From dc288cf2a3c1cb85d33bec8b0b456f87ec4b4232 Mon Sep 17 00:00:00 2001 From: Michael Gumowski Date: Thu, 19 Jun 2025 14:27:22 +0200 Subject: [PATCH 1/3] SCANPY-201 setup shadow scans --- .cirrus.yml | 36 +++++++++++++++++++++++++++++------- sonar-project.properties | 1 + 2 files changed, 30 insertions(+), 7 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 05ddbf1e..20471449 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -5,8 +5,6 @@ env: ARTIFACTORY_DEPLOY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token] ARTIFACTORY_DEPLOY_REPO: sonarsource-pypi-public-qa GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token] - SONAR_TOKEN: VAULT[development/kv/data/next data.token] - SONAR_HOST_URL: https://next.sonarqube.com/sonarqube DEPLOY_PULL_REQUEST: 'true' POETRY_VIRTUALENVS_PATH: "~/.cache/poetry/venvs" POETRY_CACHE_DIR: "~/.cache/poetry/pypoetry" @@ -158,12 +156,10 @@ documentation_task: - poetry run python tools/generate_cli_documentation.py - git diff --exit-code CLI_ARGS.md -analysis_linux_task: +analysis_base_linux_template: &ANALYSIS_BASE_LINUX_TEMPLATE <<: *LINUX_CONTAINER_DEFINITION - alias: analysis - name: "NEXT Analysis" <<: *POETRY_INSTALL - # For NEXT analysis we don't need to set the build versions, but we still need to access jfrog to recover the dependencies + # For analysis we don't need to set the build versions, but we still need to access jfrog to recover the dependencies analysis_script: - poetry run pytest --cov-report=xml:coverage.xml --cov-config=pyproject.toml --cov=src --cov-branch tests - poetry run mypy src/ > mypy-report.txt || true # mypy exits with 1 if there are errors 
@@ -177,6 +173,30 @@ analysis_linux_task: format: junit type: text/xml +analysis_next_task: + <<: *ANALYSIS_BASE_LINUX_TEMPLATE + alias: sonar_analysis_next + name: "NEXT Analysis" + env: + SONAR_TOKEN: VAULT[development/kv/data/next data.token] + SONAR_HOST_URL: https://next.sonarqube.com/sonarqube + +analysis_SQC_EU_shadow_task: + <<: *ANALYSIS_BASE_LINUX_TEMPLATE + alias: sonar_analysis_shadow_sqc_eu + name: "SQC-EU Shadow Analysis" + env: + SONAR_TOKEN: VAULT[development/kv/data/sonarcloud data.token] + SONAR_HOST_URL: https://sonarcloud.io + +analysis_SQC_US_shadow_task: + <<: *ANALYSIS_BASE_LINUX_TEMPLATE + alias: sonar_analysis_shadow_sqc_us + name: "SQC-US Shadow Analysis" + env: + SONAR_TOKEN: VAULT[development/kv/data/sonarqube-us data.token] + SONAR_HOST_URL: https://sonarqube.us + qa_task: alias: qa matrix: @@ -275,7 +295,9 @@ its_macos_task: promote_task: depends_on: - formatting - - analysis + - sonar_analysis_next + - sonar_analysis_shadow_sqc_eu + - sonar_analysis_shadow_sqc_us - qa - qa_windows - build diff --git a/sonar-project.properties b/sonar-project.properties index d1528c72..0245a8bb 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -1,5 +1,6 @@ sonar.projectKey=SonarSource_sonar-scanner-python sonar.projectName=Python Scanner +sonar.organization=sonarsource sonar.python.version=3.9,3.10,3.11,3.12,3.13 sonar.python.coverage.reportPaths=coverage.xml sonar.python.mypy.reportPaths=mypy-report.txt From 6272953a6c7e68112ec3ba7099c7df05c7c69b57 Mon Sep 17 00:00:00 2001 From: Michael Gumowski Date: Thu, 19 Jun 2025 15:33:53 +0200 Subject: [PATCH 2/3] SCANPY-201 Fix weird region support for sonarqube.us --- .cirrus/analysis.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.cirrus/analysis.sh b/.cirrus/analysis.sh index f9dcf73e..d964ed59 100644 --- a/.cirrus/analysis.sh +++ b/.cirrus/analysis.sh 
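Review bot: The two new credentials in `analysis_SQC_EU_shadow_task` and `analysis_SQC_US_shadow_task` are set in task-level `env:`, so `SONAR_TOKEN` is in the environment of every script the shared template runs (the Poetry install, `pytest`, `mypy`), not only the scanner call. Since these tokens target sonarcloud.io and sonarqube.us rather than the NEXT instance, it is worth confirming that the vault entries hold analysis-only tokens scoped to this project. A comment above each `env:` would record that, for example `# analysis-only token; visible to all scripts in this task`. As a style point, the mixed-case keys would match the rest of the file as `analysis_sqc_eu_shadow_task` and `analysis_sqc_us_shadow_task`.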
@@ -1,9 +1,16 @@ #!/bin/bash function run_analysis { + # deal with strange SonarQube configuration for the US region + SONAR_REGION="" + if [ "$SONAR_HOST_URL" == "https://sonarqube.us" ]; then + SONAR_REGION="-Dsonar.region=us" + fi + # extra analysis parameters are set in the 'sonar-project.properties' pysonar \ -Dsonar.host.url="$SONAR_HOST_URL" \ + ${SONAR_REGION} \ -Dsonar.token="$SONAR_TOKEN" \ -Dsonar.analysis.buildNumber=$CI_BUILD_NUMBER \ -Dsonar.analysis.pipeline="$PIPELINE_ID" \ From 4fc7de28ba1c99413e7219d59f2d578cbd45f429 Mon Sep 17 00:00:00 2001 From: Michael Gumowski Date: Fri, 20 Jun 2025 11:42:38 +0200 Subject: [PATCH 3/3] SCANPY-201 Only executes shadow analysis on CRON jobs and master branch --- .cirrus.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 20471449..ecbab533 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -12,6 +12,7 @@ env: # Use bash (instead of sh on linux or cmd.exe on windows) CIRRUS_SHELL: bash JF_ALIAS: "jfrog" + CRON_NIGHTLY_JOB_NAME: "nightly" only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == 'master' || $CIRRUS_BRANCH =~ "branch-.*") linux_container_definition: &LINUX_CONTAINER_DEFINITION @@ -183,6 +184,8 @@ analysis_next_task: analysis_SQC_EU_shadow_task: <<: *ANALYSIS_BASE_LINUX_TEMPLATE + # only executed in CRON job AND on master branch + only_if: $CIRRUS_CRON == $CRON_NIGHTLY_JOB_NAME && $CIRRUS_BRANCH == "master" alias: sonar_analysis_shadow_sqc_eu name: "SQC-EU Shadow Analysis" env: @@ -191,6 +194,8 @@ analysis_SQC_EU_shadow_task: analysis_SQC_US_shadow_task: <<: *ANALYSIS_BASE_LINUX_TEMPLATE + # only executed in CRON job AND on master branch + only_if: $CIRRUS_CRON == $CRON_NIGHTLY_JOB_NAME && $CIRRUS_BRANCH == "master" alias: sonar_analysis_shadow_sqc_us name: "SQC-US Shadow Analysis" env: 
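Review bot: The region check in `run_analysis` compares `SONAR_HOST_URL` to the exact string `https://sonarqube.us`, so a trailing slash or different casing in the task's `env:` silently drops `-Dsonar.region=us` with no error. Comparing a normalised value, `if [ "${SONAR_HOST_URL%/}" == "https://sonarqube.us" ]; then`, would tolerate the trailing slash, and `local SONAR_REGION=""` would keep the variable from leaking into the calling shell. The unquoted `${SONAR_REGION}` looks intentional, since an empty value must expand to no argument; a short comment saying so would stop someone from quoting it later. The function body continues past the end of the hunk.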
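Review bot: `CRON_NIGHTLY_JOB_NAME: "nightly"` has to match a cron name that is configured outside this file, and the two new `only_if` conditions on `analysis_SQC_EU_shadow_task` and `analysis_SQC_US_shadow_task` depend on it. If that name is missing or spelled differently, both shadow scans are skipped without any failure. Because the last hunk of this patch also removes them from `promote_task`'s `depends_on`, nothing else in the pipeline would flag the gap. A comment next to the variable would document the coupling, for example `# must match the cron job name defined in the Cirrus CI repository settings`.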
@@ -296,8 +301,6 @@ promote_task: depends_on: - formatting - sonar_analysis_next - - sonar_analysis_shadow_sqc_eu - - sonar_analysis_shadow_sqc_us - qa - qa_windows - build