SonarQube Tutorial comprises all details of this tool. I will start with the outline and then I will explain each topic one by one in detail.
SonarQube Tutorial Outline
We will look at requirements and prerequisites for SonarQube:
- What is code quality?
- What is SonarQube?
- Why SonarQube?
- How SonarQube works?
- Sonar Structure & CI
- SonarQube Features
- Cyclomatic Complexity
- Installation of SonarQube
- Java JDK
- You can also check prerequisites here
What is Code Quality?
I watched a presentation of Patroklos Papapetrou and I liked his description of code quality. He says that “Code quality is an indicator about how quickly developers can add business value to software system”
Software quality characteristics: ISO/IEC 9126
In order to evaluate software, it is necessary to select relevant quality characteristics. ISO/IEC 9126 defines a quality model which is applicable to every kind of software. It defines six product quality characteristics.
What is SonarQube?
Sonar is an open-source software quality platform. SonarQube saves the calculated measures in a database and showcases them in a rich web-based dashboard. Provides trends and leading indicators.
How Sonar Works?
Sonar uses various static & dynamic code analysis tools such as Checkstyle, PMD, FindBugs, FxCop, Gendarme, and many more to extract software metrics, which then can be used to improve software quality. Provides lots of plugins.
- Can also be used in Android development.
- Offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, potential bugs, comments, design, and architecture.
- Records metrics history and provides evolution graphs (“time machine”) and differential views.
- Provides fully automated analyses: integrates with Maven, Ant, Gradle, and continuous integration tools (Atlassian Bamboo, Jenkins, Hudson, etc.).
- Integrates with the Eclipse development environment
- Integrates with external tools: JIRA, Mantis, LDAP, Fortify, etc.
- Is expandable with the use of plugins.
- Implements the SQALE methodology to compute technical debt. (wiki)
What is static code analysis?
Computer code that is performed without actually executing programs. Source code will be checked for compliance with a predefined set of rules or best practices set by the organization.
Visual Studio has a built-in tool or this you can follow: In Solution Explorer, right-click the project, and then click Properties.
We can configure the rules or analyze
Technical debt is caused by the 7 deadly sins of the developer:
- Duplications: SonarQube has a copy/paste detection engine to find duplications
- Bad distribution of complexity: Cyclomatic complexity [wiki] (or McCabe metric)
- Spaghetti Design
- Lack of unit tests
- No coding standards
- Potential bugs
- Not enough or too many comments or incorrect comments
Cyclomatic Complexity was introduced by Thomas J. McCabe and is the most popular and widely accepted method of measuring code complexity. The metric defines a formula to calculate the complexity of code by taking into account all the possible independent paths that program flow could follow.
The complexity M is then defined as
- M = E − N + 2P
- E = the number of edges of the graph
- N = the number of nodes of the graph
- P = the number of connected components
Download SonarQube 5.3 (version in 2016) and MSBuild SonarQube Runner from the SonarQube from here.
Important Note: In 2021 April, the new versions are listed as follows:
SonarScanner for .NET(5.2): https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-msbuild/
We also need Java JDK 11 so you can visit and download it from here.
From now on, I will explain the installation for SonarQube 5.3 but you can apply it for the new SonarQube versions.
Right-click on sonarqube-5.3.zip, select Properties and then click on the Unblock button.
Unzip SonarQube-x.x.zip on to a folder, for example, use C:\SonarQube\SonarQube-5.3
You should see the files inside the extracted folder.
c:\sonar-5.3\bin\windows-x86-64\StartSonar.bat file using command-line.The expected output should look like
Tip: Can’t load AMD 64-bit .dll on a IA 32-bit platform
Error message says you need to install 64 bit java
I use MySQL as the database. It needs to create a new schema and a sonar user and I give the user permissions to create, update and delete objects in the schema.
Troubleshooting: for log checking log files located under sonarqube/logs
You can login using default user / password = admin / admin
Plugin installation: Update Center (Settings | System | Update Center), and installed the SonarQube C# Plug-in.
Now we need to install MS Build QubeRunner, you can download it here. First, need to be unblocked.
Now we need some modifications on SonarQube.Analysis.xml file.
Onur YAZIR is a Senior Software Testing & DevOps Engineer 10+ years of experience. He has worked Huawei, Ericsson, Vodafone, Several FinTech companies, Gulf News, and Emirates Airlines. You can find detailed information about him on his linked-in page.