
Discussion: official SonarSource Docker image vs. this repo's image #42

Open
newtmitch opened this issue Nov 25, 2020 · 3 comments

@newtmitch
Owner

newtmitch commented Nov 25, 2020

SonarScanner has an official Docker image available, and has for a while. See here and here for details. Although I'm happy to keep my project alive, I'd love to hear from consumers and contributors of this repo about whether the official image is the Better Way™ or if what I've done here has some distinct and specific value that the official image doesn't.

  • why do you use the image from this repo?
  • why do you use the official sonar image instead?

Please leave responses to this issue with your thoughts on using either image.

@newtmitch
Owner Author

I tried out the official Sonar Scanner image using the following commands, which align generally with the "try it out locally" commands I have in my README:

docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 sonarqube

SONARQUBE_URL=sonarqube:9000 && \
docker run \
    --rm \
    --link sonarqube \
    -e SONAR_HOST_URL="http://${SONARQUBE_URL}" \
    -v "$PWD:/usr/src" \
    sonarsource/sonar-scanner-cli \
    sonar-scanner -Dsonar.projectKey=myproject

I ran that image on some local source (python/javascript) of my own followed immediately by the image from this repo on the same source code. Both produced identical results in that one test (not definitive, but "something").

A few things to note about the official source image that differ from the one in this repo:

  • It uses alpine-3.11 as a base image, not openjdk, which means the dependencies are decoupled from the base image.
  • It installs JDK 11 to cover more potential architecture differences - uses apk's architecture output as the basis by which to install, likely in order to provide more options for host compatibility.
  • More secure installs of java and node (and possibly others) by making use of SHA hashes from downloaded archives.
  • Installs python3, shellcheck, pylint, typescript@3, and some other deps that the image in this repo doesn't currently include.
  • Smaller image by about 140MB (514MB -> 380MB).
  • No timezone tomfoolery (I don't remember why I originally did this, but it seems hacky at best).

So I'm interested in the thoughts / feedback from the community about how best to proceed. If you're not using the official image, why not?
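The checksum-verified install mentioned in the list above (java and node archives checked against published SHA hashes), as an added example that is not code from this repo or from SonarSource's Dockerfile: a small POSIX shell helper that downloads an archive and refuses it unless its SHA-256 matches a digest pinned in the build. The URL, digest and file name in the usage comment are placeholders, and `sha256_of` falls back to `shasum` so the same helper works on a BSD/macOS host.

```shell
#!/bin/sh
# Added example (not from this repo or the official image's Dockerfile):
# download an archive and accept it only if its SHA-256 matches a pinned digest.

# Print the SHA-256 of file $1. Uses GNU sha256sum when present, otherwise the
# BSD/macOS shasum tool, so the same script works on either kind of host.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Succeed (exit 0) only when file $1 hashes to the expected digest $2.
# The comparison is case-insensitive because published digests vary in case;
# an empty hash (unreadable file) is treated as a failure, not a match.
verify_sha256() {
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Download URL $1 to path $3 and verify it against digest $2.
# On mismatch the file is removed so a later build step cannot use it by accident.
fetch_verified() {
    curl -fsSL -o "$3" "$1" || return 1
    if verify_sha256 "$3" "$2"; then
        return 0
    fi
    echo "SHA-256 mismatch for $1; discarding $3" >&2
    rm -f "$3"
    return 1
}

# Usage in a Dockerfile RUN step (placeholder URL and digest, not a real archive):
#   fetch_verified "https://example.invalid/node-v12.tar.xz" \
#       "<sha256 published next to the archive>" /tmp/node.tar.xz
```

Pinning the digest in the build (rather than fetching a `.sha256` file from the same server at build time) is what makes this worthwhile: a swapped archive then fails the build instead of silently landing in the image.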

@serut

serut commented Dec 10, 2020

I migrated easily; I just replaced the image name. I think your image is well ranked on Google, that's it.

@sseide

sseide commented Apr 1, 2021

The original image is missing curl, and its busybox wget is very basic regarding TLS and has no HTTP auth support... therefore unusable.
curl/HTTP auth is needed to integrate SonarQube into build pipelines and wait for the full scan result (reference here: https://stackoverflow.com/questions/44086452/how-to-integrate-sonar-quality-gates-with-gitlab-ci/56494794#56494794)
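The pipeline-side wait that sseide describes, as an added example that is not part of this thread, of either image, or of the linked answer: a POSIX shell script that reads the `ceTaskId` from the `report-task.txt` the scanner writes, polls the SonarQube compute-engine task until it finishes, and then fails the job unless the quality gate is OK. It assumes curl is available in the job (so it runs in the CI stage, not inside the scanner container) and that `SONAR_TOKEN` holds a user token sent as the basic-auth username with an empty password; the server URL and ids in the comments are placeholders, and the JSON parsing is deliberately tiny so it needs no jq.

```shell
#!/bin/sh
# Added example (not from this repo, SonarSource, or the linked answer):
# block a build pipeline until the SonarQube analysis completes and fail it
# when the quality gate is not OK. Needs curl in the job environment and
# SONAR_TOKEN set to a user token.

# Print the value of key $1 from report-task.txt content supplied on stdin.
report_value() {
    sed -n "s/^$1=//p"
}

# Extract the first string field named $1 from a one-line JSON document on stdin.
# Splitting on commas first keeps sed's greedy match from picking the last
# occurrence (project_status repeats "status" inside each condition).
json_field() {
    tr ',' '\n' | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Real fetcher: authenticated GET. A token goes in the username slot with an
# empty password, which is how SonarQube's HTTP basic auth expects it.
sonar_get() {
    curl -sSf -u "${SONAR_TOKEN}:" "$1"
}

# Poll /api/ce/task until the background task leaves PENDING/IN_PROGRESS.
# $1 = fetch function, $2 = server URL, $3 = ceTaskId, $4 = max attempts.
# Prints the analysisId on SUCCESS; returns 1 on failure, cancellation or timeout.
wait_for_task() {
    attempt=0
    while [ "$attempt" -lt "$4" ]; do
        body=$("$1" "$2/api/ce/task?id=$3") || return 1
        status=$(printf '%s' "$body" | json_field status)
        case "$status" in
            SUCCESS) printf '%s' "$body" | json_field analysisId; return 0 ;;
            FAILED|CANCELED) echo "analysis task $3 ended with $status" >&2; return 1 ;;
        esac
        attempt=$((attempt + 1))
        sleep "${SONAR_POLL_SECONDS:-5}"
    done
    echo "timed out waiting for analysis task $3" >&2
    return 1
}

# Print the quality gate status for analysis $3 (typically OK or ERROR).
quality_gate_status() {
    "$1" "$2/api/qualitygates/project_status?analysisId=$3" | json_field status
}

# Top-level check. $1 = fetch function, $2 = path to report-task.txt.
# Returns 0 when the gate is OK, 1 when it is not, 2 when the analysis never finished.
check_quality_gate() {
    server=$(report_value serverUrl < "$2")
    task=$(report_value ceTaskId < "$2")
    analysis=$(wait_for_task "$1" "$server" "$task" "${SONAR_MAX_ATTEMPTS:-60}") || return 2
    gate=$(quality_gate_status "$1" "$server" "$analysis")
    if [ "$gate" = "OK" ]; then
        return 0
    fi
    echo "quality gate status is ${gate:-unknown}" >&2
    return 1
}

# Usage from a CI stage, after sonar-scanner has run in the same workspace:
#   check_quality_gate sonar_get .scannerwork/report-task.txt || exit 1
```

Passing the fetch function as a parameter keeps the polling logic testable without a server and makes it easy to swap curl for wget if a future image ships a wget that handles TLS and `Authorization` headers properly.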
