SonarQube Tutorial

SonarQube Documentation

SonarQube® (previously called Sonar) is an open source quality management platform dedicated to continuously analyzing and measuring technical quality, from the project portfolio down to the method level.

SonarQube Vs SonarLint Vs SonarScanner

  1. SonarQube is a central server that processes full analyses (triggered by the various SonarQube Scanners). Its purpose is to give a 360° vision of the quality of your code base. For this, it analyzes all the source lines of your project on a regular basis.

  2. SonarLint lives only in the IDE (IntelliJ, Eclipse and Visual Studio). Its purpose is to give instantaneous feedback as you type your code. For this, it concentrates on the code you are adding or updating. Both SonarLint and SonarQube rely on the same static source code analyzers, most of them written using SonarSource technology.

  3. SonarScanners (recommended) are plugins that integrate with your build system; they scan the code and send the results to a standalone SonarQube server. Plugins are available for the Maven, Gradle and Ant build systems. This is the recommended way to integrate analysis with your project source code.

  4. SonarRunner is an old name for SonarScanner.

Installing SonarQube locally with docker

Run the following command to start a SonarQube server on your local machine:

Docker.command
$/>docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 sonarqube

A default installation of SonarQube listens on port 9000 with the following credentials:

Username: admin
Password: admin

Point your browser to http://localhost:9000 and enter the credentials to log in. You will be prompted to create a token.

Generate token:

Name of the token: MyOrgName

Generated token: 6f715af92650b0843948f8c26f1f335611dad996

Note
This token won't work for your server; it is shown for demonstration purposes only. You need to generate one from your own server instance.
Tip
The token identifies you when an analysis is performed. If it has been compromised, you can revoke it at any time in your user account. When sonar.forceAuthentication is set to 'true', this token must be included in the sonar configuration.

Integrating SonarQube Scanner with Gradle Project

The SonarQube Scanner for Gradle provides an easy way to start SonarQube analysis of a Gradle project.

The ability to execute the SonarQube analysis via a regular Gradle task makes it available anywhere Gradle is available (developer build, CI server, etc.), without the need to manually download, setup, and maintain a SonarQube Scanner installation.

SonarQube plugin for Groovy

This plugin enables analysis of Groovy within SonarQube.

It depends on the following sub-projects:

  1. CodeNarc to raise issues against coding rules

  2. GMetrics for cyclomatic complexity

  3. Cobertura or Jacoco for code coverage.

Compatibility

The SonarQube Scanner for Gradle version 2.x is compatible with Gradle versions 1.12+ and SonarQube versions 5.6+.

Configuration

Installation is automatic, but certain global properties should still be configured. A good place to configure global properties is ~/.gradle/gradle.properties. Be aware that we are using system properties, so all property names must be prefixed with systemProp.

gradle.properties
systemProp.sonar.host.url=http://localhost:9000

#----- Security (when 'sonar.forceAuthentication' is set to 'true')
systemProp.sonar.login=<token>
systemProp.sonar.dynamicAnalysis=reuseReports
systemProp.sonar.java.coveragePlugin=jacoco
systemProp.sonar.jacoco.reportPaths=build/jacoco/unitTest.exec,build/jacoco/layerTest.exec

Alternatively, create sonar-project.properties in the project root directory and add the same properties without the systemProp prefix.

sonar-project.properties
sonar.host.url=http://localhost:9000
sonar.login=<token>
sonar.dynamicAnalysis=reuseReports
sonar.java.coveragePlugin=jacoco
# This is what shows the test coverage report on the sonar UI
sonar.jacoco.reportPaths=build/jacoco/unitTest.exec,build/jacoco/layerTest.exec
Note
JaCoCo writes the code coverage report in .exec format under build/jacoco. SonarQube reads it and displays the coverage on the web console.

Activate the scanner in your build.gradle

Add the following snippet to your build.gradle file:

build.gradle
plugins {
    id 'jacoco'
    id "org.sonarqube" version "2.6.2"
}
Note
Only buildscript {} and other plugins {} script blocks are allowed before this code.

Jacoco Test Coverage with sonar

Add the following code snippet to generate the JaCoCo report:

build.gradle
// NOTE: JaCoCo always writes its raw code coverage data with a `.exec` extension,
// which is a binary format and not human-readable; the reports below render it.

jacocoTestReport {
    // make sure unitTest and layerTest have run before this jacocoTestReport
    //dependsOn unitTest
    reports {
        xml.enabled true
        csv.enabled false
        html.destination file("${buildDir}/jacocoHtml") //revisit this
    }
}

Run analysis

Execute the following command and wait until the build has completed, then open the web page indicated at the bottom of the console output. You should now be able to browse the analysis results.

sonar.task
$/>./gradlew sonarqube

Using Sonar in Production ready environment

By default, SonarQube uses an embedded in-memory H2 database. To run the Docker image against an external database instead, use the following command:

bash.sh
$ docker run -d --name sonarqube \
    -p 9000:9000 -p 9092:9092 \
    -e SONARQUBE_JDBC_USERNAME=sonar \
    -e SONARQUBE_JDBC_PASSWORD=sonar \
    -e SONARQUBE_JDBC_URL=jdbc:postgresql://localhost/sonar \
    sonarqube

Alternatively, we can deploy it in a Kubernetes cluster, taking the database credentials from a secret rather than from plain environment values:

Sonar-Deployment.yml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: sonar
spec:
  replicas: 1
  template:
    metadata:
      name: sonar
      labels:
        app: sonar
    spec:
      containers:
        - image: sonarqube:6.0
          args:
            - -Dsonar.web.context=/
          name: sonar
          env:
            - name: SONARQUBE_JDBC_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-info
                  key: password
            - name: SONARQUBE_JDBC_URL
              valueFrom:
                secretKeyRef:
                  name: db-info
                  key: url
          ports:
            - containerPort: 9000
              name: sonar

Unrecognized files

By default, only files that are recognized by a language plugin are loaded into the project during analysis. For example, if your SonarQube instance has the Java and JavaScript plugins installed, all .java and .js files will be loaded, but .xml files will be ignored. However, it is possible to import all text files in the analysis encoding into a project by setting Settings > Exclusions > Files > Import unknown files to true.

During Analysis

During analysis, data is requested from the server, the files provided to the analysis are analyzed, and the resulting data is sent back to the server at the end in the form of a report, which is then analyzed asynchronously server-side.

Analyzing with SonarQube Scanner for Jenkins

Refer to the link for complete details on how to integrate with Jenkins.

Customize Server Settings (TODO)

Adding SonarQube rules in java (TODO)

Writing coding rules in Java is a six-step process:

  1. Create a SonarQube plugin.

  2. Put a dependency on the API of the language plugin for which you are writing coding rules.

  3. Create as many custom rules as required.

  4. Generate the SonarQube plugin (jar file).

  5. Place this jar file in the SONARQUBE_HOME/extensions/plugins directory.

  6. Restart the SonarQube server.

Adding Custom Rules

Exclude Specific source files from analysis

The SonarQube Scanner for Gradle adds a SonarQubeExtension extension to the project and its subprojects, which allows you to configure or override the analysis properties from build.gradle.

build.gradle
sonarqube {
    properties {
        property "sonar.exclusions", "**/*Generated.java"
    }
}
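Pulling the configuration sections together: the block below is an added example (not code from the original post) of a single sonarqube {} block in build.gradle that carries the host, coverage and exclusion properties from the gradle.properties and exclusion sections above, reads the token from an environment variable instead of a properties file that could be committed, and makes the analysis wait for the JaCoCo report. It assumes the java, jacoco and org.sonarqube plugins are applied, the default test task (whose JaCoCo output is build/jacoco/test.exec), and an environment variable named SONAR_TOKEN; all three are assumptions, not from the page.

```groovy
// Added example: one sonarqube {} block replacing the systemProp.* / sonar-project.properties
// entries. Assumes the 'java', 'jacoco' and 'org.sonarqube' plugins are applied.
sonarqube {
    properties {
        // Server address; SONAR_HOST_URL is an assumed variable name with the page's default.
        property "sonar.host.url", System.getenv("SONAR_HOST_URL") ?: "http://localhost:9000"

        // Read the user token from the environment (assumed name SONAR_TOKEN) so it never
        // lands in a committed sonar-project.properties. The properties closure is only
        // evaluated when the sonarqube task runs, so a plain `gradle build` is unaffected.
        def token = System.getenv("SONAR_TOKEN")
        if (!token) {
            throw new GradleException("SONAR_TOKEN is not set; generate a token in your SonarQube account and export it")
        }
        property "sonar.login", token

        // Coverage: point SonarQube at the .exec file JaCoCo writes for the default test task.
        property "sonar.java.coveragePlugin", "jacoco"
        property "sonar.jacoco.reportPaths", "build/jacoco/test.exec"

        // Keep generated sources and build output out of the analysis (comma-separated globs).
        property "sonar.exclusions", "**/*Generated.java,**/build/**"
    }
}

// Ensure tests and the JaCoCo report have run before analysis, so the .exec file exists
// and coverage shows up on the SonarQube web console.
tasks.sonarqube.dependsOn test, jacocoTestReport
```

Run it with `SONAR_TOKEN=<your token> ./gradlew sonarqube`; the token then lives only in the shell session or CI secret store, and revoking it in SonarQube is the whole remediation if it leaks.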
