Sonarqube (and its cloud-based version, Sonarcloud) is an extremely useful platform that performs static code analysis to evaluate the quality of an entire codebase. It helps to discover bugs, vulnerabilities and bad practices in general. It also allows us to compute code coverage by relying on some well-known plugins. Technically, Sonarqube is a server that stores the results of code analysis.
At Ensolvers, we use Sonarcloud in all our projects to ensure the best quality possible in our codebases. In this article we describe how to start using it in an existing Java project.
The first step is to add some required plugins to the Maven pom.xml file, in the <plugins> section:
Here we add the "scanner" component of Sonarqube, which is basically a Maven plugin that allows running the static code analysis via a Maven goal. After this, we can run an analysis by invoking the Maven sonar:sonar goal with the following parameters:
The variables described in this invocation must be configured previously in Sonarqube. They describe where (host) the Sonarqube server can be found, the name of the organization and project (to identify it uniquely and upload the results under it) and an auth token. Depending on whether we decide to use an on-premises or SaaS (Sonarcloud) installation the way of obtaining them might vary.
Independently of that, in our case we also wrote a full-fledged script that runs the code analysis periodically and notifies the entire team of the current "quality gate" (the overall quality measure configured in Sonarqube) of the project. This way, if a critical bug or vulnerability appears, the quality gate fails and the entire team is aware of it.
Sonarqube also allows publishing test coverage metrics by making use of JaCoCo, an open-source code coverage library for Java.
First of all, we need to ensure that we have the proper plugins on our POM:
The Surefire plugin is needed to run the tests just before the Sonarqube Maven plugin is executed, so that the test results are included in the report. For more information about the Surefire plugin, you can visit the Maven Surefire Plugin page.
The second step for integrating code coverage into our setup is to add JaCoCo as a plugin in the POM:
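The three plugins mentioned so far (the Sonar scanner, Surefire and JaCoCo), shown together as an added example of a `<build>` section; this is not the article's own pom.xml. The version values are placeholders to be replaced with the releases you use, and the property names `sonar-maven-plugin.version`, `surefire.version` and `jacoco.version` are assumptions. The `sonar.coverage.jacoco.xmlReportPaths` property tells the scanner where JaCoCo's XML report lives, which is the path the `report` goal writes by default.

```xml
<!-- Added example: plugin section for Sonarqube + Surefire + JaCoCo -->
<properties>
  <!-- Placeholders: set these to the versions you actually use -->
  <sonar-maven-plugin.version>PLACEHOLDER_SONAR_SCANNER_VERSION</sonar-maven-plugin.version>
  <surefire.version>PLACEHOLDER_SUREFIRE_VERSION</surefire.version>
  <jacoco.version>PLACEHOLDER_JACOCO_VERSION</jacoco.version>
  <!-- Where the scanner picks up the JaCoCo XML report (default output of the report goal) -->
  <sonar.coverage.jacoco.xmlReportPaths>${project.build.directory}/site/jacoco/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
</properties>

<build>
  <plugins>
    <!-- Sonar scanner: provides the sonar:sonar goal that uploads the analysis -->
    <plugin>
      <groupId>org.sonarsource.scanner.maven</groupId>
      <artifactId>sonar-maven-plugin</artifactId>
      <version>${sonar-maven-plugin.version}</version>
    </plugin>

    <!-- Surefire: runs the unit tests during the test phase -->
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-surefire-plugin</artifactId>
      <version>${surefire.version}</version>
    </plugin>

    <!-- JaCoCo: attaches the coverage agent to the test JVM, then writes the report -->
    <plugin>
      <groupId>org.jacoco</groupId>
      <artifactId>jacoco-maven-plugin</artifactId>
      <version>${jacoco.version}</version>
      <executions>
        <!-- Sets the argLine so Surefire starts the tests with the JaCoCo agent -->
        <execution>
          <id>prepare-agent</id>
          <goals>
            <goal>prepare-agent</goal>
          </goals>
        </execution>
        <!-- Turns the collected jacoco.exec into HTML/XML reports after the tests ran -->
        <execution>
          <id>report</id>
          <phase>verify</phase>
          <goals>
            <goal>report</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Binding `report` to the `verify` phase means a single `mvn clean verify` runs the tests under the agent and produces the XML report, so the scanner run that follows finds coverage data without any extra goal on the command line.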
Some notes on this:
Now we can run the code coverage analysis by running the next two commands:
With the first command we generate the data that Sonarqube needs to run the analysis. The second command just runs the code analysis, as we have already seen.
Note: before running the commands, make sure you have set the JACOCO_VERSION variable to the version of JaCoCo you installed, and of course the other variables too.
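The two-step coverage run and the periodic "quality gate" notification described earlier, combined in one script. This is an added example and not Ensolvers' own script. It assumes the pom binds JaCoCo's `prepare-agent` and `report` goals and reads the version from a `jacoco.version` property, and it assumes the environment variable names `SONAR_HOST`, `SONAR_ORG`, `SONAR_PROJECT_KEY`, `SONAR_TOKEN` and `JACOCO_VERSION`. The quality gate is read from the server's `api/qualitygates/project_status` endpoint; the parser is deliberately tolerant of whitespace so it works on both Sonarqube and Sonarcloud answers.

```bash
#!/usr/bin/env bash
# Added example (not the article's script): run tests + coverage, upload the
# analysis, then report the project's quality gate to the team.
# Assumed variables: SONAR_HOST SONAR_ORG SONAR_PROJECT_KEY SONAR_TOKEN JACOCO_VERSION
set -eu

# Fail early, naming every unset variable, instead of letting Maven print a
# confusing error half-way through the run.
require_vars() {
  missing=0
  for v in "$@"; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $v" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Extract projectStatus.status ("OK", "ERROR" or "NONE") from the JSON answer of
# api/qualitygates/project_status without depending on jq.
quality_gate_status() {
  printf '%s' "$1" |
    sed -n 's/.*"projectStatus"[^{]*{[^{}]*"status"[[:space:]]*:[[:space:]]*"\([A-Z]*\)".*/\1/p'
}

# Placeholder notification: swap the echo for Slack, e-mail or whatever the team
# uses. Returns non-zero when the gate is not OK so a scheduler can flag the run.
notify_team() {
  echo "Quality gate for $SONAR_PROJECT_KEY: $1"
  [ "$1" = "OK" ]
}

run_analysis() {
  require_vars SONAR_HOST SONAR_ORG SONAR_PROJECT_KEY SONAR_TOKEN JACOCO_VERSION

  # Step 1: Surefire runs the tests under the JaCoCo agent and the report goal
  # writes target/site/jacoco/jacoco.xml (version supplied as a user property).
  mvn clean verify -Djacoco.version="$JACOCO_VERSION"

  # Step 2: upload the analysis. The token is passed as a property so it never
  # has to be written into pom.xml; sonar.qualitygate.wait makes the scanner
  # block until the server has processed this report, so the status queried
  # below belongs to this run and not to the previous one. The build result is
  # ignored here because the gate outcome is reported by notify_team instead.
  mvn sonar:sonar \
    -Dsonar.host.url="$SONAR_HOST" \
    -Dsonar.organization="$SONAR_ORG" \
    -Dsonar.projectKey="$SONAR_PROJECT_KEY" \
    -Dsonar.login="$SONAR_TOKEN" \
    -Dsonar.qualitygate.wait=true || true

  # Step 3: ask the server for the gate and tell the team. The token is sent as
  # the basic-auth user name with an empty password, as the Web API expects.
  body="$(curl -sS -u "$SONAR_TOKEN:" \
    "$SONAR_HOST/api/qualitygates/project_status?projectKey=$SONAR_PROJECT_KEY")"
  notify_team "$(quality_gate_status "$body")"
}

# Only perform the real run when explicitly requested, so the functions can be
# sourced and exercised without Maven or a server being available.
if [ "${RUN_SONAR:-0}" = "1" ]; then
  run_analysis
fi
```

Run it with `RUN_SONAR=1 ./sonar-run.sh` from a cron job or CI schedule; a non-zero exit means the gate is not OK, which is the signal the team wants to see. On recent Sonarqube releases the `sonar.login` property is superseded by `sonar.token`; both carry the same token value.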
If you want to experiment with Sonarqube and your repository is a private one (which is a limitation of the free version of Sonarcloud), you can run a Sonarqube server locally on your own. No changes need to be done on the client side: all scripts, plugins, etc. remain the same, and the dependencies in pom.xml are the same ones we use for Sonarcloud.
With Docker, running a local Sonarqube server is as simple as running:
Then we just need to:
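Starting the local server and waiting until it is ready to accept an analysis, as an added example that is not part of the original article. It assumes the official `sonarqube:community` image, the container name `sonarqube` and the default port 9000; the readiness check reads the `status` field of `api/system/status`, which reports `STARTING` while the server boots and `UP` once it can receive reports.

```bash
#!/usr/bin/env bash
# Added example (not from the article): local Sonarqube in Docker plus a
# readiness wait. Assumed: image sonarqube:community, container name sonarqube.
set -eu

SONAR_HOST="${SONAR_HOST:-http://localhost:9000}"

start_sonarqube() {
  # Detached container, web UI and API published on the default port.
  docker run -d --name sonarqube -p 9000:9000 sonarqube:community
}

# Pull the "status" value out of an answer such as
# {"id":"...","version":"...","status":"UP"}; prints nothing if absent.
system_status() {
  printf '%s' "$1" |
    sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# Poll up to ~5 minutes; the first boot indexes with Elasticsearch and can take a
# couple of minutes, during which the endpoint answers STARTING or not at all.
wait_until_up() {
  i=0
  while [ "$i" -lt 60 ]; do
    body="$(curl -s "$SONAR_HOST/api/system/status" || true)"
    if [ "$(system_status "$body")" = "UP" ]; then
      echo "Sonarqube is up at $SONAR_HOST"
      return 0
    fi
    i=$((i + 1))
    sleep 5
  done
  echo "Sonarqube did not come up in time" >&2
  return 1
}

# Real actions only when explicitly requested, so the helpers can be sourced
# and tested without Docker.
if [ "${RUN_LOCAL_SONAR:-0}" = "1" ]; then
  start_sonarqube
  wait_until_up
fi
```

Once the server is up, log in at `http://localhost:9000` (the image ships with the `admin`/`admin` account, which it asks you to change on first login), create the project and generate a token there; then point `sonar.host.url` at the local address and use that token. On Linux hosts the embedded Elasticsearch needs `vm.max_map_count` raised to at least 262144 or the container stops shortly after starting. Note that `sonar.organization` is a Sonarcloud concept and is not needed when analysing against a self-hosted server.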