-
Notifications
You must be signed in to change notification settings - Fork 19
SonarCloud
SonarCloud is our primary quality gate tool. It checks for each of the following:
- Issues (previously called code smells)
- Duplication
- Coverage
- Security hotspots
A passing SonarCloud analysis is required as a milestone on all PRs before they can be merged.
SonarCloud will run automatically (via Github actions) on all PRs that are from internal contributions (branches in the repo). SonarCloud will not run on PRs that come from external contributions (forked branch PRs).
A forked branch PR can edit anything in the code base. This includes the Github action workflow files. This means that they could add things like echo "${SONAR_TOKEN}"
to print the SonarCloud token to the console.
Because anyone can fork the repository and submit a PR, Github does not allow access to any of the tokens or secrets on actions that are triggered from forked branch PR.
SonarCloud requires the SONAR_TOKEN
to authenticate the project. Because of this, Sonar Cloud cannot run on forked branch PRs. Unfortunately, this is when we want the SonarCloud analysis the most!
The solution to this is to trigger the analysis manually on your local machine. Once your machine is setup (see instructions below), all you need to do is run the following:
yarn sonar-fork-pr <pr-number>
This will install dependencies, run tests and execute the SonarCloud analysis. When complete, a full report will be available in the SonarCloud project and the SonarBot will upload the results summary to the PR and mark the sonar check as passed or failed.
All of the following steps only need to be done once except for the Github token which you'll need to refresh whenever it expires (you set the expiration).
- Go to this page and sign in
- For "What option best describes your project", select "Other (for JS, TS, Go, Python, PHP, ...)"
- For "Which OS do you run your build on?", select the operating system of your computer (macOS)
- Select
Download
- Unzip the downloaded folder and move it to your root folder
~
- In a terminal, navigate to the new
sonar-scanner
folder and then navigate into the/bin
folder-
cd ~/sonar-scanner-6.2.1.4610-macosx-x64/bin
(on my machine)
-
- Print out the current path by running
pwd
and copy the full path - Add this export to your
.zshrc
,export PATH="MY_COPIED_PATH:$PATH"
, whereMY_COPIED_PATH
is the path you copied to the clipboard on the previous step. A quick way to do this is withecho "export PATH="MY_COPIED_PATH:$PATH"" >> ~/.zshrc
- Run
source ~/.zshrc
to apply the changes - Verify that sonar-scanner is working by running
sonar-scanner -h
in your new terminal
- Add a file to the
react-spectrum-charts/
folder calledlocal.json
- Paste the following contents into
local.json
{ "SONAR_TOKEN": "", "GITHUB_TOKEN": "" }
- Return to this page and copy the value of the sonar token
- Paste the copied token into the
local.json
as the"SONAR_TOKEN"
- Go to Github settings
- Select "Developer settings" form the left navigation
- Select "Personal access tokens" > "Fine-grained tokens"
- Select "Generate new token"
- Give the token a name (ex.
read-only-token
) - Make sure you are the "Resource owner"
- Set the expiration (90 days is recommended)
- Leave access as "Public Repositories (read-only)"
- Generate the token
- Copy the generated token and paste it into you
local.json
as the"GITHUB_TOKEN"
NOTE: You will need to redo this step whenever your GITHUB_TOKEN
expires.
Pull in a branch that currently has an open PR for it and run yarn sonar
. This will run all tests and then execute the sonar analysis.
When I (@marshallpete) first ran into the issue where forked branch PRs cannot access the SONAR_TOKEN
, I tried a workaround where we break the CI pipeline into two steps. The first just installs dependencies, builds, tests and then uploads the test coverage to an artifact.
This would trigger a second action that would checkout the PR code, download the artifacts and use them to run the SonarCloud analysis.
This worked because when you trigger an action off of the completion of another, it runs in the context of our repo. This means it has access to secrets and tokens and therefore can execute the SonarCloud analysis.
The problem with this is it opened the repository up to a couple of vulnerabilities.
A forked branch PR could modify the original build action and upload whatever artifacts they wanted. Then in the follow-up action, when these artifacts get downloaded, they could have malicious content in them, like bash scripts. This means a bad actor could run whatever bash scripts they wanted with full access to tokens and secrets.
This is why we killed the follow up actions and have instead have implemented this method. By pulling the code into your own machine and manually triggering the analysis, there is no possibility of malicious code running.
@adobe/react-spectrum-charts - Adobe 2024
Chart Components
Supplemental Chart Components
Layout Components