This section describes how our Jenkins CI is connected to the different code scanning tools and how each code scan produces its resulting reports.

Currently, we have 3 code scan tools linked in our Jenkins CI:

|                        | Nexus IQ | WhiteSource | Sonar |
|------------------------|----------|-------------|-------|
| Purpose                | License and vulnerability | License and vulnerability | Code coverage from testing |
| Access                 | Automatic for all committer groups. Not in a group? Contact with LFID. | On a case-by-case basis. Contact and provide the email address to send the invitation to. | Automatic if part of the ONAP GitHub org. Contact for a GitHub invite (include GitHub ID). |
| Project coverage       | All projects must have Nexus IQ scans. | Only a few projects are implemented; the rest of the projects are still under discussion. | All projects must have Sonar scans. |
| Frequency and triggers | Once per week (Saturdays); on demand via Gerrit comment: run-clm | Once per week (Saturdays); on demand via Gerrit comment: run-whitesource | On demand via Gerrit comment: run-sonar |
| Overall process (example job) | The job triggers a "clean install dependency:tree com.sonatype.clm:clm-maven-plugin:index"; a separate step invokes the Nexus IQ scanner using a Jenkins plugin. | The job runs a "clean install" of the code; a separate step downloads and runs WhiteSource's Unified Agent to scan the code. | The job runs a "clean install" of the code; a separate step runs "org.sonarsource.scanner.maven:sonar-maven-plugin:" to process the scan. |
| Quality Gates          | High threat violations need to be addressed and investigated in case they are false positives. Currently this is not a release blocker. | The reports are being used for testing purposes. | The Quality Gate must be above 55% to pass. Test coverage is managed by the tech teams. |
| Example report         | | !project;id=1387312 | |