SonarQube is an open-source tool that helps developers perform code quality analysis.
As part of the practice of shifting left, we want to not only test as early as possible, but evaluate the quality of our code as early as possible. One element of this practice is the code review (or peer review), where another developer or a supervisor reviews a developer's code for security, readability, maintainability, and correctness.
However, a human being is not required to effectively review several aspects of the code. We can delegate these responsibilities to static code analysis, leaving our peers or supervisors to look at the higher-level questions.
CTC's static code analysis tool is SonarQube, one of the industry leaders. It supports all of the development languages commonly used at CTC, as well as a number of less common languages. Delivery squads are expected to integrate SonarQube into their Continuous Integration (CI) pipeline. At a minimum, static code analysis should be performed before the code is integrated into the main branch. Cloud Ops and Automation (CO&A) includes SonarQube analysis in its Jenkins Arcus CI pipeline, and IT Practices will provide an Azure Pipelines template for running SonarQube from Azure DevOps.
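As an added illustration of the minimum expectation above (analysis and a quality-gate check before code reaches the main branch), here is a declarative Jenkinsfile; it is example code, not the Arcus pipeline or the IT Practices template, and the server name `SonarQube`, the project key `example-project` and the Maven build are assumptions.

```groovy
// Added example: run SonarQube analysis in Jenkins and block the build when
// the quality gate fails. Assumes a SonarQube server registered in Jenkins
// under the name 'SonarQube' and a project key 'example-project' (both
// hypothetical), and a Maven project with the SonarQube Maven plugin.
pipeline {
    agent any
    stages {
        stage('Build and test') {
            steps {
                // Produces test results and coverage reports for the scanner to pick up
                sh 'mvn -B clean verify'
            }
        }
        stage('SonarQube analysis') {
            steps {
                // withSonarQubeEnv injects the server URL and token of the named server
                withSonarQubeEnv('SonarQube') {
                    sh 'mvn -B sonar:sonar -Dsonar.projectKey=example-project'
                }
            }
        }
        stage('Quality gate') {
            steps {
                // Waits for the server's webhook with the gate result; a failed gate
                // aborts the build, so that code never merges into the main branch.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```

`waitForQualityGate` relies on a webhook configured in SonarQube that points back at the Jenkins instance; without it the stage waits until the timeout expires.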
SonarQube identifies issues that are unknowingly introduced into the code, such as unused variables and unhandled exceptions. It can scan code in more than 20 languages, including C#, Java and Python, and recommends fixes for the issues it finds.
| Static Code Analysis examples | Peer/Supervisor Review examples |
|---|---|
The SonarQube homepage (dashboard) is a single pane for viewing code quality. Every time the application code is built, the scanner analyzes it and pushes the results to the SonarQube server under your project. SonarQube version 7.x displays the default metrics -