In order to be "security by design" ready, ONAP code must be analyzed before it is merged. The steps below enable the Jenkins job called "maven-sonar-verify", which allows us to run proactive SonarCloud scans on every patchset:

Requirements

...

  • global-jjb updated to v0.71.0

Steps

...

  • clone the ci-management repo
  • enter the jjb folder of the project for which you want to activate the proactive scans (e.g. ci-management/jjb/cps/)
  • edit or create the YAML file holding the JJB templates (e.g. cps.yaml)
  • add a new project section with the following configuration (update the fields according to the project you are editing; this example is for the CPS project)

    Code block (source: https://gerrit.onap.org/r/c/ci-management/+/125534):
    - project:
        name: cps-sonar-verify
        java-version: openjdk11
        mvn-version: "mvn36"
        maven-version: "mvn36"
        jobs:
          - gerrit-maven-sonar-verify
        sonarcloud: true
        sonarcloud-project-organization: '{sonarcloud_project_organization}'
        sonarcloud-api-token: '{sonarcloud_api_token}'
        sonarcloud-project-key: '{sonarcloud_project_organization}_{project-name}'
        sonar-mvn-goal: '{sonar_mvn_goal}'
        build-node: centos7-docker-8c-8g
        project: 'cps'
        project-name: 'cps'
        branch: 'master'
        mvn-settings: 'cps-settings'
        mvn-goals: 'clean install'
        mvn-opts: '-Xmx1024m -XX:MaxPermSize=256m'


  • OPTIONAL: if you want stricter proactive scans that block a merge when code quality issues are found, set the field sonarcloud-qualitygate-wait to 'true'
  • commit your work with git and push the change to Gerrit with git-review
  • your project now gets a new "{PROJECT_NAME}-sonar-verify" Jenkins job that executes SonarCloud scans every time a new patchset is uploaded
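
Before pushing the change to Gerrit, it is worth checking that the copied section is consistent: the job name matches the project, the sonar-verify job is listed, and the API token is still a JJB template reference rather than a literal secret. The lint below is an added example, not code from ONAP ci-management or global-jjb; it assumes the flat "key: value" plus "jobs:" layout shown above and does not parse general YAML.

```python
# Added example, not ONAP code: lint a '- project:' entry for the
# gerrit-maven-sonar-verify job. Loader handles only the flat layout shown above.
import re
REQUIRED = ("name", "jobs", "sonarcloud", "sonarcloud-project-organization",
            "sonarcloud-api-token", "sonarcloud-project-key", "sonar-mvn-goal",
            "project", "project-name")

SAMPLE = """- project:
    name: cps-sonar-verify
    jobs:
      - gerrit-maven-sonar-verify
    sonarcloud: true
    sonarcloud-project-organization: '{sonarcloud_project_organization}'
    sonarcloud-api-token: '{sonarcloud_api_token}'
    sonarcloud-project-key: '{sonarcloud_project_organization}_{project-name}'
    sonar-mvn-goal: '{sonar_mvn_goal}'
    project: 'cps'
    project-name: 'cps'
    branch: 'master'
    mvn-settings: 'cps-settings'
    mvn-goals: 'clean install'
"""  # constructed sample: the CPS entry from the page without the JDK/Maven fields

def load_project_entry(text):
    """Parse the indented block into a dict; '- item' lines join the open list."""
    entry, list_key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("- ") and list_key:      # item of the open list
            entry[list_key].append(line[2:].strip("'\""))
        elif line and line != "- project:":
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip().strip("'\"")
            entry[key] = value or []                # a bare 'jobs:' opens a list
            if not value:
                list_key = key
    return entry

def check_sonar_verify(entry):
    """Return (problems, gates_merge); empty problems means the entry is consistent."""
    problems = [f"missing field: {k}" for k in REQUIRED if k not in entry]
    if entry.get("name") != f"{entry.get('project-name')}-sonar-verify":
        problems.append("name must be '<project-name>-sonar-verify'")
    if "gerrit-maven-sonar-verify" not in entry.get("jobs", []):
        problems.append("jobs must include gerrit-maven-sonar-verify")
    if entry.get("sonarcloud") != "true":
        problems.append("sonarcloud must be true")
    # The token must stay a '{...}' template reference; a literal would land in git.
    if not re.fullmatch(r"\{\w+\}", entry.get("sonarcloud-api-token", "")):
        problems.append("sonarcloud-api-token must be a template reference")
    return problems, entry.get("sonarcloud-qualitygate-wait") == "true"
```

The second return value tells you whether scan results will actually gate the merge (only when sonarcloud-qualitygate-wait is 'true'); otherwise the job is advisory only.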

...