An example C++ repository built with CMake on Linux using GitLab CI and analyzed on SonarQube with Vulnerability Reports

sonarsource-cfamily-examples/linux-cmake-gitlab-ci-vulnerability-reports-sq


C++ example project scanned on SonarQube using GitLab CI

It is very easy to analyze a C, C++, or Objective-C project with SonarQube on GitLab CI:

  1. Create a sonar-project.properties file to store your configuration

  2. In your .gitlab-ci.yml file:

    1. Configure the SonarQube server URL (e.g.: https://example.com:9000)

    2. As part of the get-sonar-binaries stage:

      1. Download the Sonar Scanner

      2. Download the Build Wrapper from SonarQube server

      3. Push both binaries to cache, so they can be used in next step

    3. As part of the build stage:

      1. Install cmake package

      2. Pull Sonar Scanner and Build Wrapper from cache

      3. Wrap your compilation with the Build Wrapper

      4. Push the Sonar Scanner and the Build Wrapper output directory to the cache

    4. As part of the sonarqube-check stage:

      1. Pull build wrapper output and Sonar Scanner from cache

      2. Run sonar-scanner, specifying:

        • the property sonar.cfamily.compile-commands with, as its value, bw-output/compile_commands.json, if you are using SonarQube version 10.6 or later

        • the property sonar.cfamily.build-wrapper-output, with value bw-output, if you are using SonarQube version 10.5 or earlier, as build-wrapper did not generate a compile_commands.json file before SonarQube 10.6

        Note that bw-output is the Build Wrapper output directory that you pulled from the cache.

    5. As part of the sonarqube-vulnerability-report stage:

      1. Pull the vulnerability report resulting from the latest scan

      2. Make its content available to the GitLab CI via the file gl-sast-sonar-report.json

  3. Make sure that you have your token stored as a CI variable in your project (SONAR_TOKEN). You can generate and use new tokens in SonarQube.

You can take a look at the sonar-project.properties and .gitlab-ci.yml to see it in practice. Please be aware that the SonarQube server URL is not completed in this .gitlab-ci.yml example.
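The four stages above, written out as a complete pipeline. This is an added example for this page, not the repository's own .gitlab-ci.yml, and it assumes a few things: SONAR_HOST_URL, SONAR_PROJECT_KEY and SONAR_SCANNER_VERSION are placeholders you fill in; SONAR_TOKEN is a masked CI/CD variable; the Build Wrapper download path (`/static/cpp/build-wrapper-linux-x86.zip`) and the `api/issues/gitlab_sast_export` endpoint are as I know them from SonarQube and should be checked against your server version; the Sonar Scanner archive name on binaries.sonarsource.com is release-specific.

```yaml
# Added example pipeline, not the repository's own .gitlab-ci.yml.
# Placeholders/assumptions: SONAR_HOST_URL, SONAR_PROJECT_KEY, SONAR_SCANNER_VERSION.
# SONAR_TOKEN must be defined as a masked CI/CD variable in the project settings.

variables:
  SONAR_HOST_URL: "https://example.com:9000"   # placeholder: your SonarQube server
  SONAR_PROJECT_KEY: "<your-project-key>"      # placeholder: same key as sonar-project.properties
  SONAR_SCANNER_VERSION: "<scanner-version>"   # placeholder: pin one scanner release
  BUILD_WRAPPER_OUT_DIR: "bw-output"
  GIT_DEPTH: "0"   # full clone so SonarQube can compute new-code and blame data

stages:
  - get-sonar-binaries
  - build
  - sonarqube-check
  - sonarqube-vulnerability-report

# Cache keyed to the commit: one pipeline never reuses another pipeline's
# binaries or Build Wrapper output.
.sonar-cache: &sonar-cache
  key: "sonar-${CI_COMMIT_SHA}"
  paths:
    - .sonar/
    - bw-output/

get-sonar-binaries:
  stage: get-sonar-binaries
  image: debian:bookworm-slim
  script:
    - apt-get update -qq && apt-get install -y -qq curl unzip
    - mkdir -p .sonar
    # Sonar Scanner CLI from SonarSource's download site (archive name depends on the release)
    - curl -sSfLo scanner.zip "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux.zip"
    - unzip -q -o scanner.zip -d .sonar
    - mv ".sonar/sonar-scanner-${SONAR_SCANNER_VERSION}-linux" .sonar/sonar-scanner
    # The Build Wrapper is served by the SonarQube server, so it always matches its C/C++ analyzer
    - curl -sSfLo bw.zip "${SONAR_HOST_URL}/static/cpp/build-wrapper-linux-x86.zip"
    - unzip -q -o bw.zip -d .sonar
    - mv .sonar/build-wrapper-linux-x86 .sonar/build-wrapper
  cache:
    <<: *sonar-cache
    policy: push

build:
  stage: build
  image: gcc:13
  script:
    - apt-get update -qq && apt-get install -y -qq cmake
    - cmake -S . -B build
    # Only the compilation step is wrapped: the wrapper records every compiler call it observes
    - .sonar/build-wrapper/build-wrapper-linux-x86-64 --out-dir "${BUILD_WRAPPER_OUT_DIR}" cmake --build build
  cache:
    <<: *sonar-cache
    policy: pull-push

sonarqube-check:
  stage: sonarqube-check
  image: debian:bookworm-slim   # the "-linux" scanner bundle ships its own JRE
  script:
    - apt-get update -qq && apt-get install -y -qq git   # lets the scanner read blame/SCM data
    - >
      .sonar/sonar-scanner/bin/sonar-scanner
      -Dsonar.host.url="${SONAR_HOST_URL}"
      -Dsonar.token="${SONAR_TOKEN}"
      -Dsonar.cfamily.compile-commands="${BUILD_WRAPPER_OUT_DIR}/compile_commands.json"
    # SonarQube 10.5 or earlier: replace the last -D option with
    # -Dsonar.cfamily.build-wrapper-output="${BUILD_WRAPPER_OUT_DIR}"
  cache:
    <<: *sonar-cache
    policy: pull

sonarqube-vulnerability-report:
  stage: sonarqube-vulnerability-report
  image: curlimages/curl:latest
  script:
    # Export endpoint assumed from SonarQube's Web API; confirm it under api/webservices on your server.
    # CI_COMMIT_BRANCH is empty on merge request pipelines; pass pullRequest=${CI_MERGE_REQUEST_IID} there.
    - >
      curl -sSf -u "${SONAR_TOKEN}:"
      "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=${SONAR_PROJECT_KEY}&branch=${CI_COMMIT_BRANCH}"
      -o gl-sast-sonar-report.json
  artifacts:
    reports:
      sast: gl-sast-sonar-report.json   # GitLab picks the findings up as a SAST report
    expire_in: 1 day
```

The matching sonar-project.properties only needs `sonar.projectKey` (the same value as SONAR_PROJECT_KEY) and `sonar.sources=.`; the host URL and token are passed on the command line so they never land in the repository. Two points worth keeping as-is when adapting this: the token is passed as `-u "${SONAR_TOKEN}:"` (token as the basic-auth user, empty password) and stays masked in job logs, and the cache key includes the commit SHA so a later pipeline cannot pick up a stale compile_commands.json or a scanner binary someone else's job downloaded.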

Documentation

Linux / CMake

A build of the code repository on a Linux platform using the CMake build system.

To build the code run:

```sh
mkdir build && cd build
cmake ..
make
```

Code Description

An example of flawed C++ code. The code repository is meant to be compiled with different build systems using different CI pipelines on Linux, macOS, and Windows.

The code repository is forked into other repositories in this collection to add a specific build system, platform, and CI. The downstream repositories are analyzed either with SonarQube or SonarCloud.

You can find examples for:

Using the following build systems:

Running on the following CI services:

Configured for analysis on:

You can also find a few examples demonstrating:

See examples-structure.adoc for a description of the structure of this GitHub organization and the relations between its different repositories.
