Great stuff! Have tested this out and works pretty nicely. Awesome to have self-hosted support as first-class citizen.

Is this the only metric we should expect to see available after integration?

It would be nice to have some pattern matching controls for automatic project > component linking.

• It's challenging currently as most of our SQ projects were imported via the SCM (Github) SQ integration which applies a "<org>_" prefix and "_<GUID>" suffix to each project key. As it's pretty unsightly we're unlikely to change component names in Compass to match.
• Wherever possible, would suggest automatic project matching is a key capability that goes a long way towards surfacing the metric and mass adoption of the feature. That being said, dropping a dashboard link works well, would just help to reduce training if automatic linking had slightly more admin controls.

Would love to see some native support for either Prisma Cloud or Checkov next.

Thanks a ton for the feedback Pete! This is the only metric currently. Especially great note on the SonarQube GitHub import prefixing the org name. I misspoke in my original post about automatic mapping, looks like that is still in the works so this was very helpful. 

Hey Pete, I was trying to find this in the SQ docs but for the GitHub import, is the GUID random and not the name of the repo? Would you be able to share an example? Thanks!

Hey @Josh Campbell

I dug into this a bit. I'll speak to the SonarQube Github (Organizations) integration since that's what we're using, and probably the most common use case. That being said, everything I've seen in the Sonarqube source code suggests it's the same naming structure for all SCM providers.

Worth mentioning, the randomized projects keys are only generated when projects are imported via the web interface. When importing via API, the user-specified `projectKey` paramater is necessary and doesn't get transformed.

Key Sonarqube terms to navigate SQ code:

WS = Web Service
DTO= Data transfer object
ALM = Application Lifecycle Management (Aka DevOps Platform Integration, aka 'DOP').

Example

Using the web interface, I imported, removed, and reimported two test projects from our GitHub organization.

"Github Org": "MyOrg"
"Github Project Name":  "project1"

- MyOrg_project1_a38c0aca-b2b3-4f4e-9997-caa046906e76
- MyOrg_project1_c3dcb300-b390-4458-96f4-a4a124621f99
- MyOrg_project1_992ea7a9-0e6b-4073-ba4d-c535610bdf0a

"Github Org": "MyOrg"
"Github Project Name":  "project2"

- MyOrg_project2_c989d4d0-13f1-43bf-95b2-e7c77b9ff741
- MyOrg_project2_87c5d720-5bcc-42ef-b6cb-3d733b285d94
- MyOrg_project2_6e1058e4-6623-4095-a227-0df1eef58376

Validating in source code:

Regular repos:

Looks to follow `projectKey + PROJECT_KEY_SEPARATOR + uuid` across the board with '_' as separator.

• Can see the project key naming logic here: https://github.com/SonarSource/sonarqube/blob/master/server/sonar-webserver-common/src/main/java/org/sonar/server/common/almintegration/ProjectKeyGenerator.java#L53
  • Sanitization of the project key: https://github.com/SonarSource/sonarqube/blob/master/sonar-core/src/main/java/org/sonar/core/component/ComponentKeys.java#L80
    • I believe the 'MyOrg' prefix in my examples is a result of the Github integration actually surfacing the project name with the full slug - i.e. 'MyOrg/Project1' then sanitization replacing '.' with '_'.
  • UUID generation: https://github.com/SonarSource/sonarqube/blob/master/sonar-core/src/main/java/org/sonar/core/util/UuidFactory.java
• Project key regex validation looks to be found here: https://github.com/SonarSource/sonarqube/blob/b80137d990395bf214dee4c0faf8d1603508ead6/sonar-core/src/main/java/org/sonar/core/component/ComponentKeys.java#L44

Monorepos:

I haven't dug into this as far but looks like the logic for MonoRepos is broken out. Looks to follow the same format though.

Outcome

So to pattern match Compass to SCM imported SQ projects, could do everything between the two underscores if it looks like a UUID is present in the project key.

So, it seems like this integration only passes the Quality Gate metric. Is this correct? If so, this seems pretty limited and not super useful, IMO - I would want at least security hotspots/violations and code coverage as well. At present, it looks like we still need to push these metrics ourself.

Hi @Josh Campbell, this is an interesting feature for us. I agree with Michael that showing some more information in the widgets (like code security violations and test coverage) would be way more useful, but I'm hoping that that's something still on your roadmap to do.

Nevertheless, I cannot seem to make it work. The quality gate metric isn't populated with data, even though I've added the webhook to SonarQube and it is transmitting data. Are there any SonarQube version requirements perhaps?

Any reason why a dashboard link is needed to the SonarQube project to make this work? Our SonarQube instance is behind a VPN, might that be the issue?