"Sonarqube is an automatic code review tool to detect bugs, vulnerabilities and Code smells in your code base"
- Java 8
- Gradle
- Docker
There are multiple ways to install Sonarqube tool in a machine, even we can use the online SonarCloud as a service to review the quality of the code in our projects.
I've installed Sonarqube by using the next Docker command:
$ docker run -d --name sonarqube -p 9000:9000 sonarqube
Note: By default you can login as admin with password admin. You can see further information following this link.
Other way we can install Sonarqube is downloading the Sonarqube package from its web site.
Sonarqube is an open-source continuous quality integration tool with which we can identify code vulnerabilities, the bugs and the code quality in the code base.
Once we logged in to the Sonarqube platform, we see 5 different sections mentioned as follows:
- Projects
- Issues
- Rules
- Quality Profiles
- Quality Gates
We go to Project section to create a new project in Sonarqube in which both Project key and Display name are required values in the Create new project form.
Project key is a unique identifier for your project. If you are using Maven, make sure the key matches the 'groupid:artifactid' format
In order to analyze our project, we need to follow 2 simple steps. One is to get a token which is generated by the platform and will be used to identify when an analysis is performed. In case it has been compromised, we can revoke it at any point of time in our user account. The second step is to add the Sonarqube plugin to our code base presented as follows:
Gradle
plugins {
id "org.sonarqube" version "2.7"
}
Now, we can use a terminal to execute the next Sonarqube command that will analyze the code base of the project.
./gradlew sonarqube \
-Dsonar.projectKey= <projectKey> \
-Dsonar.host.url=http://localhost:9000 \
-Dsonar.login= <generatedToken>
Once the analysis has been completed, we can visit the Project section in the Sonarqube platform to review the results.
Follow, some important features in Sonarqube platform are mentioned.
Quality Profiles are collections of rules to apply during an analysis. For each language there is a default profile. All projects not explicitly assigned to some other profile will be analyzed with the default. Ideally, all projects will use the same profile for a language, but that's not always practical. For instance, you may find that:
- The technological implementation differs from one application to another (for example, different coding rules may apply when building threaded or non-threaded Java applications).
- You want to ensure stronger requirements on some of your applications (internal frameworks for example).
- Etc.
A Quality Gate is a set of measure-based, boolean conditions. It helps you know immediately whether your ptojects are production-ready. Ideally, all projects will use the same quality gate. Each project's quality gate status is displayed prominently on its home page.
Webhooks notify external services when a project analysis is complete. An HTTP Post request including a JSON payload is sent to each URL. URLs may be specified at both the project and global levels. Project level specification does not replace global level webhooks. All hooks at both level are called.
Further information and details can be found through the Sonarqube Documentation.
https://www.linkedin.com/in/carlos-alberto-avenda%C3%B1o-arango-534b0a137/