Skip to content

carloselpapa10/sonarqube-demo

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 

Repository files navigation

Sonarqube - Demo

"Sonarqube is an automatic code review tool to detect bugs, vulnerabilities and Code smells in your code base"

Prerequisites

- Java 8
- Gradle 
- Docker

Installation

There are multiple ways to install Sonarqube tool in a machine, even we can use the online SonarCloud as a service to review the quality of the code in our projects.

I've installed Sonarqube by using the next Docker command:

$ docker run -d --name sonarqube -p 9000:9000 sonarqube

Note: By default you can login as admin with password admin. You can see further information following this link.

Other way we can install Sonarqube is downloading the Sonarqube package from its web site.

Sonarqube Platform

Sonarqube is an open-source continuous quality integration tool with which we can identify code vulnerabilities, the bugs and the code quality in the code base.

Once we logged in to the Sonarqube platform, we see 5 different sections mentioned as follows:

  • Projects
  • Issues
  • Rules
  • Quality Profiles
  • Quality Gates

We go to Project section to create a new project in Sonarqube in which both Project key and Display name are required values in the Create new project form.

Project key is a unique identifier for your project. If you are using Maven, make sure the key matches the 'groupid:artifactid' format

In order to analyze our project, we need to follow 2 simple steps. One is to get a token which is generated by the platform and will be used to identify when an analysis is performed. In case it has been compromised, we can revoke it at any point of time in our user account. The second step is to add the Sonarqube plugin to our code base presented as follows:

Gradle

plugins {
  id "org.sonarqube" version "2.7"
}

Now, we can use a terminal to execute the next Sonarqube command that will analyze the code base of the project.

./gradlew sonarqube \
  -Dsonar.projectKey= <projectKey> \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.login= <generatedToken>

Once the analysis has been completed, we can visit the Project section in the Sonarqube platform to review the results.

Follow, some important features in Sonarqube platform are mentioned.

Quality Profiles

Quality Profiles are collections of rules to apply during an analysis. For each language there is a default profile. All projects not explicitly assigned to some other profile will be analyzed with the default. Ideally, all projects will use the same profile for a language, but that's not always practical. For instance, you may find that:

  • The technological implementation differs from one application to another (for example, different coding rules may apply when building threaded or non-threaded Java applications).
  • You want to ensure stronger requirements on some of your applications (internal frameworks for example).
  • Etc.

Quality Gates

A Quality Gate is a set of measure-based, boolean conditions. It helps you know immediately whether your ptojects are production-ready. Ideally, all projects will use the same quality gate. Each project's quality gate status is displayed prominently on its home page.

Webhooks

Webhooks notify external services when a project analysis is complete. An HTTP Post request including a JSON payload is sent to each URL. URLs may be specified at both the project and global levels. Project level specification does not replace global level webhooks. All hooks at both level are called.

Further information and details can be found through the Sonarqube Documentation.

MSc Carlos Avendaño

https://www.linkedin.com/in/carlos-alberto-avenda%C3%B1o-arango-534b0a137/

Releases

No releases published

Packages

No packages published

Languages