Sonar plugin for TIBCO BW 6.x and BWCE projects

What does the Sonar plugin for TIBCO BW 6.x / BWCE do?

The Sonar plugin for TIBCO BW 6.x / BWCE performs automated code review and continuous inspection of BW 6.x / BWCE projects and EAR files. It is an extension to the SonarQube server: it runs static analysis by invoking the BW6 Code Scanner (either the command line version or the cloud enterprise version) and pushes the resulting code violations and issues to the SonarQube server.

The plugin can be included in a DevOps pipeline for continuous code quality checks. It can be invoked from Jenkins, Hudson or any similar tool to check for code violations and, in a configurable way, break the build when critical or major violations are found. Issues are displayed in the SonarQube GUI, and all the usual SonarQube server actions (assigning, changing severity, adding comments, etc.) are supported.

Because every analysis snapshot is stored in the SonarQube repository, the BW6CS Sonar plugin also lets you track trends in software quality over time. If you would like a demo of the TIBCO BW 6.x / BWCE plugin, contact us for an overview of the features and to learn how to set up static code analysis for your BW 6.x or BWCE projects.


Plugin Details

Key Features

  • Multiple OS Support: the BW 6.x / BWCE Sonar plugin for BW6 Code Scanner is compatible with all SonarQube LTS versions and runs on any OS or IaaS platform that runs the SonarQube server. It works with both the on-premise and the Cloud version of BW6 Code Scanner.
  • Multi-Project Analysis: one or more projects can be analyzed in a single run. The plugin identifies all BW6 / BWCE projects and EAR files within a directory and performs a code review on all of them.
  • Project Snapshot: provides a snapshot of the number of global variables, processes, resources, transitions and mappings for each project in the General section.
  • Security Vulnerabilities check: the BW6CS Sonar plugin tags security vulnerabilities with a CWE classification. Clicking the cwe tag under Issues lists all vulnerabilities with their CWE ID and a description of how to fix them.
  • Recommendations to Fix: in addition to identifying issues, the BW6CS Sonar plugin provides a recommendation on how to fix each issue, together with the activity name, path details or the GV name / value that needs the fix.
  • Custom Reports: the plugin accepts an override file, similar to the one used by BW6 Code Scanner, to customize descriptions and other parameters and to ignore any of the rules or process definitions, so that the report follows your own conventions and guidelines.

Installation Steps

BW6CS SonarQube plugin Installation Steps

The steps to install the Sonar plugin for TIBCO BW 6.x / BWCE projects are the same as for the BW5CS Sonar plugin, as noted in Installation Steps. As described there, download the SonarQube LTS version and the enterprise version of the BW6CS Sonar plugin from the download portal. Copy sonar-ccl-tib-bw6cs-plugin-.jar into the extensions/plugins folder of the SonarQube server and restart the server. If an older version of the plugin jar is already in that folder, remove it first: SonarQube does not start when two versions of the same plugin are present.
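The following script is an added example and is not the vendor's installer: it copies the plugin jar into extensions/plugins only after checking its SHA-256 against a value the operator obtained from the download portal, and it removes any older version of the same jar so that the server can start. The expected digest, the temporary layout used by self_check() and the jar contents are constructed for the example; the server stop/restart is left to the caller.

```python
"""
Install or upgrade the BW6CS plugin jar in a SonarQube extensions/plugins folder
with a digest check. Added example; not the vendor's installer. Assumes the
expected SHA-256 was taken from the download portal and is supplied by the caller,
and that the SonarQube server is stopped and restarted by the caller.
"""
import hashlib
import hmac
import pathlib
import shutil
import tempfile

# Jar name from the installation notes; the version suffix is whatever you downloaded.
PLUGIN_PREFIX = "sonar-ccl-tib-bw6cs-plugin-"


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large jars do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def install_plugin(jar_path, expected_sha256, plugins_dir):
    """Verify the jar digest, remove older versions of the same plugin and copy
    the jar into plugins_dir. Returns (installed_path, removed_names).
    Nothing is touched in plugins_dir unless the digest matches."""
    jar = pathlib.Path(jar_path)
    plugins = pathlib.Path(plugins_dir)
    if not (jar.name.startswith(PLUGIN_PREFIX) and jar.suffix == ".jar"):
        raise ValueError("not a BW6CS plugin jar: %s" % jar.name)
    actual = sha256_of(jar)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise ValueError("digest mismatch for %s: expected %s, got %s"
                         % (jar.name, expected_sha256, actual))
    plugins.mkdir(parents=True, exist_ok=True)
    removed = []
    # SonarQube fails to start when two versions of one plugin sit in extensions/plugins.
    for old in plugins.glob(PLUGIN_PREFIX + "*.jar"):
        if old.name != jar.name:
            old.unlink()
            removed.append(old.name)
    destination = plugins / jar.name
    shutil.copy2(jar, destination)
    return destination, removed


def self_check():
    """Exercise the installer on a constructed layout in a temp dir: a fake old
    jar already installed, a fake new jar to install, and a tampered copy of the
    new jar whose digest will not match. Returns what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        plugins = root / "extensions" / "plugins"
        plugins.mkdir(parents=True)
        (plugins / (PLUGIN_PREFIX + "1.0.jar")).write_bytes(b"old plugin")  # constructed
        new_jar = root / (PLUGIN_PREFIX + "2.0.jar")
        new_jar.write_bytes(b"new plugin bytes")                           # constructed
        expected = sha256_of(new_jar)  # stands in for the portal's published digest
        installed, removed = install_plugin(new_jar, expected, plugins)

        tampered = root / "tampered" / (PLUGIN_PREFIX + "2.0.jar")
        tampered.parent.mkdir()
        tampered.write_bytes(b"new plugin bytes + extra")                  # constructed
        try:
            install_plugin(tampered, expected, plugins)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "installed": installed.name,
            "removed": removed,
            "remaining": sorted(p.name for p in plugins.iterdir()),
            "tampered_rejected": rejected,
        }


if __name__ == "__main__":
    print(self_check())
```

Run install_plugin with the real jar, the digest from the download portal and the server's extensions/plugins path, then restart SonarQube as the installation notes describe.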


Configuration Steps for TIBCO BW6/BWCE Sonar plugin

Plugin default setup

  • To set up the default configuration of the plugin, log in to the SonarQube server as an administrator.
  • Click Administration at the top right. This should open Configuration / General Settings by default; if it does not, click Configuration and select General Settings. CCL BW6CS Sonar plugin is listed on the left (screenshot: BW6CS_Global_config_setup).
  • For the command line executable name, use bw6cs.bat on Windows or bw6cs.sh on Linux / Unix systems (screenshot: Global_config_bw6cs_command_line).
  • Configure the full absolute path to the directory containing the command line version of BW6CS (screenshot: Global_config_bw6cs_command_line_path). Because the plugin executes the command named here, keep that directory writable only by the account that runs the analysis, and leave these settings to SonarQube administrators.

Project Level Setup

In addition to the default rules override file at the Global level, a rules override file can be set at the Project level for the BW6CS Sonar plugin. The project-level file takes precedence for that project.

  • Open the project from Projects, then go to Administration / General Settings. The override file option is available under CCL BW6CS Sonar plugin (screenshot: BW6CS_Project_config_rules_override).

Performing Project Analysis

Any analyzer supported by SonarQube can be used to run the analysis on BW6 / BWCE projects. The only dependency is that the plugin is installed correctly on the server.

sonar-project.properties file configuration

# Unique project key for the BW6 project
sonar.projectKey=bw6-newProject

# Name and version displayed in the SonarQube GUI. Mandatory fields prior to SonarQube 6.1.
sonar.projectName=My BWCE project
sonar.projectVersion=1.0

# Source directory. Optional if sonar.modules is set.
sonar.sources=.
# Language key of the CCL BW6CS plugin
sonar.language=ccltibbw6

# Source code encoding. The system encoding is the default.
sonar.sourceEncoding=UTF-8

# CCL BW6CS plugin options

# Path to the rules override file. Overrides the default file configured in the Administration UI.
sonar.ccl.cl.fullOverrideFilePath=/opt/ccl/bw6RulesOverride.xml

For additional properties, refer to the SonarQube docs (Analysis Parameters). For example, to send results to a remote SonarQube server, set sonar.host.url. Pass the authentication token to the scanner from the CI environment rather than committing it to the properties file.

Order of properties evaluation

The order in which the properties are evaluated is the same as described for the BW5CS SonarQube plugin (Properties Evaluation Sequence).

Running Project Analysis

Analysis of a project with the BW6CS Sonar plugin is performed in the same way as a BW5CS Sonar analysis. Please refer to Analyzing the project.
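The overview mentions breaking the build when critical or major violations are found. The script below is an added example of how a pipeline step can do that after sonar-scanner has run; it is not part of the BW6CS plugin or of SonarQube. It reads the report-task.txt that sonar-scanner writes under .scannerwork, waits for the server-side background task, and then fails the build if the quality gate is not OK or if unresolved BLOCKER, CRITICAL or MAJOR issues remain. Assumptions: the SonarQube web API endpoints api/ce/task, api/qualitygates/project_status and api/issues/search as documented for the 6.7.x server, a user token in the SONAR_TOKEN environment variable, and the 6.7-era componentKeys parameter name (later servers call it components).

```python
"""
Post-analysis build breaker for a CI pipeline (Jenkins, Hudson or similar).
Added example, not part of the BW6CS plugin or of SonarQube. Assumes the
SonarQube 6.7.x web API endpoints api/ce/task, api/qualitygates/project_status
and api/issues/search, and a user token in SONAR_TOKEN.
"""
import base64
import json
import os
import sys
import time
import urllib.parse
import urllib.request

# Severities that must not remain open for the build to pass.
FAIL_SEVERITIES = ("BLOCKER", "CRITICAL", "MAJOR")


def parse_report_task(text):
    """Parse the key=value lines of .scannerwork/report-task.txt
    (projectKey, serverUrl, ceTaskId, ...)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def api_get(server_url, token, path, params):
    """GET a SonarQube web API endpoint. A user token is sent as the basic-auth
    user name with an empty password, which is how SonarQube expects it."""
    url = "%s/%s?%s" % (server_url.rstrip("/"), path, urllib.parse.urlencode(params))
    request = urllib.request.Request(url)
    credentials = base64.b64encode(("%s:" % token).encode()).decode()
    request.add_header("Authorization", "Basic " + credentials)
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def wait_for_task(server_url, token, task_id, timeout_seconds=900, poll_seconds=5):
    """Poll api/ce/task until the background task reaches a terminal state."""
    deadline = time.monotonic() + timeout_seconds
    while time.monotonic() < deadline:
        task = api_get(server_url, token, "api/ce/task", {"id": task_id})["task"]
        if task["status"] in ("SUCCESS", "FAILED", "CANCELED"):
            return task
        time.sleep(poll_seconds)
    raise TimeoutError("SonarQube background task %s did not finish" % task_id)


def blocking_issues(issues_page, severities=FAIL_SEVERITIES):
    """Unresolved issues of the given severities from an api/issues/search page."""
    return [
        issue for issue in issues_page.get("issues", [])
        if issue.get("severity") in severities
        and issue.get("status") not in ("RESOLVED", "CLOSED")
    ]


def build_verdict(project_status, issues_page, severities=FAIL_SEVERITIES):
    """Decide whether the build may proceed. Returns (ok, reasons)."""
    reasons = []
    status = project_status.get("projectStatus", {}).get("status")
    if status != "OK":
        reasons.append("quality gate status is %s" % status)
    for issue in blocking_issues(issues_page, severities):
        reasons.append("%s %s: %s" % (issue.get("severity"), issue.get("rule"),
                                      issue.get("message")))
    return (not reasons, reasons)


def main():
    with open(".scannerwork/report-task.txt") as handle:
        report = parse_report_task(handle.read())
    server_url = report["serverUrl"]
    token = os.environ["SONAR_TOKEN"]

    task = wait_for_task(server_url, token, report["ceTaskId"])
    if task["status"] != "SUCCESS":
        sys.exit("analysis task ended with status %s" % task["status"])

    project_status = api_get(server_url, token, "api/qualitygates/project_status",
                             {"analysisId": task["analysisId"]})
    # componentKeys is the 6.7-era parameter; newer servers name it components.
    issues_page = api_get(server_url, token, "api/issues/search",
                          {"componentKeys": report["projectKey"],
                           "severities": ",".join(FAIL_SEVERITIES),
                           "resolved": "false", "ps": "500"})
    ok, reasons = build_verdict(project_status, issues_page)
    for reason in reasons:
        print("BUILD BREAKER:", reason)
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

Run it as the pipeline step right after sonar-scanner, from the same working directory, so that .scannerwork/report-task.txt is found; a non-zero exit code breaks the build. Polling the background task matters because the scanner returns before the server has finished computing the quality gate.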

Analysis Review

The screens used to review an analysis may look different depending on your version of the SonarQube server. All screenshots referred to below are from the 6.7.x LTS version.

  • After the analysis completes, the project snapshot is shown on the Projects screen of the SonarQube server UI (screenshot: BW6_Project_Snapshot).
  • Issues found in the BW6 project source code are classified as Bugs, Vulnerabilities and Code Smells, following the SonarQube convention.
  • Clicking the project name on the Projects screen opens the Project overview page (screenshot: BW6_Project_Overview).
  • The Measures tab shows metrics on the number of Processes, Activities, Connections, Global Variables, mappings and transitions (screenshot: BW6_Project_Measures).
  • To view all code violations in the scanned project(s), click the Issues tab. Each issue shows the description of the violation for a process definition or a resource, a recommendation on how to fix it, and then the Activity/Path and the associated configuration name/value. If the issue has a CWE classification, the corresponding CWE-ID is displayed as well. The descriptions can be overridden with the rules override file at the project level or at the Global level, as noted above (screenshot: BW6_Project_Issues).
  • Click Bug, Vulnerability or Code Smell to switch between issue types, or click Critical, Major etc. under Severity to list the issues of that severity.
  • Clicking cwe under Tags lists all violations that carry a CWE-ID (screenshot: BW6_roject_CWE).
  • An issue can be assigned to a specific user, its severity can be changed, and so on: all the standard SonarQube features are available for the analysis of BW6 / BWCE projects.