bluemsi/2nd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9107796cbe61de68fc28991b643dc4b8da4cd4fa
2nd/10_Wiki/Topics/AI_and_ML/SonarQube.md
T
koriweb d8a80f6272 chore(wiki): dangling 링크 canonical 정규화 (768파일/1200건) 
이름만 다른(표기 변형) [[위키링크]]를 대상 문서의 canonical 제목으로 치환해
끊겼던 1,200개 링크를 연결. 제목/파일명 정규화 일치만 적용하고 별칭 매칭은
과병합 위험으로 제외(애매성 가드). 원본은 _link_reconcile_backup/ 에 백업.
도구: Datacollect/scripts/link_reconcile_apply.mjs

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 12:24:15 +09:00

207 lines
6.5 KiB
Markdown
Raw Blame History

---
id: wiki-2026-0508-sonarqube
title: SonarQube
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Sonar, SonarQube Server, Sonar Cloud, SonarLint]
duplicate_of: none
source_trust_level: A
confidence_score: 0.95
verification_status: applied
tags: [code-quality, sast, static-analysis, devsecops, sonarqube]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
language: multi
framework: SonarQube Server 10.x / SonarCloud
---
# SonarQube
## 매 한 줄
> **"매 Clean Code 매 quality gate 의 enforce — bug + vuln + smell + hotspot"**. SonarQube 매 SonarSource 의 self-hosted/cloud SAST + code quality platform, 30+ language support, 매 PR-decoration + branch-analysis. 매 2026 매 SonarQube Server 10.6 LTA + SonarCloud + AI-fix (CodeFix) integration.
## 매 핵심
### 매 4 issue type
1. **Bug**: 매 logical defect (NPE, infinite loop).
2. **Vulnerability**: 매 security flaw (SQL injection, XSS).
3. **Code Smell**: 매 maintainability (cyclomatic, duplication).
4. **Security Hotspot**: 매 manual-review-required (sensitive context, e.g., crypto usage).
### 매 Clean Code attributes (2024+)
- **Consistent**, **Intentional**, **Adaptable**, **Responsible** (4 + 16 sub-attrs).
- 매 legacy A-E rating 매 still present 의 backward-compat.
- 매 issue 매 Clean Code attribute 매 always tag.
### 매 Quality Gate
- 매 PR/branch 매 pass/fail criteria.
- Default ("Sonar way"): 매 new code 매 0 bug, 0 vuln, coverage ≥ 80%, duplication ≤ 3%.
- 매 "Clean as You Code" 매 philosophy: 매 new code 만 strict, 매 legacy 의 grandfather.
### 매 deployment
- **Community Build** (free, OSS): 매 limited rules + no branch/PR analysis.
- **Developer / Enterprise / Data Center** (paid).
- **SonarCloud**: SaaS. 매 OSS public repo 매 free.
- **SonarLint**: 매 IDE plugin (VSCode, IntelliJ, Cursor 2026 native).
### 매 응용
1. CI quality gate.
2. PR decoration (GitHub/GitLab/Bitbucket/Azure DevOps).
3. Compliance reporting (OWASP, CWE, PCI DSS).
4. Tech-debt SQALE rating.
## 💻 패턴
### sonar-project.properties
```properties
sonar.projectKey=acme:web-api
sonar.projectName=ACME Web API
sonar.projectVersion=2.4.0
sonar.sources=src
sonar.tests=tests
sonar.exclusions=**/generated/**,**/node_modules/**
sonar.coverage.exclusions=**/*.test.ts,**/migrations/**
sonar.javascript.lcov.reportPaths=coverage/lcov.info
sonar.python.coverage.reportPaths=coverage.xml
sonar.qualitygate.wait=true
```
### GitHub Actions
```yaml
# .github/workflows/sonar.yml
name: SonarQube
on:
push: { branches: [main] }
pull_request: { types: [opened, synchronize, reopened] }
jobs:
sonar:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 } # full history for blame
- uses: actions/setup-node@v4
with: { node-version: 20 }
- run: npm ci && npm test -- --coverage
- uses: SonarSource/sonarqube-scan-action@v3
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
```
### Maven scan
```bash
mvn verify sonar:sonar \
-Dsonar.projectKey=acme:api \
-Dsonar.host.url=https://sonar.acme.com \
-Dsonar.token=$SONAR_TOKEN \
-Dsonar.qualitygate.wait=true
```
### Docker self-host (SonarQube Server)
```yaml
# docker-compose.yml
services:
sonarqube:
image: sonarqube:10.6-community
ports: ["9000:9000"]
environment:
- SONAR_JDBC_URL=jdbc:postgresql://db:5432/sonar
- SONAR_JDBC_USERNAME=sonar
- SONAR_JDBC_PASSWORD=sonar
volumes:
- sonar_data:/opt/sonarqube/data
- sonar_extensions:/opt/sonarqube/extensions
depends_on: [db]
db:
image: postgres:16
environment:
- POSTGRES_USER=sonar
- POSTGRES_PASSWORD=sonar
- POSTGRES_DB=sonar
volumes: [pg_data:/var/lib/postgresql/data]
volumes:
sonar_data: {}
sonar_extensions: {}
pg_data: {}
```
### Custom Quality Profile (API)
```bash
# Activate rule
curl -u $TOKEN: -X POST \
"$SONAR_URL/api/qualityprofiles/activate_rule" \
--data-urlencode "key=AYxxx" \
--data-urlencode "rule=javascript:S6418" \
--data-urlencode "severity=CRITICAL"
# Set as default
curl -u $TOKEN: -X POST \
"$SONAR_URL/api/qualityprofiles/set_default" \
--data-urlencode "language=js" \
--data-urlencode "qualityProfile=Acme JS Strict"
```
### Quality Gate condition (API)
```bash
curl -u $TOKEN: -X POST \
"$SONAR_URL/api/qualitygates/create_condition" \
-d "gateId=1&metric=new_coverage&op=LT&error=85"
```
### Programmatic gate check
```python
# check_gate.py
import requests, sys, os
r = requests.get(
f"{os.environ['SONAR_URL']}/api/qualitygates/project_status",
params={"projectKey": "acme:api", "branch": "main"},
auth=(os.environ['SONAR_TOKEN'], ''),
)
status = r.json()["projectStatus"]["status"]
print(f"Quality Gate: {status}")
sys.exit(0 if status == "OK" else 1)
```
## 매 결정 기준
| 상황 | Edition |
|---|---|
| OSS public repo | SonarCloud (free) |
| Self-host, no PR analysis | Community Build |
| Mid-size team, PR decoration | Developer Edition |
| Enterprise, multi-branch, security reports | Enterprise Edition |
| Compliance / data-residency | Data Center / self-host |
**기본값**: SonarCloud 매 OSS, Developer Edition 매 commercial team.
## 🔗 Graph
- 부모: [[Static-Analysis]] · [[SAST]] · [[Code-Quality]]
- 변형: [[CodeQL]] · [[Semgrep]]
- 응용: [[Quality-Gate]] · [[CI CD]] · [[Tech-Debt]]
- Adjacent: [[SCA_Fundamentals|SCA]] · [[OWASP Top 10]] · [[Clean-Code]]
## 🤖 LLM 활용
**언제**: 매 issue triage summary, 매 false-positive review, 매 custom rule draft (Sonar Way deviation), 매 SonarLint + Cursor inline-fix.
**언제 X**: 매 deterministic rule eval (use scanner), 매 production gate decision (human approve).
## ❌ 안티패턴
- **All-code strict**: 매 legacy 매 100k issue 의 overwhelm. 매 "Clean as You Code" 의 use.
- **Coverage-only gate**: 매 cov 80% 매 logic untested. 매 mutation testing 의 add.
- **Ignore hotspots**: 매 Security Hotspot 매 review 매 skip. 매 actual vuln 매 hidden.
- **No blame/SCM**: 매 issue ownership 매 unknown. 매 SCM integration 매 must.
- **Self-host no upgrade**: 매 LTA 매 missed → 매 stale rules + CVE on Sonar itself.
## 🧪 검증 / 중복
- Verified (SonarSource docs 10.6 LTA; Clean Code taxonomy 2024; OWASP Top 10 2021 mapping).
- Canonical for SonarQube topic.
- 신뢰도 A.
## 🕓 Changelog
| 날짜 | 변경 |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — full canonical content (Clean Code + Quality Gate + scanner patterns) |
Reference in New Issue View Git Blame Copy Permalink