SonarQube + Maven

SonarQube (previously known as Sonar) is an automatic code review tool to detect bugs, vulnerabilities, and code smells in your code. It can integrate with your existing workflow to enable continuous code inspection across your project branches and pull requests.


SonarQube is an open-source platform for continuous inspection of code quality. It is a web-based code quality analysis tool, commonly used with Maven-based Java projects. It covers a wide range of code quality checkpoints, including architecture and design, complexity, duplications, coding rules, potential bugs and unit tests.

It offers reports on:

  • Duplicated code
  • Coding standards
  • Unit tests
  • Code coverage
  • Code complexity
  • Potential bugs
  • Comments
  • Design & architecture

It integrates with CI servers, Maven, Ant and Gradle, and supports languages such as Java (including Android), C/C++, Objective-C, C#, PHP, Flex, Groovy, JavaScript, Python, PL/SQL, COBOL and Swift. It also:

  • Integrates with Eclipse, Visual Studio and IntelliJ IDEA through the SonarLint plugins
  • Integrates with external tools such as JIRA, Mantis, LDAP and Fortify
  • Is extensible through plugins


Now let’s move on to the Maven SonarQube integration.
The very first thing we need to do is get the SonarQube server running so that we can open its dashboard in the browser. Let’s see how to do this.

Step 1. Download the latest stable release of SonarQube and unzip it into a directory of your choice.
https://www.sonarqube.org/downloads/
Step 2. Start the SonarQube server.

On Windows:
YOUR_DIR_PATH\sonarqube\bin\windows-x86-xx\StartSonar.bat
On other operating systems such as Linux/Ubuntu:
YOUR_DIR_PATH/sonarqube/bin/[OS]/sonar.sh console

That is how the SonarQube server is started.

Step 3. Once the SonarQube server is up and running, you can open the SonarQube dashboard at http://localhost:9000 (the default system administrator credentials are admin/admin; change them after the first login).
By default, SonarQube listens on port 9000.

Now that the SonarQube server is up and running, we are ready to integrate our Maven project with it and perform continuous inspection of its code quality.

This is what the SonarQube dashboard looks like before any project has been analysed.


Let’s integrate our Maven project with SonarQube.

Before we can integrate our Maven project with SonarQube, we need to configure the SonarQube Scanner for Maven in our pom.xml.

The SonarQube Scanner is recommended because it is the default launcher for analysing a project with SonarQube.

Let’s see how to integrate the Sonar scanner with a Maven project in pom.xml.
sonar-maven-plugin is a Maven plugin rather than a library dependency, so it is declared under <build><plugins> (not under <dependencies>); declaring it here is also what lets Maven resolve the sonar:sonar goal prefix later:

<!-- https://mvnrepository.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin -->
<build>
  <plugins>
    <plugin>
      <groupId>org.sonarsource.scanner.maven</groupId>
      <artifactId>sonar-maven-plugin</artifactId>
      <version>3.9.0.2155</version>
    </plugin>
  </plugins>
</build>

Followed by the profile:

<profiles>
  <profile>
    <id>sonar</id>
    <activation>
      <activeByDefault>true</activeByDefault>
    </activation>
    <properties>
      <!-- Optional URL to server. Default value is http://localhost:9000 -->
      <sonar.host.url>http://localhost:9000</sonar.host.url>
    </properties>
  </profile>
</profiles>

You can also replace localhost with the host name or IP address of the machine where the SonarQube server is running.

With that, the Sonar scanner is integrated into the pom.xml file.

Our last task is to run the following commands to generate the reports of our project on the SonarQube dashboard at http://localhost:9000:

1. mvn clean          (removes the existing build output)
2. mvn install        (builds the project and runs its tests)
3. mvn sonar:sonar    (runs the analysis and uploads the results to the SonarQube server; you can view them under the Projects section of the dashboard)

Or, as a single invocation: mvn clean install sonar:sonar
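As an added example that is not part of the original post, the following POSIX shell script drives the same analysis step from a build job: it takes the server URL and an analysis token from the environment instead of relying on the default admin/admin login, then reads the Quality Gate result back from the SonarQube Web API and fails the build when the gate is not OK. It assumes that SONAR_HOST_URL and SONAR_TOKEN are set, that curl is installed, and that the project key is Maven’s default groupId:artifactId; the JSON sample is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed environment:
#   SONAR_HOST_URL  - server URL, defaults to http://localhost:9000
#   SONAR_TOKEN     - an analysis token generated in the SonarQube UI
# The token is used both for the analysis (sonar.login, as read by the
# 3.9.x Maven plugin) and as the user name for the Web API (empty password).

# Extract the overall status (OK, ERROR or NONE) from the JSON returned by
# GET /api/qualitygates/project_status?projectKey=<key>.
# Dependency-free parsing; use jq instead if it is available.
gate_status() {
    printf '%s\n' "$1" \
        | sed -n 's/.*"projectStatus":{"status":"\([A-Z]*\)".*/\1/p'
}

# List the metric keys of the gate conditions that failed, one per line.
failed_conditions() {
    printf '%s\n' "$1" | tr '{' '\n' \
        | grep '"status":"ERROR","metricKey":"' \
        | sed 's/.*"metricKey":"\([^"]*\)".*/\1/'
}

# Constructed sample of a failing gate response (not a real server reply):
# one new vulnerability tripped the "new_vulnerabilities > 0" condition.
SAMPLE_GATE_JSON='{"projectStatus":{"status":"ERROR","conditions":[{"status":"ERROR","metricKey":"new_vulnerabilities","comparator":"GT","errorThreshold":"0","actualValue":"2"},{"status":"OK","metricKey":"new_bugs","comparator":"GT","errorThreshold":"0","actualValue":"0"}]}}'

# Run the Maven analysis for the given project key, then check the gate.
# Returns non-zero when the build, the API call or the Quality Gate fails.
run_analysis() {
    key="$1"
    host="${SONAR_HOST_URL:-http://localhost:9000}"
    mvn clean install sonar:sonar \
        -Dsonar.host.url="$host" -Dsonar.login="$SONAR_TOKEN" || return 1
    json=$(curl -sf -u "$SONAR_TOKEN:" \
        "$host/api/qualitygates/project_status?projectKey=$key") || return 1
    status=$(gate_status "$json")
    echo "Quality Gate: $status"
    [ "$status" = "OK" ] && return 0
    failed_conditions "$json" | sed 's/^/  failed condition: /'
    return 1
}
```

Call run_analysis com.example:my-app (your own groupId:artifactId) from a CI job; a non-zero exit stops the pipeline on a failed gate rather than leaving the result to be noticed on the dashboard.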

This is what the dashboard looks like after the project has been analysed.

For each project the dashboard reports Bugs, Vulnerabilities, Code Smells, Coverage and Duplications. Each category shows either the number of issues found or a percentage value.

Moreover, issues can have one of five different severity levels: blocker, critical, major, minor and info. Just in front of the project name is an icon that displays the Quality Gate status – passed (green) or failed (red).

Clicking on the project name will take us to a dedicated dashboard where we can explore issues particular to the project in greater detail.

We can see the project code, activity and perform administration tasks from the project dashboard – each available on a separate tab.
