SonarQube Tutorial All Details with Examples! [2021 Update]

SonarQube Tutorial comprises all details of this tool. I will start with the outline and then I will explain each topic one by one in detail.

SonarQube Tutorial Outline

We will look at requirements and prerequisites for SonarQube:

  • What is code quality?
  • What is SonarQube?
  • Why SonarQube?
  • How SonarQube works?
  • Sonar Structure & CI
  • SonarQube Features
  • Cyclomatic Complexity
  • Installation of SonarQube

Prerequisites

  • SonarQube
  • Java JDK
  • You can also check prerequisites here

What is Code Quality?

I watched a presentation of Patroklos Papapetrou and I liked his description of code quality. He says that “Code quality is an indicator about how quickly developers can add business value to software system”

code_quality_2016-01-26_15-32-19

Software quality characteristics: ISO/IEC 9126

In order to evaluate software, it is necessary to select relevant quality characteristics. ISO/IEC 9126 defines a quality model which is applicable to every kind of software. It defines six product quality characteristics.

iso9126_1_modelo_calidad_thumb[fusion_builder_container hundred_percent=

What is SonarQube?

Sonar is an open-source software quality platform. SonarQube saves the calculated measures in a database and showcases them in a rich web-based dashboard. Provides trends and leading indicators.

How Sonar Works?

Sonar uses various static & dynamic code analysis tools such as Checkstyle, PMD, FindBugs, FxCop, Gendarme, and many more to extract software metrics, which then can be used to improve software quality. Provides lots of plugins.

Sonar Structure

sonar_structure_2016-01-26_21-32-53

Sonar CI

sonar_CI_2016-01-26_21-33-42

SonarQube Features  

  • Supports languages: Java, C/C++, Objective-C, C#, PHP, Flex, Groovy, JavaScript, Python, PL/SQL, COBOL, etc. (note that some of them are commercial)
  • Can also be used in Android development.
  • Offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, potential bugs, comments, design, and architecture.
  • Records metrics history and provides evolution graphs (“time machine”) and differential views.
  • Provides fully automated analyses: integrates with Maven, Ant, Gradle, and continuous integration tools (Atlassian Bamboo, Jenkins, Hudson, etc.).
  • Integrates with the Eclipse development environment
  • Integrates with external tools: JIRA, Mantis, LDAP, Fortify, etc.
  • Is expandable with the use of plugins.
  • Implements the SQALE methodology to compute technical debt. (wiki)

What is static code analysis?

Computer code that is performed without actually executing programs.  Source code will be checked for compliance with a predefined set of rules or best practices set by the organization.

Visual Studio has a built-in tool or this you can follow:  In Solution Explorer, right-click the project, and then click Properties.

code_analyze_2016-01-27_22-03-05

We can configure the rules or analyze

static_analyze_2016-01-27_22-01-18

Technical debt is caused by the 7 deadly sins of the developer:

  1. Duplications: SonarQube has a copy/paste detection engine to find duplications
  2. Bad distribution of complexity: Cyclomatic complexity [wiki] (or McCabe metric)
  3. Spaghetti Design
  4. Lack of unit tests
  5. No coding standards
  6. Potential bugs
  7. Not enough or too many comments or incorrect comments

Cyclomatic Complexity was introduced by Thomas J. McCabe and is the most popular and widely accepted method of measuring code complexity. The metric defines a formula to calculate the complexity of code by taking into account all the possible independent paths that program flow could follow.
The complexity M is then defined as

M = EN + 2P

where

E = the number of edges of the graph
N = the number of nodes of the graph
P = the number of connected components

Installing SonarQube

Download SonarQube 5.3 (version in 2016) and MSBuild SonarQube Runner  from the SonarQube from here.

Important Note: In 2021 April, the new versions are listed as follows:

SonarQube(8.8): https://www.sonarqube.org/downloads/

SonarScanner for .NET(5.2): https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-msbuild/

We also need Java JDK 11 so you can visit and download it from here.

From now on, I will explain the installation for SonarQube 5.3 but you can apply it for the new SonarQube versions.

Right-click on sonarqube-5.3.zip, select Properties and then click on the Unblock button.

Unzip SonarQube-x.x.zip on to a folder, for example, use C:\SonarQube\SonarQube-5.3

You should see the files inside the extracted folder.

2015-10-02_17-29-47

Execute c:\sonar-5.3\bin\windows-x86-64\StartSonar.bat file using command-line.The expected output should look like

sonar_is_up_2016-01-25_17-48-58

Tip: Can’t load AMD 64-bit .dll on a IA 32-bit platform

 Error message says you need to install 64 bit java

Database Integration

I use MySQL as the database. It needs to create a new schema and a sonar user and I give the user permissions to create, update and delete objects in the schema.

sonar_db2016-01-25_17-54-37

Troubleshooting: for log checking  log files located under  sonarqube/logs 

sonar_logs_2016-01-24_22-48-42

You can login using default user / password = admin / admin

sonar_2016-01-20_14-21-10

sonar_default_rule_2016-01-20_14-22-55

Plugin installation: Update Center (Settings | System | Update Center), and installed the SonarQube C# Plug-in.

sonar_update_center2016-01-20_14-51-37

Now we need to install MS Build QubeRunner, you can download it here. First, need to be unblocked.

 unblock

Now we need some modifications on SonarQube.Analysis.xml  file.

sonar.jdbc.url
sonar.jdbc.username
sonar.jdbc.password

sosnarqube_analysis

Thanks.
Onur Yazir

1 thought on “SonarQube Tutorial All Details with Examples! [2021 Update]”

  1. Hi,
    can we use this for standalone app..and can you brief me about charterstics of sonar qube. what is the main diff b/w sonar and selenium?

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.