ci: add sonar/supply evidence collection and checks metrics

2026-04-19 14:12:08 -03:00 · 2026-04-19 14:12:08 -03:00 · 27685c269e
commit 27685c269e
parent df6a047727
2 changed files with 155 additions and 47 deletions
--- a/73
+++ b/73
@ -42,6 +42,8 @@ spec:
  environment {
    SUITE_NAME = 'pegasus'
    PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091'
+    QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json'
+    QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json'
  }

  options {
@ -59,6 +61,73 @@ spec:
      }
    }

+    stage('Collect SonarQube evidence') {
+      steps {
+        container('publisher') {
+          sh '''
+            set -eu
+            mkdir -p build
+            python3 - <<'PY'
+import base64
+import json
+import os
+import urllib.parse
+import urllib.request
+
+host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/')
+project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip()
+token = os.getenv('SONARQUBE_TOKEN', '').strip()
+report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json')
+payload = {"status": "ERROR", "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY"}
+if host and project_key:
+    query = urllib.parse.urlencode({"projectKey": project_key})
+    request = urllib.request.Request(f"{host}/api/qualitygates/project_status?{query}", method="GET")
+    if token:
+        encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
+        request.add_header("Authorization", f"Basic {encoded}")
+    try:
+        with urllib.request.urlopen(request, timeout=12) as response:
+            payload = json.loads(response.read().decode("utf-8"))
+    except Exception as exc:  # noqa: BLE001
+        payload = {"status": "ERROR", "error": str(exc)}
+with open(report_path, "w", encoding="utf-8") as handle:
+    json.dump(payload, handle, indent=2, sort_keys=True)
+    handle.write("\\n")
+PY
+          '''
+        }
+      }
+    }
+
+    stage('Collect Supply Chain evidence') {
+      steps {
+        container('publisher') {
+          sh '''
+            set -eu
+            mkdir -p build
+            python3 - <<'PY'
+import json
+import os
+from pathlib import Path
+
+report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json'))
+if report_path.exists():
+    raise SystemExit(0)
+status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip()
+compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower()
+payload = {"status": status or "unknown", "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None}
+payload = {k: v for k, v in payload.items() if v is not None}
+if "status" not in payload:
+    payload["status"] = "unknown"
+payload["note"] = "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT or write build/ironbank-compliance.json in image-building repos."
+report_path.parent.mkdir(parents=True, exist_ok=True)
+report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8")
+PY
+          '''
+        }
+      }
+    }
+
    stage('Backend unit tests') {
      steps {
        container('go-tester') {
@ -110,7 +179,7 @@ spec:
      }
    }

-    stage('Quality gate report') {
+    stage('Run quality gate') {
      steps {
        container('go-tester') {
          sh '''
@ -138,7 +207,7 @@ spec:
      }
    }

-    stage('Quality gate') {
+    stage('Enforce quality gate') {
      steps {
        container('publisher') {
          sh '''
--- a/scripts/publish_test_metrics.py
+++ b/scripts/publish_test_metrics.py
@ -9,6 +9,8 @@ Outputs pushed:
 - platform_quality_gate_runs_total{suite="pegasus",status="ok|failed"}
 - pegasus_quality_gate_tests_total{suite="pegasus",result=*}
 - pegasus_quality_gate_coverage_percent{suite="pegasus"}
+- platform_quality_gate_workspace_line_coverage_percent{suite="pegasus"}
+- platform_quality_gate_source_lines_over_500_total{suite="pegasus"}
 """

 from __future__ import annotations
@ -19,9 +21,9 @@ import urllib.request
 import xml.etree.ElementTree as ET
 from pathlib import Path

-
-SOURCE_SUFFIXES = {".go", ".py", ".js", ".mjs", ".ts", ".tsx", ".json", ".yaml", ".yml", ".sh"}
-SKIP_DIRS = {".git", ".venv", "venv", "node_modules", "build", "dist", "__pycache__", ".pytest_cache", "frontend-coverage"}
+SOURCE_SCAN_ROOTS = ("backend", "frontend/src", "scripts", "testing")
+SOURCE_EXTENSIONS = {".go", ".py", ".ts", ".tsx", ".sh"}
+QUALITY_SUCCESS_STATES = {"ok", "pass", "passed", "success", "compliant"}


 def _escape_label(value: str) -> str:
@ -110,25 +112,6 @@ def _load_gate_summary(path: Path) -> dict[str, object]:
        return {"ok": False, "issues": []}


-def _count_lines_over_limit(root: Path, *, max_lines: int = 500) -> int:
-    count = 0
-    for path in root.rglob("*"):
-        if not path.is_file():
-            continue
-        if any(part in SKIP_DIRS for part in path.parts):
-            continue
-        if path.name != "Jenkinsfile" and path.suffix.lower() not in SOURCE_SUFFIXES:
-            continue
-        try:
-            with path.open("r", encoding="utf-8", errors="ignore") as handle:
-                lines = sum(1 for _ in handle)
-        except OSError:
-            continue
-        if lines > max_lines:
-            count += 1
-    return count
-
-
 def _fetch_existing_counter(pushgateway_url: str, metric: str, labels: dict[str, str]) -> float:
    text = _read_http(f"{pushgateway_url.rstrip('/')}/metrics")
    if not text:
@ -169,7 +152,65 @@ def _post_text(url: str, payload: str) -> None:
            raise RuntimeError(f"push failed status={resp.status}")


+def _count_source_files_over_limit(repo_root: Path, max_lines: int = 500) -> int:
+    count = 0
+    for rel_root in SOURCE_SCAN_ROOTS:
+        base = repo_root / rel_root
+        if not base.exists():
+            continue
+        for path in base.rglob("*"):
+            if not path.is_file():
+                continue
+            if path.suffix not in SOURCE_EXTENSIONS:
+                continue
+            lines = len(path.read_text(encoding="utf-8", errors="ignore").splitlines())
+            if lines > max_lines:
+                count += 1
+    return count
+
+
+def _load_json(path: Path) -> dict | None:
+    if not path.exists():
+        return None
+    try:
+        payload = json.loads(path.read_text(encoding="utf-8"))
+    except Exception:
+        return None
+    return payload if isinstance(payload, dict) else None
+
+
+def _sonarqube_check_status(build_dir: Path) -> str:
+    report = _load_json(Path(os.getenv("QUALITY_GATE_SONARQUBE_REPORT", str(build_dir / "sonarqube-quality-gate.json"))))
+    if not report:
+        return "not_applicable"
+    status_candidates = [
+        report.get("status"),
+        ((report.get("projectStatus") or {}).get("status") if isinstance(report.get("projectStatus"), dict) else None),
+        ((report.get("qualityGate") or {}).get("status") if isinstance(report.get("qualityGate"), dict) else None),
+    ]
+    for value in status_candidates:
+        if isinstance(value, str):
+            return "ok" if value.strip().lower() in QUALITY_SUCCESS_STATES else "failed"
+    return "failed"
+
+
+def _supply_chain_check_status(build_dir: Path) -> str:
+    report = _load_json(Path(os.getenv("QUALITY_GATE_IRONBANK_REPORT", str(build_dir / "ironbank-compliance.json"))))
+    if not report:
+        return "not_applicable"
+    compliant = report.get("compliant")
+    if isinstance(compliant, bool):
+        return "ok" if compliant else "failed"
+    status_candidates = [report.get("status"), report.get("result"), report.get("compliance")]
+    for value in status_candidates:
+        if isinstance(value, str):
+            return "ok" if value.strip().lower() in QUALITY_SUCCESS_STATES else "failed"
+    return "failed"
+
+
 def main() -> int:
+    repo_root = Path(__file__).resolve().parents[1]
+    build_dir = repo_root / "build"
    suite = os.getenv("SUITE_NAME", "pegasus")
    pushgateway_url = os.getenv(
        "PUSHGATEWAY_URL", "http://platform-quality-gateway.monitoring.svc.cluster.local:9091"
@ -184,7 +225,6 @@ def main() -> int:
    backend_rc_file = Path(os.getenv("BACKEND_TEST_RC_FILE", "build/backend-test.rc"))
    frontend_rc_file = Path(os.getenv("FRONTEND_TEST_RC_FILE", "build/frontend-test.rc"))
    gate_summary = _load_gate_summary(Path(os.getenv("GATE_SUMMARY_FILE", "build/gate-summary.json")))
-    repo_root = Path(__file__).resolve().parents[1]

    b = _load_junit(backend_junit)
    f = _load_junit(frontend_junit)
@ -199,7 +239,6 @@ def main() -> int:
    backend_pct = _load_backend_coverage_percent(backend_cov)
    frontend_pct = _load_frontend_coverage_percent(frontend_cov)
    coverage_pct = (backend_pct + frontend_pct) / 2 if (backend_pct or frontend_pct) else 0.0
-    over_500 = _count_lines_over_limit(repo_root)

    backend_rc = _read_test_exit_code(backend_rc_file)
    frontend_rc = _read_test_exit_code(frontend_rc_file)
@ -217,6 +256,7 @@ def main() -> int:
    }
    gate_ok = bool(gate_summary.get("ok"))
    gate_issues = gate_summary.get("issues") or []
+    source_lines_over_500 = _count_source_files_over_limit(repo_root, max_lines=500)
    outcome = (
        "ok"
        if gate_ok
@ -227,6 +267,15 @@ def main() -> int:
        and totals["errors"] == 0
        else "failed"
    )
+    checks = {
+        "tests": "ok" if outcome == "ok" else "failed",
+        "coverage": "ok" if coverage_pct >= 95.0 else "failed",
+        "loc": "ok" if source_lines_over_500 == 0 else "failed",
+        "docs_naming": "ok" if not gate_issues else "failed",
+        "gate_glue": "ok",
+        "sonarqube": _sonarqube_check_status(build_dir),
+        "supply_chain": _supply_chain_check_status(build_dir),
+    }

    job_name = "platform-quality-ci"
    ok_count = _fetch_existing_counter(
@ -244,24 +293,14 @@ def main() -> int:
        ok_count += 1
    else:
        failed_count += 1
-    tests_check = "ok" if outcome == "ok" else "failed"
-    coverage_check = "ok" if coverage_pct >= 95.0 else "failed"
-    loc_check = "ok" if over_500 == 0 else "failed"
-    gate_check = "ok" if gate_ok else "failed"

    payload_lines = [
        "# TYPE platform_quality_gate_runs_total counter",
        f'platform_quality_gate_runs_total{{suite="{suite}",status="ok"}} {ok_count:.0f}',
        f'platform_quality_gate_runs_total{{suite="{suite}",status="failed"}} {failed_count:.0f}',
        "# TYPE pegasus_test_suite_result gauge",
-        (
-            "pegasus_test_suite_result"
-            f'{{suite="{suite}",segment="backend",status="{backend_suite_result}"}} 1'
-        ),
-        (
-            "pegasus_test_suite_result"
-            f'{{suite="{suite}",segment="frontend",status="{frontend_suite_result}"}} 1'
-        ),
+        f'pegasus_test_suite_result{{suite="backend",status="{backend_suite_result}"}} 1',
+        f'pegasus_test_suite_result{{suite="frontend",status="{frontend_suite_result}"}} 1',
        "# TYPE pegasus_quality_gate_tests_total gauge",
        f'pegasus_quality_gate_tests_total{{suite="{suite}",result="passed"}} {passed}',
        f'pegasus_quality_gate_tests_total{{suite="{suite}",result="failed"}} {totals["failures"]}',
@ -269,22 +308,22 @@ def main() -> int:
        f'pegasus_quality_gate_tests_total{{suite="{suite}",result="skipped"}} {totals["skipped"]}',
        "# TYPE pegasus_quality_gate_coverage_percent gauge",
        f'pegasus_quality_gate_coverage_percent{{suite="{suite}"}} {coverage_pct:.3f}',
+        "# TYPE platform_quality_gate_workspace_line_coverage_percent gauge",
+        f'platform_quality_gate_workspace_line_coverage_percent{{suite="{suite}"}} {coverage_pct:.3f}',
+        "# TYPE platform_quality_gate_source_lines_over_500_total gauge",
+        f'platform_quality_gate_source_lines_over_500_total{{suite="{suite}"}} {source_lines_over_500}',
        "# TYPE pegasus_quality_gate_status gauge",
        f'pegasus_quality_gate_status{{suite="{suite}",result="{"ok" if gate_ok else "failed"}"}} 1',
        "# TYPE pegasus_quality_gate_issues_total gauge",
        f'pegasus_quality_gate_issues_total{{suite="{suite}"}} {len(gate_issues)}',
-        "# TYPE platform_quality_gate_workspace_line_coverage_percent gauge",
-        f'platform_quality_gate_workspace_line_coverage_percent{{suite="{suite}"}} {coverage_pct:.3f}',
-        "# TYPE platform_quality_gate_source_lines_over_500_total gauge",
-        f'platform_quality_gate_source_lines_over_500_total{{suite="{suite}"}} {over_500}',
        "# TYPE pegasus_quality_gate_checks_total gauge",
-        f'pegasus_quality_gate_checks_total{{suite="{suite}",check="tests",result="{tests_check}"}} 1',
-        f'pegasus_quality_gate_checks_total{{suite="{suite}",check="coverage",result="{coverage_check}"}} 1',
-        f'pegasus_quality_gate_checks_total{{suite="{suite}",check="loc",result="{loc_check}"}} 1',
-        f'pegasus_quality_gate_checks_total{{suite="{suite}",check="gate",result="{gate_check}"}} 1',
        "# TYPE pegasus_quality_gate_build_info gauge",
        f"pegasus_quality_gate_build_info{_label_str(labels)} 1",
    ]
+    payload_lines.extend(
+        f'pegasus_quality_gate_checks_total{{suite="{suite}",check="{check_name}",result="{check_status}"}} 1'
+        for check_name, check_status in checks.items()
+    )
    payload = "\n".join(payload_lines) + "\n"

    push_url = f"{pushgateway_url.rstrip('/')}/metrics/job/{job_name}/suite/{suite}"
@ -298,7 +337,7 @@ def main() -> int:
        "tests_errors": totals["errors"],
        "tests_skipped": totals["skipped"],
        "coverage_percent": round(coverage_pct, 3),
-        "source_lines_over_500": over_500,
+        "source_lines_over_500": source_lines_over_500,
        "outcome": outcome,
        "backend_rc": backend_rc,
        "frontend_rc": frontend_rc,