This topic gives an introduction to the use of Atlassian Bamboo to run Semmle analysis via the Semmle Analysis for Bamboo plug-in.
You can use Atlassian Bamboo to run Semmle analysis as part of your Continuous Integration (CI) builds in one of two ways:
- Use the Script task, available in a default installation of Bamboo, to define calls to Semmle Core to perform the analysis required.
- Install the Semmle Analysis plug-in for Bamboo and use this to create snapshots, generate Semmle dashboards for deployment to a web server as Project Insight, set up integration with JIRA and publication of data to Enterprise Insight.
See the standard installation and configuration commands for Semmle Core for details of how to define the command-line calls required to perform Semmle analysis. This topic describes how you can use the Semmle Analysis plug-in for Atlassian Bamboo to simplify the process of defining Semmle analysis for continuous integration builds that are administered using Atlassian Bamboo. The key features of the plug-in are:
- The plug-in can be installed using the standard Bamboo add-on administration screens.
- The plug-in adds options to enable you to configure Semmle analysis for the code bases built by a Bamboo task (static languages) or checked out by a Bamboo task (dynamic languages).
- The additional options are presented as a seamless part of the Bamboo interface.
Semmle plug-in options
The plug-in provides options to simplify configuring and running three key steps in Semmle analysis:
- Semmle code-base extraction for a project build job—enabling Semmle Core to create a hierarchical representation of the code base—a snapshot.
- Semmle analysis and dashboard creation—creating a plan to run Semmle analysis on one or more snapshots and create a Semmle dashboard.
- Using and deploying Semmle artifacts—deploying generated artifacts, integrating with JIRA and interfacing with Enterprise Insight.
Installing the plug-in extends the user interface for Atlassian Bamboo as follows:
- Semmle Analysis section added to the Miscellaneous tab for all jobs. Check the Enable Semmle extraction option to allow Semmle to trace the build process of any code built by the job (static languages) and generate a hierarchical representation of the code base (all languages). When Semmle extraction is enabled, the job can be run on any build agent where Semmle Core is installed and the
semmle.odasa.homecapability is defined (see Installing the Semmle Analysis plug-in for Bamboo). The resulting snapshot is available to other jobs as a Bamboo artifact.
- Semmle Dashboard task. An optional task that can be added to a job to create a Semmle dashboard with the results of analyzing one or more snapshots. It optionally allows integration of Semmle analysis with JIRA, and publication of results to Enterprise Insight. Jobs with this task defined can be run on any build agent where Semmle Core is installed and the
semmle.odasa.homecapability is defined. However, it is best to add a requirement to the job so that it is always run on one build agent (using a custom capability, see Installing the Semmle Analysis plug-in for Bamboo). This enables the dashboard task to maintain a history of snapshots so that historic trends can be seen on the dashboard.
- Semmle Admin page added to the Bamboo Administration area. Administrators can use this page to define and manage custom templates. Custom templates are available to users when they configure Semmle extraction for a job or set up a Semmle Dashboard task.
- A working installation of Atlassian Bamboo version 5.7.0 or later.
- A valid license and the installation files for Semmle Core version 1.9.3 or later.
- Install the Semmle Analysis for Bamboo plug-in and set up build agents to enable Semmle analysis. See Installing the Semmle Analysis plug-in for Bamboo.
- Enable Semmle extraction for a project build job to generate a snapshot. See Configuring Semmle extraction for a Bamboo job for details and Tutorial: Basic Semmle extraction in Bamboo for a worked example.
- Create a new plan, define a task to download snapshots generated by the project build plan and define a Semmle Dashboard task to analyze the project. See Defining a Semmle dashboard task for details and Tutorial: Basic Dashboard Creation in Bamboo for a worked example.
See Bamboo plug-in options overview for a full summary of the options available via the Semmle Analysis for Bamboo plug-in.
Build task types supported
The Semmle extraction task, available on the Miscellaneous tab for all jobs when the Semmle plug-in is installed, is supported for use with the following types of Bamboo tasks for building code for projects written using static languages:
- Artifactory Maven
- Artifactory Ivy
- Artifactory Gradle
- Gradle Wrapper
Maven 1.x / 2.x / 3.x
If you use a non-standard or custom build task (one that is not available in the Bamboo default installation, or listed above) to build your code and find that the task does not work with the Semmle Analysis plug-in, consider replacing the task with one of the above tasks. The limitation refers only to the "build step", that is, the task where you invoke the build process for static languages. All types of Bamboo tasks are supported for code checkout, testing, coverage, etc.