Open-Source Internship opportunity by OpenGenus for programmers. Apply now.
Reading time: 30 minutes | Coding time: 10 minutes
In this article, we will learn to use SonarQube to analyze the code quality of existing projects and understand the different terms involved like code smell, code coverage and many others.
SonarQube: SonarQube is an open source tool licensed under GNU Lesser General Public License.
SonarQube is used to continuously analyze the code quality. Continuous means that SonarQube workflow can be automated given that it is connected with:
- A build tool like Maven, ant, gradle etc.
- A Continuous Integration tool like Jenkins, Atlassian Bamboo, Travis CI etc.
SonarQube provides code report support for more than 20 languages including C, C++, Java, Kotlin, C# etc.
SonarQube offers report on the following parameters:
1. Duplicate Code: Duplication in code refers to the existence of the same sequence of code lines in multiple part of the code base owned by same entity.
Duplication in code increases the number of lines of code which makes it difficult to debug due to large line of code and also due to the fact that changes would have to be done in every duplications.
2. Unit Testing: Various programming languages have a Unit Testing tool (for example: JUnit for Java) which can be integrated with SonarQube to present the result of Unit Test in form of reports.
Unit Testing is used to test the functionality of individual and independent code modules.
3. Code coverage: Code coverage is a numeric value in terms of percentage that defines the amount of code that was tested and executed during the testing based on a given test suite.
It is desired that the code coverage must be maximized to reduce the chances of unidentified bugs in the code.
4. Code Smell: Code smells defines the code structures that do not follow the fundamental design principles of coding (comments, semantics, functions etc.) in a given language which may cause debugging issues later.
Code smells are neither bugs not errors, they don't find what is affecting the normal functionality of the code. They just find out design issues in code which needs refactoring or else they may slow down the system on further development.
5. Bugs: Bugs are errors or faults in the code or its execution which makes the process work in unexpected or unintended manner.
Example: Diving a number by 0 makes the process go into an infinite loop which may lead to segmentation fault or other unexpected event may happen.
6. Vulnerabilities: Vulnerability is a computer security term. SonarQube finds the possible security weakness in the code by implementing basic penetration testing techniques.
Concept Of Quality Gates:
Quality Gates are conditions set on various parameters like bug count, code coverage etc. to be checked on build of a project.
If all conditions are passed, then Quality Gate gives a passed message, else it gives a failed message.
Pre-Requisites
Following software must be installed on the local machine:
- Java JDK 1.8 or above
- Apache Maven 3.3.9 or above
- SonarQube 7.7 or above
Also, a java project using Apache Maven is needed for which we use the two projects we have already covered:
Full Stack Calculator Project on Git
Apache Maven Using Command line on Git
Starting the SonarQube server
- Extract the Zip file of the SonarQube downloaded in a convinient path.
- Go the the SonarQube root folder using command line.
- Enter the /bin/windows-x86-64 folder (Or enter /bin/{OS you are working on})
> cd /bin/windows-x86-64
- Execute the StartSonar.bat file
> StartSonar.bat
- To visit the SonarQube interface, open up a web browser and go to localhost:9000
Wait for some time until SonarQube loads up completely and gives the following home screen:
- Click on Log In and use default credentials for authentication.
Default Credentials:
Username: admin
Password: admin
We finally get the home screen for admin user.
Using SonarQube for Code Analysis of a Java project using Maven
To learn how to create Java projects using Maven, follow this link
Syntax: Use Maven Command line to publish reports to SonarQube
mvn clean install sonar:sonar -Dsonar.host.url=http://localhost:9000 -Dsonar.analysis.mode=publish
Case 1: Code Analysis of Simple Hello World Java project
This is a very simple project with a single source java file printing the Hello World string and thus there is no chances of code smells, vulnerabilities etc.
Download this project from here
Open the command line with path to the root of this folder and type the following command:
mvn clean install sonar:sonar -Dsonar.host.url=http://localhost:9000 -Dsonar.analysis.mode=publish
After getting a Build Success message, go to localhost:9000 on the Web Browser to see the report about the project.
It shows a passed status in green on the right side of the project name mvn-cmd.
This passed status is the Quality Gate check result based on the parameters like:
- Bugs
- Code Coverage
- Vulnerability etc.
Click on the Project Name mvn-cmd to see the detailed report.
This was a very small project with only few lines and thus had no bugs, code smells etc.
Let's create a code analysis report on another project.
Case 2: Code Analysis of Calculator Project in Java using Maven
Download this project from this link
In this project, a four function calculator is made using switch case that takes user input in an infinite loop with exit condition.
On the command line, open the root folder of the project containing pom.xml file and type:
mvn clean install sonar:sonar -Dsonar.host.url=http://localhost:9000 -Dsonar.analysis.mode=publish
On getting a Build Success message, open the SonarQube server and refresh it.
Click on the project name to see the detailed report:
Note: We see that even though the industry prefers code smell must be less than 10 or 15 but here the code smells are 38, still the project has a passed Quality Gate status. This is because the default Quality Gate is used which does not checks the code smell and only checks for code coverage and duplication.
Let's create our own Quality Gate.
Creating a user defined Quality Gate for Projects
Click on Quality Gates button on the top bar of the home page.
We see the following page showing the default Quality Gate:
It can be easily seen that the default Quality Gate checks only the code coverage and the duplications of code rather than the code smells.
Click on Create to create a new Quality Gate for our calculator_devops project.
We name the Quality Gate with same name as our project to avoid confusion but it can have any name.
In the Quality Gate, do the following tasks:
- Set the condition as Code Smell with more than 15 percent fails the project status
- Assign the calculator_devops project with this Quality Gate
- Set this Quality Gate as default so that the default Quality Gate is not used for our project.
Now, re-generate the project report using Maven by using the command:
mvn clean install sonar:sonar -Dsonar.host.url=http://localhost:9000 -Dsonar.analysis.mode=publish
We see the following results
We see the Failed message due to code smell being 38 which is greater than 15.
References/Further Reading
Apache Maven 3.6 Download Link
