Code quality is arguably one of the most important parts of Software Development – badly written code can cost time and money as you’ll waste time working out what code actually does before you can do anything with it. There are many ways to prevent bad quality code from being written, but they often involve spending lots of time training people and breaking bad habits (and we all know how much some people like change). Enter SonarQube – the automated code quality inspection tool.
So… what exactly is SonarQube?
SonarQube is a free tool (there’s also a paid version offering more features and support for enterprise) that provides continuous inspection and analysis of code quality (much like Hudson or Jenkins do continuous integration), checking your codebase for bugs, vulnerabilities and code smells, and presenting it all in a nice report with lots of detail. As with most things, by automating code quality checks, developers like myself can enjoy spending more time working on cool new projects and features while a robot does the boring parts of my job for me.
However, SonarQube doesn’t do everything – practices such as peer code reviews and allocating time each week to reduce existing technical debt are still necessary. What SonarQube does best is improving code quality by preventing more issues getting into the codebase – there isn’t much point in fixing an issue if you aren’t going to try and stop it from happening again in the first place!
The SonarQube platform is made up of multiple parts:
- The SonarQube server. This processes and manages code analysis reports and provides a nice little front end so you can view everything wrong with your code and configure SonarQube.
- The database. This simply stores any configurations and all the report data / code quality snapshots.
- Plugins. These provide additional functionality such as support for different SCM engines, authentication, and integration for tools such as Google Analytics, GitHub and GitLab.
- Scanners. These are what actually scan your code – they can run either locally or on your Build / CI servers, analyzing projects and reporting back to the server.
You can also get SonarLint, an IDE extension that provides real-time code analysis in your IDE, helping to fix and avoid potential issues before you commit. Even better, SonarLint is standalone. You don’t need to set up a SonarQube server – just install the plugin and you’re ready to go!
You can find more info on how SonarQube works and where it fits in here.
Getting set up:
There are many different ways to set up SonarQube, depending on what language(s) you program in and what tools you use. As an example, I’ll use SonarScanner for Maven and SonarJava to analyze the code quality of our fancy new BuildVu Microservice Example project.
To keep things simple, I’ll also be using the embedded database for storing reports. You’re strongly advised to use the embedded database for evaluation purposes only – it doesn’t scale, there’s no way to export data out into other database engines and it’ll be wiped every time you upgrade SonarQube. You can find tutorials on setting up a separate database here.
With that out of the way, getting started is easy:
- Download the latest version of SonarQube (7.0 was the latest version at the time of writing).
- When that’s finished downloading, unzip SonarQube into the directory you want to install it in. For example, I’ll be using
- Open up a terminal / command line window, then start up the SonarQube server using the command:
Windows: C:\sonarqube\bin\windows-x86-xx\StartSonar.bat (don’t forget to change ‘xx’ to 32 or 64)
Mac / Linux:
- Once the server has started, open up your browser and go to http://localhost:9000. You can log in using the default System Admin credentials (admin / admin).
- Skip the on-screen tutorial – you can always go back and do it at a later date if you want to (It can be found in the ‘Help’ section). As we haven’t actually scanned any projects yet, you should see an empty screen.
- Modify your Maven settings.xml file to enable SonarQube for Maven.
- Finally, open up a command line / terminal window in the base directory of your Maven project and run the command mvn clean verify sonar:sonar to scan your project. If you go back to the Project Overview page from earlier and refresh the page, you should now see your project appear!
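The settings.xml change and the scan command above are the two halves of one step; the fragment below is an added example (not from the original post) showing what the Maven settings.xml needs so that mvn sonar:sonar resolves and reports to the server started earlier. It assumes the server is still on its default address, http://localhost:9000.

```xml
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <!-- Registers the "sonar" plugin prefix so that "mvn sonar:sonar"
       resolves to org.sonarsource.scanner.maven:sonar-maven-plugin -->
  <pluginGroups>
    <pluginGroup>org.sonarsource.scanner.maven</pluginGroup>
  </pluginGroups>
  <profiles>
    <profile>
      <id>sonar</id>
      <!-- Active by default so every "mvn ... sonar:sonar" run picks it up -->
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <properties>
        <!-- Assumed: the local server from the setup steps, on its default port -->
        <sonar.host.url>http://localhost:9000</sonar.host.url>
      </properties>
    </profile>
  </profiles>
</settings>
```

Merge these elements into your existing ~/.m2/settings.xml rather than replacing the file, so any repository or mirror settings you already have are kept.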
Viewing the report:
Clicking on your project from the Project Overview page will show you an overview of the latest code quality snapshot for your project:
- Under the project title, the “Issues” tab will show you a list of all the detected issues. You can filter and sort the data using the options on the left, and view more detail by clicking on each issue.
- The “Measures” tab shows you many different graphs that visualize different bits of data such as security, reliability and coverage by unit tests.
- The “Code” tab shows you each individual file in the project and provides data on each such as the number of bugs / code smells, duplicate code and total lines of code.
- The “Activity” tab contains a graph which gives an overview of the total number of issues across each scan.
- Last of all, the “Administration” tab lets you configure settings specific to the selected project.
That covers the basic setup and usage. From here, you could set up a Hudson / Jenkins job to automatically run scans, add email notifications to let people know when they introduce issues or expand SonarQube to include checks by tools such as CheckStyle, FindBugs and PMD.
Do you use SonarQube / SonarLint to manage code quality in your projects? Do you think it’s worth using, or that there’s a better alternative? Let us know your thoughts in the comments below.