Include Code Quality for Bitbucket
Include Code Quality for Bitbucket
Breadcrumbs

Changelog

Version 7.x

7.4.0:

⚠️ Announcements

  • Bitbucket 10.0 and Java 21 Support

    • Bitbucket 10.0 includes a major overhaul on how it integrates with the apps, also known as Atlassian Data Center Platform 8. This required many adaptions to make Include Code Quality for Bitbucket to continue to work on Bitbucket 10.0. Features

  • 💥 Removed option to view duplicated code indicators

    • Due to some limitations in Platform 8, this feature was removed from the source code view. This makes the experience consistent between source and pull request code views.

Bug Fixes

  • Fix normalisation of user-configured SonarQube™ server URL, preventing broken links.

7.3.3:

Bug Fixes

7.3.2:

Bug Fixes

  • Fix regression that in of SonarQube™ statistics in the repository source view

    • too much white space above stats on Bitbucket 8.19

    • duplicated UI after selection of a project without analysis

7.3.1:

Bug Fixes

  • Fix regression that could prevent viewing of SonarQube™ statistics in the repository source view when the module directory is empty for a SonarQube™ project configuration.

7.3.0:

⚠️ Announcements / Major changes

  • 💥 Drop support for older EoL Bitbucket versions

    • Raised oldest supported Bitbucket version to Bitbucket 8.9.0

New Features

  • Option to choose a project for the statistics shown in the repository source view.

Improvements

  • Open Links to SonarQube™ in new window, when in a pull request overview

  • Highlight SonarQube™ quality gate state in pull request overview

  • Render validation errors in the client, avoiding potential html injection.

Maintenance

  • ⚙️Updated UI Internals

    • Updates of internal implementation of several UI components.

    • Other than slight changes to the way things look, please let us know if critical functionality is changed unexpectedly or is missing.

Bug Fixes

  • Fix not applied statistics visualization settings in REST API

  • Fix broken issue state annotation actions (Won’t Do, False Positive) in the source view

  • Updated broken links to SonarQube™ documentation

  • Prevent duplicate creation of SonarQube™ Server configurations when an error is reported‍‍‍.

7.2.1:

Bug Fixes

  • Fix a XSS vulnerability in the app’s repositories settings

  • Preventing duplicate project mappings

  • Avoid provisioning useless properties

7.2.0:

Improvements

  • Support for WebSudo

    • Bitbucket 9.0 introduced WebSudo to enhance security around all Admin matters in your Bitbucket instance.

    • Admin settings for Include Code Quality for Bitbucket will now follow the same security standards. You will need a WebSudo session to access the global admin settings page, and to change them.

Bug Fixes

  • Fix Ignore Groups for Quality Gate Merge Checks not working

  • Fix slow loading Repository settings page

    • Cause was potentially slow Webhook validation on page load, which got removed

7.1.0:

Improvements

  • Enhanced SonarQube™ Project Mapping: Increased Flexibility for Multiple Projects in one Repository

    • In version 6.0, we introduced support for mapping multiple SonarQube™ projects to a single repository, with the limitation that each project had to reside in its own sub-path.

    • With version 7.1, this restriction has been lifted, allowing you to associate multiple overlapping projects with a single repository.

    • This offers greater flexibility, adapting more seamlessly to your preferred workflow.

Bug Fixes

  • Fix duplicate file-level issue annotations in source view

  • Fix false-positive warning in Repository settings when using manual webhook configuration

  • Fix missing markers in Source view when “Showing issues” is disabled, for:

    • Coverage

    • Code duplication

7.0.2:

Bug Fixes

  • Fixes NullPointerException in repository settings when an Oracle database is used

  • Handle more than 1000 code insights annotations in a report to avoid exceptions

7.0.1:

Bug Fixes

  • Option "Restrict app to branch pattern" is not working when a branch replacement key is configured

  • "null" is displayed in project name in project mapping dialog under repository settings

7.0.0:

Announcements

  • Bitbucket 9 on Java 17 Support

Bug Fixes

  • Issue links "Details" and "File" in Bitbucket source browser lead to 404 errors

  • NullPointerException when webhook is invoked in project where project key prefix is null, which prevents some repositories from being annotated properly

  • Merge Check Message shows raw HTML tag for token configuration when no user token is configured

Version 6.x

6.1.0:

⚠️ Announcements / Major changes

  • This version only supports Bitbucket version 7 and higher

New Features

  • Support for SonarQube 10

6.0.8: Resolved issue on

Bug Fixes

  • Support SonarQube™ instances with SSO enabled

6.0.7:

Bug Fixes

  • Fix XSRF (Cross Site Request Forgery) vulnerability in settings forms

  • Fix bug where certain group names could not be saved for the Merge Check group override

6.0.6:

Improvements

  • Include the Content-Length header in POST requests to SonarQube™

6.0.5:

Bug Fixes

  • Fix a race condition when creating SonarQube™ configuration

6.0.4:

Bug Fixes

  • Fix links to SonarQube in statistics report

  • Fix detail link to SonarQube in hotspot issue annotation

  • Fix disappearing SonarQube token in server settings

  • Align quality gate status naming to SonarQube (PASSED/FAILED)

  • Fix icon rendering in Bitbucket 6 on pull request overview

  • Fix issue annotation error when author information is not available on a SonarQube issue

6.0.3:

Bug Fixes

  • Prevent invalid SonarQube Display URL input

  • Fix error that prevents user token creation in Bitbucket 8

  • Consider only SonarQube projects that were changed in a pull request for merge checks and statistics overview

6.0.2:

Maintenance

  • Bitbucket 8 compatibility

  • No Bitbucket 6 compatibility for this release, due to incompatible API between Bitbucket 6 and 8.

6.0.1:

Bug Fixes

  • Fixes bug where the Sonar repository configuration page does not work because of a null pointer exception

6.0.0:

⚠️ Announcements / Major changes
New Features

  • Connect multiple SonarQube™ projects to a repository

    • The long awaited feature to support multiple SonarQube projects in a single repository is finally here.

    • See the statistics from SonarQube of all your connected projects in your repository

    • SonarQube issue annotations in PR diff for changes from all connected projects

    • Prevent pull request merges when any of the SonarQube projects has a failed quality gate

    • Connect multiple SonarQube projects to a repository via module directories

Bug Fixes

  • Provisioning does not copy settings

  • Log Spam: WARN [SONAR-10] o.a.h.c.p.ResponseProcessCookies Invalid cookie header

  • Log Spam: Excessive ERROR logs if a user has no personal access token configured

  • Pull request statistics cannot be viewed with new code setting"Reference Branch"

  • SonarQube issue assignee field in pull request does not work

  • Changing issue severity and type in pull request fails in Bitbucket 7

Version 5.x

5.1.0:

New Features

  • Security hotspots in statistics and as pull request annotations

    • The app now shows the security hotspots to review in the pull request and repository statistics.

  • Shows top three languages used in repository and pull request statistics

    • Besides the LOC count, the app now also shows the top three programming languages used for a project within the repository and the pull request statistics.

Bug Fixes

  • Code insight annotations are missing if webhook arrival <60 seconds after last cache load if project already has open pull requests

    • Due to a caching issue, code insight annotations are not added if a new pull request analysis arrives via webhook within a 60 seconds time window since the last cache load (e.g. by opening the open pull request list).

    • The code insight report does not link to the pull request when pull request analysis was used

Security

  • Confirmed that Sonar for Bitbucket does not use log4j and is not affected by CVE-2021-44228 aka Log4Shell.

5.0.3:

Bug Fixes

  • Fix illegal branch character replacement handling for older SonarQube versions

5.0.2:

Bug Fixes

  • Fix link to dashboard on SonarCloud.io and newer SonarQube versions (>9.x)

5.0.1:

Bug Fixes

  • Fix error logs on ref change events in repositories where Sonar for Bitbucket is disabled

  • Fix missing quality gate status link on the pull request detail view for Bitbucket 6.x

5.0.0:

⚠️ Announcements / Major changes
Improvements

  • Simplified SonarQube server configuration by auto-detecting the SonarQube edition

    • The app is now able to configure the SonarQube edition-specific fields like commercial branching/pull request automatically based on the detected SonarQube edition.

  • Improved app’s repository settings and removed obsolete options

    • To make the configuration of the app simpler, we removed obsolete configuration options and re-grouped the existing ones to make the configuration easier to understand.

    • Also, when using project settings inheritance, we now hide the repository-level settings to not confuse the user about which settings are actually taken.

  • Prevent merging in case a SonarQube analysis task is ongoing

    • The app prevents merging a pull request if there is no existing analysis for a pull request. However, it did not prevent merging if the analysis is ongoing in the SonarQube task queue.

    • This situation results from follow-up commits to a PR. The app would then allow merging a PR even though the quality gates could change after the analysis of the follow-up commits.

    • With this release, the app will check if there is an ongoing analysis, and will prevent merging in that case.

  • Improved debug logging for a better support experience

    • The amount of debug logs was reduced in this release to facilitate support sessions. Debug log statements now also contain context information like the repository slug and pull request ID to be able to extract the log statements of interest only.

  • Improved display of Sonar annotations to require less space in the PR diff

    • The old Sonar annotations required a lot of vertical space. Now, annotations only show the most used actions, while less used actions are collapsed by default.

  • Removed compatibility mode for analysis

    • Compatibility mode was introduced to help users of not-supported build systems like .NET Core or when the build-specific analysis support failed due to some reasons (e.g., complex multi-module builds). With compatibility mode, we could make pull request annotation work in such scenarios, at the cost of performance.

    • With the removal of modules and the alignment of component keys with the directory structure in recent SonarQube versions, compatibility mode is obsolete.

  • Improved security and performance! by deprecating username/password authentication

    • The username/password authentication mode is deprecated and hidden for new SonarQube server configurations, thus promoting token-based authentication. Using username/password authentication can produce high CPU load, so that is beside security another reason to switch to token-based auth.

  • Removed entering password/user token in the edit server dialog for every change

    • In older app versions, for every change of the SonarQube server configuration, the user/password had to be entered again. Now, you can change settings without this extra step.

Bug Fixes

  • Only show "Refresh Sonar analysis" button in case the app is enabled for the current repository

  • Provide “Refresh Sonar Analysis” button in Bitbucket 6 as well

  • The project settings inheritance should also be available in forked repositories, as long as they are part of a regular project (and not a personal fork)

  • Sonar code insight report counts issue types as annotations which are not displayed in the pull request diff as they are not on changed lines

  • App does not allow to delete a SonarQube server configuration not being used by any repos

  • Prevent duplicated Sonar server configuration after failed webhook creation

  • Show 'DISABLED' as quality gate status for pull requests when app is disabled

  • Saving the repository settings does not show the chosen SonarQube project key with commercial SonarQube versions >= 8.9

  • Merge checks fail for repos without enabled app configuration

  • Coverage and duplicated lines statistics are not correctly rounded in pull request popup

  • Getting error with status 500 on fork repo source view after forking a repo

  • Webhook call gives error response when no Sonar project is configured for the reported repo

Version 4.x

4.3.2:

Bug Fixes

  • Bug fix for missing annotations if no SCM data in webhook response

4.3.0:

Improvements

  • Allows deletion of SonarQube server configurations

    • When you delete a SonarQube server configuration, you can now select how you want to deal with Bitbucket repositories still using this server configuration:

Bug Fixes

  • Compatibility mode does not work with SonarQube 8.0.0 or newer

    • The app used a deprecated and now removed REST API query parameter to lookup components in SonarQube for the compatibility mode. This resulted in an error, thus making compatibility mode fail in SonarQube 8.0.0 or newer. This has now been fixed.

4.2.4:

Improvements

  • Simplify Merge Check configuration

  • Option to hide access to all sonar projects in repository settings

Maintenance

  • Improved error message when multiple repositories use the same sonar project key

Bug Fixes

  • Fix presentation differences in ‘coverage’ and ‘duplication' measures compared to SonarQube

4.2.3:

Bug Fixes

  • Fix Bitbucket 7.13 support, missing backbone-brace module

4.2.2:

Maintenance

  • Added support for newly introduced Sonar Quality Gates.

Bug Fixes

  • Sonar Quality Gates are not shown in pull request on Bitbucket 6.10

  • A Sonar Server configuration couldn’t be deleted when a User still had a token present.

    • Existing user tokens get now automatically removed with Sonar server configuration.

4.2.1:

Bug Fixes

  • Global app settings requires Super Admin permissions, Admin permissions only lead to a permission error

  • Error occurs when enabling “User-level authentication” without any token configured

  • Return non-successful HTTP error codes from the app in case of webhook problems

  • When there is no SCM reference during Sonar analysis and webhook callback, the app cannot create annotations in Bitbucket

  • An endless "Fetching data from SonarQube..." spinner can be shown in the file source view of Bitbucket

  • Show timeout status label if timeouts occur on pull request and branch lists

  • SonarQube tags cannot be selected in the combo box of the Sonar annotated panel on first render

4.2.0:

Improvements

  • Allow creation of manual webhooks and do not enforce SonarQube admin permissions

    • App version 4.1 configured SonarQube webhooks for the app automatically, and this required SonarQube admin permissions, which were also enforced when configuring a SonarQube server connection.

    • This has now been changed and the app also allows the manual creation of webhooks, and thus SonarQube admin credentials within the app are not required anymore. For manual webhook creation, see our dedicated Wiki page Configure Webhook in SonarQube™.

  • Support SonarQube 7.7 as lower bound version

    • While app version 4.1 required SonarQube >= 7.8, we now also allow 7.7. When using SonarQube 7.7, please make sure to pass -Dsonar.analysis.scmRevision=COMMIT_ID to your SonarQube analysis.

  • Show warning in server settings if the minimum SonarQube version 7.7 is not given

    • The app now displays a warning when the configured SonarQube servers do not have versions >= 7.7 in the SonarQube server settings.

Bug Fixes

  • Error “Field 'NO_SONAR_PROJECT_BEHAVIOUR' does not accept null values” when using project settings inheritance when upgrading from older app versions

  • For main branch with branch in Sonar project key, app shows “component not found” error in source file view

4.1.1:

Bug Fixes

  • Internal server error for /rest/sonar4stash/1.0/sonar-server-configs when upgrading from 2.6.x to 3.x

  • Unable to see Sonar statistics on pull requests with commercial SonarQube editions for branches containing "/"

4.1.0:

Improvements

  • Global SonarQube branch name character replacement option

    • The app provides a repository option to translate unsupported characters in SonarQube branch names. For newer SonarQube versions like 7.9.x and >= 8.4, characters like “/” are not allowed anymore in branch names. As it is inconvenient to change this in all repository settings, the app now also offers a global option for this in the SonarQube server configuration.

  • Prevent using a regular SonarQube account without admin permissions when saving a SonarQube server configuration

    • In recent versions, the app uses SonarQube webhooks to get notified about new analysis results. To install the webhooks, the app needs SonarQube admin permissions. This is now enforced in the app’s SonarQube server configuration page to prevent issues with the proper installation of the webhook.

Bug Fixes

  • Sonar webhook warning on Bitbucket admin page can cause slow page loading

  • When SonarQube project analysis got started but is not finished yet, the app shows an empty quality gate status

  • The error message when users reference a SonarQube server configuration that should get deleted in their personal access tokens page is misleading

Maintenance

  • Removed unused SnakeYaml dependency

4.0.0:

⚠️ Announcements / Major changes

  • App version 4.0 removed some features and requires manual work if you used some of these features or if you provisioned the app’s settings with its REST API.

  • Please follow Migration guide to app version 4 when upgrading from app versions 2.x/3.x to the 4.x version line.

  • Removal of features and configuration setting

    • After much thought, we decided to remove the following features and app settings with this major version upgrade :

      • Custom merge checks => use SonarQube’s own quality gates for the merge checks instead

      • Branch-based analysis build type and use leak period everywhere

      • "Show only new issues" option

      • "Show behind warning" option

      • "Prevent failed or in-progress builds" option

      • "Show quality gate status in lists" option

      • Global settings "thread pool size, timeouts, showing quality gate status"

New Features

  • Support multi-line static code analysis output

    • Some static code analyzers like pydocstyle emit multi-line output for found code violations. To support that, we now consider multiple lines when applying the configured regular expressions to scan the analyzer output.

  • Bitbucket 7 compatibility

    • Some internal changes to allow compatibility with Bitbucket 7.

Improvements

  • Version range of supported SonarQube versions change to 7.8 - 8.x

    • By focusing on versions 7.8 upwards, we could simplify the app’s architecture. There is no need anymore to analyze the underlying build system (Maven, SonarScanner, etc.) because newer SonarQube versions use the file path representation for the component keys, and also because these newer versions deliver the commit SHA with the webhook which allows us to add annotations to Bitbucket with Code Insights more reliably. This will also reduce the analysis processing of the app and the number of requests that are sent to SonarQube which results in a better overall performance.

  • Add user tokens REST endpoint to Swagger REST documentation

    • Document the user tokens REST endpoint /rest/sonar4stash/1.0/user-tokens/USER_SLUG in our REST documentation.

Bug Fixes

  • /tags API call should use organization key, otherwise, it times out on SonarCloud

  • Get rid of CSS AUI padding override which results in a display issue with project / repository path separators

  • Do not log error to Bitbucket log in case a branch got deleted and repository configuration to delete cannot be found

  • Quality gates cannot be copied for SQ versions >= 8.4 due to its change to alphanumeric IDs





SONAR™, SONARQUBE™ and SONARCLOUD™ are independent and trademarked products and services of SonarSource SA: see http://sonarsource.com , http://sonarqube.org , http://sonarcloud.io .