
Open Source

SonarSource City Tour, We Are Coming Near You

Sonar - Wed, 04/27/2016 - 14:51

Since we love touring and meeting our community of users, we’re setting out on the road once again, this time to more cities than ever! Over the next 6 months you’ll be able to see us and ask any questions you have, in more than 10 cities in Europe and the US.

This year, we are very excited to return to the City Tour to share with you all the news around the SonarQube platform, and show you our latest product: SonarLint, which allows developers to track quality of their code in real time as they type it. Very powerful!

Here is what will be covered at each stop of the tour:

  • The Leak Approach: a new paradigm to manage Code Quality
  • SonarQube 5.x series in demo
  • SonarQube integration to Microsoft ALM
  • SonarLint, the missing piece of the puzzle
  • Customer feedback
  • Sonar Analyzers and well-established standards
  • Roadmap for the platform
  • Roadmap for Sonar Analyzers

It will also be a great opportunity to meet other SonarQube users to share tips and tricks and discuss your experiences with the platform.

Is there something you would like to know or ask us but haven’t had the opportunity to do so? Now’s your chance! Sign up for the free event in your preferred city, and we’ll see you soon!

Registrations are open on our website, so pick the city you want, fill the form and you’ll be all set.

Join the conversation by using #SSCT2016 in all your tweets about the events.

See you soon !

Categories: Open Source

Jenkins 2.0 is here!

Over the past 10 years, Jenkins has really grown into a de-facto standard tool that millions of people use to handle automation in software development and beyond. It is quite remarkable for a project that originally started as a hobby project under a different name. I’m very proud. Around this time last year, we celebrated 10 years, 1000 plugins, and 100K installations. That was a good time to look back, and we started thinking about the next 10 years of Jenkins and what’s necessary to meet that challenge. This project has long been on a weekly "train" release model, so it was useful to step back and think about...
Categories: Open Source

Possible Jenkins Project Infrastructure Compromise

Last week, the infrastructure team identified the potential compromise of a key infrastructure machine. This compromise could have taken advantage of, what could be categorized as, an attempt to target contributors with elevated access. Unfortunately, when facing the uncertainty of a potential compromise, the safest option is to treat it as if it were an actual incident, and react accordingly. The machine in question had access to binaries published to our primary and secondary mirrors, and to contributor account information. Since this machine is not the source of truth for Jenkins binaries, we verified that the files distributed to Jenkins users: plugins, packages, etc, were not tampered with. We...
Categories: Open Source

Pipeline 2.x plugins

Those of you who routinely apply all plugin updates may already have noticed that the version numbers of the plugins in the Pipeline suite have switched to a 2.x scheme. Besides aligning better with the upcoming Jenkins 2.0 core release, the plugins are now being released with independent lifecycles. “Pipeline 1.15” (the last in the 1.x line) included simultaneous releases of a dozen or so plugins with the 1.15 version number (and 1.15+ dependencies on each other). All these plugins were built out of a single workflow-plugin repository. While that was convenient in the early days for prototyping wide-ranging changes, it...
Categories: Open Source

Making your own DSL with plugins, written in Pipeline script

In this post I will show how you can make your own DSL extensions and distribute them as a plugin, using Pipeline Script. A quick refresher: Pipeline has a well-kept secret, the ability to add your own DSL elements. Pipeline is itself a DSL, but you can extend it. There are 2 main reasons I can think of why you may want to do this: you want to reduce boilerplate by encapsulating common snippets/things you do in one DSL statement, or you want to provide a DSL that prescribes how your builds work, uniform across your organisation's Jenkinsfiles. A DSL could look as simple as acmeBuild { ...
Categories: Open Source

The Need For Jenkins Pipeline

This is a cross-post of an article authored by Viktor Farcic on the CloudBees blog. Viktor is also the author of The DevOps 2.0 Toolkit, which explores Jenkins, the Pipeline plugin, and the ecosystem around it in much more detail. Over the years, Jenkins has become the undisputed ruler among continuous integration (CI), delivery and deployment (CD) tools. It, in a way, defined the CI/CD processes we use today. As a result of its leadership, many other products have tried to overthrow it from its position. Among others, we got Bamboo and TeamCity attempting to get a piece of the market. At the same time, new products emerged with a service...
Categories: Open Source

Registration is Open for Jenkins World 2016!

This is a guest post by Alyssa Tong. Alyssa works for CloudBees, helping to organize Jenkins community events around the world. Jenkins World 2016 will be the largest gathering of Jenkins users in the world. This event will bring together Jenkins experts, continuous delivery thought leaders and the ecosystem offering complementary technologies for Jenkins. Join us September 13-15, 2016 in Santa Clara, California to learn and explore, network face-to-face and help shape the next evolution of Jenkins development and solutions for DevOps. Registration for Jenkins World 2016 is now live. Take advantage of the Super Early Bird rate of $399 (available until July 1st). And don’t...
Categories: Open Source

Replay a Pipeline with script edits

This is a cross-post of an article authored by Pipeline plugin maintainer Jesse Glick on the CloudBees blog. For those of you not checking their Updates tab obsessively, Pipeline 1.14 [up to 2.1 now] was released a couple of weeks ago and I wanted to highlight the major feature in this release: JENKINS-32727, or replay. Some folks writing "Jenkinsfiles" in the field had grumbled that it was awkward to develop the script incrementally, especially compared to jobs using inline scripts stored in the Jenkins job configuration: to try a change to the script, you had to edit Jenkinsfile in SCM, commit it (perhaps to a branch), and then go back to Jenkins to...
Categories: Open Source

SonarAnalyzer for Java: Tricky Bugs are Running Scared

Sonar - Wed, 04/13/2016 - 14:38

For the past year, the SonarSource team behind the SonarAnalyzer for Java has invested most of its time in developing a Symbolic Execution engine in order to find the kind of tricky bugs that are almost uncatchable by developers unaided.

The SonarAnalyzer for Java’s new symbolic execution engine allows it to statically trace all the execution paths in a piece of code. We’ll probably do a blog post in the near future to explain all the related concepts: Program Point, Program State, Symbolic Value, Control Flow Graph, Stack of Symbolic Values, Constraints on Symbolic Values, … but for the time being let’s just see the engine in action.

Example 1 is a null pointer dereference in the Apache Tika project. The nullability of an object is guessed here from a test done in the code.

Example 2 is also an NPE in the Apache Tika project. This time the nullability is due to a badly handled exception.

Example 3 is a useless condition in the Spark project.

Example 4 returns to Apache Tika with a suspect unreachable branch.

Based on those few examples I guess it’s pretty easy to understand how valuable it can be to quickly get this information early in the development lifecycle. So how can you benefit from the SonarAnalyzer for Java? Either by getting on-the-fly feedback directly in your favorite Java editor with SonarLint for Eclipse or SonarLint for IntelliJ, or by integrating SonarQube analysis into your build process to continuously feed the SonarQube server.
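The four examples above were screenshots of real findings in Apache Tika and Spark. The snippet below is an added illustration, not code from those projects or from SonarSource: each method is a constructed, deliberately buggy instance of the bug class the post names, with a comment stating the constraint a symbolic execution engine carries along the path that makes the defect provable. Class and method names are assumptions chosen for the illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;

// Constructed examples of the bug classes listed above (added illustration,
// not Apache Tika or Spark code). A symbolic execution engine explores each
// path, attaches constraints (NULL / NOT_NULL, true / false) to the symbolic
// values, and reports the statement where a constraint is contradicted.
public class SymbolicExecutionExamples {

    // Example 1 pattern: the null check itself tells the engine that `name`
    // may be null. On the branch where the test is true it records the
    // constraint name == NULL, and the dereference on that branch is an NPE.
    static int lengthOrDefault(String name) {
        if (name == null) {
            return name.length();   // reported: name is NULL on this path
        }
        return name.length();       // fine: name is NOT_NULL here
    }

    // Example 2 pattern: a badly handled exception. On the path where the
    // IOException is thrown and swallowed, `stream` is still null, yet the
    // code after the try/catch dereferences it unconditionally.
    static int readFirstByte(Map<String, InputStream> streams, String key)
            throws IOException {
        InputStream stream = null;
        try {
            stream = streams.get(key);
            if (stream == null) {
                throw new IOException("missing stream for " + key);
            }
        } catch (IOException e) {
            // swallowed: the engine keeps stream == NULL on this path
        }
        return stream.read();       // reported: NPE on the caught-exception path
    }

    // Example 3 pattern: a useless condition. Inside the outer branch the
    // engine already holds size > 10, so size > 5 can only evaluate to true.
    static String classify(int size) {
        if (size > 10) {
            if (size > 5) {         // reported: condition is always true
                return "large";
            }
            return "medium";        // dead code as a consequence
        }
        return "small";
    }

    // Example 4 pattern: a suspect unreachable branch. After the first test
    // returns, every remaining path carries value != NULL, so the second
    // test can never be true and its body can never execute.
    static boolean isEmpty(Object value) {
        if (value == null) {
            return true;
        }
        if (value == null) {        // reported: always false, branch unreachable
            return false;
        }
        return value.toString().isEmpty();
    }
}
```

In each case the fix is the one the engine's report points at: return a default instead of dereferencing on the null branch in `lengthOrDefault`, rethrow or return early in the catch block of `readFirstByte`, and delete the redundant tests in `classify` and `isEmpty`.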

Tricky bugs are running scared. The hunt is on!

Categories: Open Source

Google Summer of Code. Call for Mentors

As you probably know, the Jenkins project has been accepted to Google Summer of Code 2016. During the last month we were working with students in order to discuss their project ideas and to review their application drafts. Thanks again to all students and mentors for your hard work during about ten office hours and dozens of other calls/chats!

Current status:

  • We have successfully handled the student application period
  • We have received a bunch of good project proposals (mentors cannot disclose the number)
  • We have done the preliminary filtering of applications
  • GSoC mentors and organization admins have prepared the project slot application draft

Currently we are looking for mentors. We have a...
Categories: Open Source

Security fixes in Script Security Plugin and Extra Columns Plugin

The Script Security Plugin and the Extra Columns Plugin were updated today to fix medium-severity security vulnerabilities. For detailed information about the security content of these updates, see the security advisory. Subscribe to the jenkinsci-advisories mailing list to receive important notifications related to Jenkins security....
Categories: Open Source

Run Your API Tests Continuously with Jenkins and DHC

This is a guest post by Guillaume Laforge. Well known for his contribution to the Apache Groovy project, Guillaume is also the "Product Ninja and Advocate" of Restlet, a company focusing on Web APIs: with DHC (an API testing client), Restlet Studio (an API designer), APISpark (an API platform in the cloud), and the Restlet Framework open source project for developing APIs. Modern mobile apps, single-page web sites and applications, are more and more relying on Web APIs, as the nexus of the interaction between the frontend and the backend services. Web APIs are also central to third-party integration, when you want to share your services with others, or when you need...
Categories: Open Source

Automating test runs on hardware with Pipeline as Code

In addition to Jenkins development, during the last 8 years I’ve been involved in continuous integration for hardware and embedded projects. At JUC2015/London I gave a talk about common automation challenges in the area. In this blog post I would like to concentrate on Pipeline (formerly known as Workflow), which is a new ecosystem in Jenkins that allows implementing jobs in a domain-specific language. It is in the suggested plugins list in the upcoming Jenkins 2.0 release. The first time I tried Pipeline, two and a half years ago, it unfortunately did not work for my use-cases at all. I was very disappointed but tried it...
Categories: Open Source

Jenkins Community Survey Results

This is a guest post by Brian Dawson at CloudBees, where he works as a DevOps Evangelist responsible for developing and sharing continuous delivery and DevOps best practices. He also serves as the CloudBees Product Marketing Manager for Jenkins. Last fall CloudBees asked attendees at the Jenkins User Conference – US West (JUC), and others in the Jenkins community, to take a survey. Almost 250 people did – and thanks to their input, we have results which provide interesting insights into how Jenkins is being used. Back in 2012, at the time of the last community survey, 83% of respondents felt that Jenkins was mission-critical. By 2015, the...
Categories: Open Source

Jenkins 2.0 Release Candidate available!

Those who fervently watch the jenkinsci-dev@ list, like I do, may have caught Daniel Beck's email today which quietly referenced a significant milestone on the road to 2.0 that has been reached: the first 2.0 release candidate is here! The release candidate process, in short, is the final stabilization and testing period before the final release of Jenkins 2.0. If you have the cycles to help test, please download the release candidate and give us your feedback as soon as possible! The release candidate process also means that changes targeting releases after 2.0 can start landing in the master branch, laying the groundwork for 2.1 and beyond. I pushed the merge to master. So...
Categories: Open Source

Stop planning; fix the leak!

Sonar - Wed, 04/06/2016 - 14:32

So there you are: you’ve finally decided to install the SonarQube platform and run a couple of analyses on your projects, but it unveiled so many issues that your team doesn’t know where to start. Don’t be tempted to start fixing issues here and there! It could be an endless effort, and you would quickly be depressed by the amount of work that remains. Instead, the first thing you should do is make sure your development team fixes the leak. Apply this principle from the very beginning, and it will ensure that your code is progressively cleaned up as you update and refactor over time. This new paradigm is so efficient at managing code quality that it just makes the traditional “remediation plan” approach obsolete. Actually, so obsolete that related features will disappear in SonarQube 5.5: action plans and the ability to link an issue to a third party task management system.

“Why the heck are you dropping useful features? Again!?…”

Well, we’ve tried to dogfood and really use those features at SonarSource ever since we introduced them – but never managed to. Maybe the most obvious reason we never used them is that long before conceptualizing the “Leak” paradigm, we were already fixing the leak thanks to appropriate Quality Gates set on every one of our projects. And while doing so, nobody felt the need to rely on action plans or JIRA to manage his/her issues.

There are actually other reasons why those features never got used. First, action plans live only in the SonarQube server, so they don’t appear in your favorite task management system. Because of that, chances are that you will eventually miss the related deadlines. This is why you might be tempted to “link issues” to your task management system. But this “Link to” feature isn’t any better. Let’s say you’re using JIRA in your company. When you link an issue to JIRA, the SonarQube integration automatically creates a ticket for that issue. So if you want to keep track of 100 issues, you’ll end up with 100 JIRA tickets that aren’t really actionable (you just have a link back to SonarQube to identify every single issue) polluting your backlog. What’s even worse is that when an issue gets fixed in the code, it will be closed during the next SonarQube analysis, but the corresponding ticket in JIRA will remain open! In short, issues in the SonarQube server and tickets in JIRA just don’t have the same granularity.

“Still, there are cases when I really want to create a remediation plan. How can I do that?”

As discussed previously, you should really avoid defining a remediation plan, and instead take the opportunity to spend the energy on “fixing the leak”. Still, occasionally, you might be forced to do so. The main case we can think of is when you absolutely want to fix critical bugs or vulnerabilities found in legacy code that might really affect your business if they pop up in production. In that scenario, indeed you might want to create a dedicated remediation plan so that your development team gets rid of this operational risk.

The good thing is that SonarQube already has everything you need to clearly identify all those issues and plan a task to make sure they get fixed – whatever task management system you’re using:

  1. In the SonarQube UI:
    1. Start tagging issues you want to fix with a dedicated and specific tag, like “must-fix-for-v5.2”
    2. Create a public “issue filter” that displays only issues tagged with “must-fix-for-v5.2”
  2. In your task management system:
    1. Create a ticket in which you reference the URL of the issue filter
    2. Set a due date or a version
  3. You’re done! You have a remediation plan that you can manage like any other task and your team won’t forget to address those issues.

“So I don’t need anything more, then?”

Well, no. Defining remediation plans this way gives the best of both worlds: identifying issues to fix in the SonarQube UI, and planning the corresponding effort in your own beloved task management system.

And once again, remember that if your team fixes the leak, chances are you will not need to create a remediation plan any longer. So yes, even if I’m the one who initially developed Action Plans and the “Link to” features a long time ago, I think it’s really time to say bye bye…

Categories: Open Source

SonarQube 5.4 in Screenshots

Sonar - Fri, 04/01/2016 - 08:05

The team is proud to announce the release of 5.4, a more usable and informative version than ever before:

  • New “My Account” space to collect all your data in one place
  • “Execute Analysis” permission can now be granted at the project level
  • OAuth2 support
  • New “Code” page to list and search for the files in your project
  • Server restart from the UI
  • JavaScript and C# plugins embedded by default
  • Cross-module duplication is back!

New “My Account” space to collect all your data in one place

This version of the SonarQube server offers an almost complete overhaul of the “My Account” space to offer developers quicker access to their data:

Now you’ve got all your favorites in one place, and summaries of your personal “leak”, as well as your own personal Issues space:

Of course, you can still manage your notifications:

As well as the analysis tokens associated with your account:

Previously, an administrator had to manage these for you. Now the power is in your hands!

“Execute Analysis” permission can now be granted at project level

Speaking of power, execute analysis permission can now be granted at the project level, so you no longer need god-like powers just to analyze a single project:

OAuth2 support

Also in the security realm, this version adds support for OAuth2. There are already plugins available for GitHub and BitBucket:

Once you’ve installed the appropriate plugin, you’ll find its configurations under Administration > General > Security > [Provider].

New “Code” page to list and search for the files in your project

The venerable Components page has been replaced with a new “Code” space, which offers a more natural code browsing experience. Additionally, it offers a search that’s constrained to your project, versus the global search in the upper right:

Server restart from the UI

Since not everyone who administers a SonarQube instance has direct access to the filesystem, we’ve added the ability to restart the platform from the UI. You’ll find it in the Update Center when there are installs or updates pending:

JavaScript and C# plugins embedded by default

With this release, the JavaScript and C# language plugins join the ranks of the embedded-by-default, in addition to the Java, Git, and SVN plugins:

Cross-module duplication is back!

There’s not a lot to show here, but we’d be remiss in not mentioning the return of cross-module duplication detection. You may remember it was dropped in 5.2 because that version’s extensive changes meant a complete rewrite of cross-project and cross-module detection was needed. 5.3 brought back cross-project detection and 5.4 finishes the restoration of the feature.

That’s All, Folks!

Time now to download the new version and try it out. But don’t forget to read the installation or upgrade guide first!

Categories: Open Source

March 2016 St. Petersburg Jenkins Meetup Report

On March 10th we conducted the second Jenkins meetup in Saint Petersburg, Russia. The meetup topic was "Jenkins and Continuous Delivery". We had 3 talks addressing various aspects of Jenkins usage in this area.

Talks:

  • Introduction slides [ru]
  • Jenkins 2.0 and Pipeline-as-Code. Speaker: Oleg Nenashev, CloudBees. Presentation (en), Presentation (ru)
  • Continuous Delivery for Documentation. Speaker: Stanislav Ovchar, Motorola Solutions. Presentation (ru)
  • Continuous Delivery with Jenkins at ZeroTurnaround. Speaker: Sergei Egorov, ZeroTurnaround. Presentation (en)

We also had a long Jenkins afterparty. Starting from the next meetup we hope to make this part more official.

Links:

  • St. Petersburg Meetup page (follow the events here)
  • Event page on the Yandex.Events portal
  • St. Petersburg Meetup Twitter
  • Jenkins RU Twitter
  • Jenkins RU Gitter...
Categories: Open Source

Important notice regarding usage statistics

A bug was introduced in Jenkins versions 1.645 and 1.642.2 which caused Jenkins to send anonymous usage statistics, even if the administrator opted out of reporting usage data in the Jenkins web UI. If you are running one of the affected versions, the best/easiest solution is to upgrade. The bug does not affect Jenkins 1.653 or newer, or Jenkins LTS 1.642.4 or newer. If you cannot upgrade, it is possible to immediately disable submission of usage statistics by running the following script in "Manage Jenkins » Script Console":

  hudson.model.UsageStatistics.DISABLED = true

This will immediately disable usage data submission until you restart Jenkins. To make this permanent, change your Jenkins...
Categories: Open Source

Jenkins 2.0 beta released

We released the Jenkins 2.0 beta earlier today. Download it here and try it! Besides a number of bug fixes and minor improvements, the following changes are new since the last alpha preview release:

Redesigned "New Item" page

We redesigned the "New Item" page. Item types now have icons to be more visually distinctive. Additionally, item types can now define a category they belong to (such as "Project" or "Folder"). Once the complexity of the "New Item" page reaches a certain threshold, the item types will be grouped into categories to be easier to find. However, for now, it's unlikely that you will see...
Categories: Open Source