
SonarCloud creates projects from personal remote repositories



    • Type: MMF
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Labels:


      Why - Context

      Currently, as a user, when I sign up on SonarCloud:

      • I don't really know what to do
        • I'm lost because I expect this cloud service to guide me
        • As is the case for most cloud services, I would expect SonarCloud to ask me what repositories I want to analyse - but nothing happens
      • When I find the "Get Started", I follow some questions to end up on a command line to execute, for which I have to provide a "project key"
        • Some might ask: what is a "project key"? what should the project key of my repository be?
        • Some might even say: Why is SonarCloud even asking for this? Can't SonarCloud suggest or handle it for me?
        • When I choose a key, my first analysis might fail because it's already taken by someone else and I don't know that project keys are unique across organizations
          • Even worse, because for some kind of projects (Maven for instance), I'm not asked to specify a project key, I hardly understand what to do

      As a user, I would expect things to be simple, and SonarCloud to:

      1. ask which repositories I want to analyse,
      2. create the projects for me,
      3. on the empty projects, give me guidance on how to analyze them (until automatic analysis is available!)

      This would happen:

      • the first time I authenticate and want to analyze one or several repositories.
      • every time I want to analyse a new repository.

      Even though this is not our main target, users should still be able to create a project that is not related to a remote GH/BB/VSTS repository.

      What - Use Cases

      Restricted scope of this MMF

      In this MMF, we will first restrict the scope of project creation:

      • from *public* repositories located in:
        • GitHub personal organization
        • Bitbucket Cloud personal space
      • into the user's personal organization in SonarCloud

      We'll extend the scope to any repositories in a second step.

      Use cases

      As a new GH/BB user:

      1. When I sign up, SonarCloud asks me what I want to do: analyse a public project, set up SonarCloud for private projects or join a team. I choose "Analyse a public project"
      2. <Installation of the app> TBD
      3. I arrive on a page where I can choose between:
        • Selecting remote public repositories located in my personal organization
          • These repositories can be analyzed only in my personal SonarCloud org => the UX must be clear about this
          • Question: do I have to install the GH or BB app prior to this screen?
        • Choose to create a project if I'm not in the first case
          • In this case, I will be able to choose in which org I want to create the project
      4. Depending on which option I choose:
        • Selection of remote personal public repositories
          1. I select one or more repositories
          2. I click on a button ("Next" for instance)
          3. I end up on the "Projects" page of my personal org where I see the projects created for me, with a clear message that I need to do something so that they get analysed (or, if I selected just one project, I directly end up on this project's homepage)
          4. I click on a project and end up on its home page where I see a tutorial that helps me know what to do
            • This tutorial is equivalent to the one we currently have when I click on "Analyze new project", except that I don't need to select an org and to provide a project key since SonarCloud already knows this
            • Since SC knows the provider I come from, the tutorial can be adapted to be more relevant to my context
        • Creation of project not linked to a personal repo
          1. SonarCloud will ask me to provide an organization (or not if the UX made me choose this before) and to provide a project key (or not if we decide to automatically generate one for the user - TBD)
          2. Once I have provided the required information, I'm redirected to the project home page of the newly created project
          3. On this home page, I see the tutorial that helps me know what to do

      As an existing GH/BB user:

      1. When I click on the top "New project" link (available from the + top right icon), I end up on the same page as when I sign up and click on "Analyse a public project"
        • On that page, if I have already analyzed one of my personal public repositories, I will see that it's already checked in the list of repositories
      2. From that point, I follow the same process as described earlier

      As a non GH/BB user, I don't get to see the selection of personal repositories (as a reminder: this does not exist on VSTS).


      • Trigger installation of GitHub or BBC app in the user's personal organization (= same name as the user)
        • BBC: use the installation lifecycle/callback to trigger the install and then return to SC
        • GitHub: TBD
      • Use the app credentials to do WS calls to the ALM (list personal repositories)
      • For each selected repository, provision a SonarCloud project in the user SC organization
        • Project key: Generate a unique key that is human friendly. For example <alm organization>_<repository>[_<sequence>]
        • Project name: repository display name
        • Project description: repository description
        • Project links: at least "Sources"
        • Main branch: default branch
        • Store anything needed to display the URL to the repo (cache or recompute?)
        • Store the link between this SC project and the remote ALM/repository. Favor using stable identifier if possible.
      • Scanner:
        • always suggest passing sonar.projectKey to the scanner -> update the tutorial for Maven and Gradle
        • fix the Maven scanner to support propagating projectKey to submodules (breaking change)
      • PR decoration: use the stored link to decorate PR instead of relying on scanner properties
        • automatically get source and target branch for PRs
      • CE
        • For linked projects, one of the first things done by CE will be to contact the repository to update metadata (project name / description / main branch ...). In case of error (authentication error, app not installed, ...) the CE task will fail so that admins are notified.
        • Don't consider project name/description/links coming from scanner for "linked" projects. Instead refresh everything from WS.
        • Update main branch if changed
          • If the new default branch already exists in SC as long living branch, switch the main branch in SC to it
          • If the new default branch doesn't exist in SC, rename the SC main branch to the new name
          • If the new default branch already exists in SC as a short living branch, drop the short living branch and do a long analysis (TBD, because this choice should be made early on scanner side. Another option is to fail)
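      The "Project key" item above only sketches the `<alm organization>_<repository>[_<sequence>]` scheme. The following is an added illustration, not SonarCloud code: it sanitizes the two segments to the characters a SonarCloud project key accepts (letters, digits, '-', '_', '.', ':', with at least one non-digit, which is the key rule assumed here), then appends the smallest sequence number that avoids a collision with keys already taken across all organizations. The sequence starting at 1 and the `_` separator are assumptions.

```python
import re

# Characters a project key may NOT contain, under the assumed key rule:
# letters, digits, '-', '_', '.' and ':' are allowed, nothing else.
_FORBIDDEN = re.compile(r"[^A-Za-z0-9_.:-]")


def sanitize_segment(segment: str) -> str:
    """Map a repository or ALM organization name onto the allowed alphabet.

    Every forbidden character becomes '_', runs of '_' are collapsed and
    leading/trailing '_' are dropped so the key stays human friendly.
    """
    cleaned = _FORBIDDEN.sub("_", segment)
    cleaned = re.sub(r"_+", "_", cleaned)
    return cleaned.strip("_")


def is_valid_project_key(key: str) -> bool:
    """Non-empty, only allowed characters, and at least one non-digit."""
    return bool(key) and _FORBIDDEN.search(key) is None and not key.isdigit()


def generate_project_key(alm_org: str, repository: str, existing_keys) -> str:
    """Build <alm org>_<repository>[_<sequence>] and make it unique.

    existing_keys must be the set of keys taken in *all* SonarCloud
    organizations, because project keys are unique across organizations,
    not per organization (the pitfall the "Why" section describes).
    """
    org = sanitize_segment(alm_org)
    repo = sanitize_segment(repository)
    if not org or not repo:
        raise ValueError(f"cannot derive a key from {alm_org!r}/{repository!r}")
    base = f"{org}_{repo}"
    if not is_valid_project_key(base):
        raise ValueError(f"derived key {base!r} is not a valid project key")

    taken = set(existing_keys)
    if base not in taken:
        return base
    seq = 1  # assumption: first collision gets _1, then _2, ...
    while f"{base}_{seq}" in taken:
        seq += 1
    return f"{base}_{seq}"


if __name__ == "__main__":
    # Constructed sample: two personal repos, one of which already has a project.
    taken = {"octocat_hello-world"}
    print(generate_project_key("octocat", "hello-world", taken))   # octocat_hello-world_1
    print(generate_project_key("octocat", "my repo (fork)", taken))  # octocat_my_repo_fork
```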

      What if the repository is transferred from user account to another user, or to an organization?
      What if there is any problem with the "link"?

      • How to properly notify admins/users?
      • Should we remove the link?
      • Should we fail the next analysis?
      • Should we send notifications?

      Proposal: in case of problem with the "link", we'll continue to process the analysis "at best". This is a first cheap step, that will be improved later.


      • Should we offer to the user a feature to "unlink" and "link" an existing SC project? => Let's do this in another MMF
      • Should we cache WS calls to the ALM (like the repo list per user) to avoid hitting quotas and depending on WS speed? => the solution would be to store the list of remote repos (like Travis does), but that's a lot of work


              Fabrice Bellingard