Version 1.2.0
The Black Duck SonarQube plugin works through the Black Duck sensor in the sonar-scanner.
To populate a SonarQube instance with data, whether or not the Black Duck SonarQube plugin is installed, the sonar-scanner must be run in the base directory of the project to be scanned. This directory requires a sonar-project.properties file in which the following fields are specified:
These fields configure project mappings and plugin settings. The Black Duck SonarQube plugin can also be configured through the SonarQube user interface (UI), where you can override the values from the sonar-project.properties file. This is possible only after the initial scan.
extensions/plugins/ directory of your SonarQube installation and then restart the server. For additional version compatibility information, refer to https://docs.sonarqube.org/display/DEV/API+Changes.
To install the Black Duck SonarQube plugin, refer to the SonarQube installation procedures for the manual installation steps at https://docs.sonarqube.org/display/SONAR/Installing+a+Plugin.
Get the latest releases of the plugin at https://github.com/blackducksoftware/hub-sonarqube/releases.
When the sonar-scanner is run with the Black Duck SonarQube plugin installed and configured, it uses inclusion patterns to collect a list of local binaries and compares them with a Black Duck project version. By default, the plugin attempts to locate a Black Duck project version using the name and version of the SonarQube project being scanned. This can be overridden in the sonar-project.properties file. Note that the Black Duck SonarQube plugin does not perform a Black Duck scan; instead it examines an already-scanned Black Duck project, gathers its Black Duck Bill of Materials (BOM) components, and compares the matched files from Black Duck to the local files. Metrics are attached to shared components and displayed in the SonarQube UI under Your_project_name > More > Black Duck Security Analysis. The displayed metrics are:
Clicking any of these metrics displays the data on a per-file basis.
The following are listings of global and project-level properties for the Black Duck SonarQube plugin.
When the sonar-scanner is run using the Maven goal sonar:sonar, an issue arises where the Black Duck SonarQube plugin cannot find local binary files. According to the SonarQube documentation, "If [the sonar.sources property is] not set, the source code is retrieved from the default Maven source code location."
To fix the issue, set sonar.sources to the base directory of the project, ideally as an absolute path to that directory.
Setting this property can produce the error "File <FILE_NAME> can't be indexed twice. Please check that inclusion/exclusion patterns produce disjoint sets for main and test files." This means you should explicitly set the properties sonar.inclusions and sonar.exclusions so that the main and test file sets do not overlap. More information on these properties can be found in the SonarQube Analysis Parameters documentation.
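As an added example (not part of the plugin or its documentation), the following Python check applies sonar.inclusions / sonar.exclusions and sonar.test.inclusions (a SonarQube property not named above) to a constructed file tree and reports the files that would fall into both the main and the test set, i.e. the "can't be indexed twice" condition. The property values, the file tree and the simplified Ant-style glob semantics are assumptions made for the example.

```python
import re

# Constructed sonar-project.properties fragment (sample input, not from the page):
# sonar.exclusions keeps the test tree out of the main set, so main/test stay disjoint.
GOOD_PROPERTIES = """\
sonar.sources=/abs/path/to/project
sonar.inclusions=**/*.java
sonar.exclusions=**/test/**
sonar.test.inclusions=**/test/**/*.java
"""
# Constructed file tree, relative to sonar.sources (sample input).
SAMPLE_FILES = ["src/main/java/App.java", "src/main/java/Util.java",
                "src/test/java/AppTest.java", "target/classes/App.class"]

def parse_properties(text):
    """Minimal key=value parser for sonar-project.properties (skips blanks and # comments)."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs if k and not k.startswith("#")}

def glob_to_regex(pattern):
    """Ant-style glob as SonarQube uses it: '**' spans directories, '*'/'?' stay in one segment."""
    parts = {"**/": "(?:.*/)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}
    tokens = re.findall(r"\*\*/|\*\*|\*|\?|[^*?]+", pattern)
    return re.compile("^" + "".join(parts.get(t, re.escape(t)) for t in tokens) + "$")

def select(files, inclusions, exclusions, default_all):
    """Files matching any inclusion pattern (all files if none given and default_all) minus exclusions."""
    inc = [glob_to_regex(p.strip()) for p in inclusions.split(",") if p.strip()]
    exc = [glob_to_regex(p.strip()) for p in exclusions.split(",") if p.strip()]
    if not inc and not default_all:
        return set()
    return {f for f in files
            if (not inc or any(r.match(f) for r in inc))
            and not any(r.match(f) for r in exc)}

def indexed_twice(properties_text, files):
    """Files that would land in both the main and the test set, i.e. trigger
    'can't be indexed twice'. Approximates the scanner: main = sonar.inclusions minus
    sonar.exclusions (everything if no inclusions), test = sonar.test.inclusions minus
    sonar.test.exclusions (nothing if no test inclusions), both over the sonar.sources tree."""
    p = parse_properties(properties_text)
    main = select(files, p.get("sonar.inclusions", ""), p.get("sonar.exclusions", ""), True)
    test = select(files, p.get("sonar.test.inclusions", ""), p.get("sonar.test.exclusions", ""), False)
    return sorted(main & test)

if __name__ == "__main__":
    print("good config overlap:", indexed_twice(GOOD_PROPERTIES, SAMPLE_FILES))
    bad = GOOD_PROPERTIES.replace("sonar.exclusions=**/test/**\n", "")
    print("without sonar.exclusions:", indexed_twice(bad, SAMPLE_FILES))
```

Removing the sonar.exclusions line from the sample reproduces the overlap that the scanner reports as "indexed twice"; with it present, the two sets are disjoint.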