SonarQube tutorial: Get started with continuous inspection

Continuous integration with tools like Jenkins has become the norm for organizations transitioning to full-scale continuous delivery. For it to become universally adopted, though, software developers must constantly try to shift left: they need to move the tasks that traditionally occurred toward the end of the software development lifecycle to the beginning.

One of the easiest ways to shift left is to incorporate static code analysis tools, like SonarQube, into the early stages of development and bind continuous inspection with CI. This SonarQube tutorial will demonstrate just how easy it is to incorporate continuous inspection into your Maven builds.

What is SonarQube?

Formerly known simply as Sonar, SonarQube is an open source tool that can inspect both the source code and the compiled code of over 20 different languages, including JavaScript, C#, Kotlin and Objective-C. It generates a variety of reports that fall into several compartmentalized categories. The steps to install, configure and run SonarQube work for all languages.

SonarQube metrics

Continuous inspection of code generates SonarQube metrics that fall into seven categories. They're often referred to professionally as the seven axes of code quality, or more colloquially as the software developer's seven deadly sins. Those seven deadly SonarQube metrics are:

  1. Common anti-patterns and coding flaws that can lead to bugs: These SonarQube metrics are similar to what static code analysis tools, such as PMD and FindBugs, typically report.
  2. Breaches of coding standards and conventions: These SonarQube metrics are similar to what might be generated by the Maven CheckStyle Plugin.
  3. Copy and pasting of code: This causes needless bloat and duplication.
  4. A lack of unit tests and less-than-satisfactory unit test code coverage: This is similar to the type of metrics generated by the JaCoCo Maven Plugin.
  5. Excessive code complexity: This is indicated by a McCabe cyclomatic complexity calculation performed on the source code.
  6. A spaghetti-like design: This makes tracing application flow difficult.
  7. A lack of comments or too many comments: Nobody is quite sure if it's good or bad to comment code. Whichever side of the fence you sit on, there's a SonarQube metric to help you quantify what is going on in the code base.

SonarQube download and installation

There are many ways to configure SonarQube. You can deploy the tool to an application server, such as Tomcat or WebSphere Liberty, or use an external database to persist continuous inspection results. But, for this SonarQube tutorial, we will perform a simple and basic installation. You simply need to download the SonarQube Community Edition and extract the compressed file to a sensible location on the hard drive. In this SonarQube tutorial, the binaries are unzipped to a folder named C:\_sonarqube-7.2.1.

To start the SonarQube continuous inspection tool, find and run the startsonar batch or shell script. This script can be found under the architecture-specific subdirectory in the installation's bin folder. On a Windows 32-bit machine, the command would be executed as follows:

C:\_sonarqube-7.2.1\bin\windows-x86-32> startsonar.bat
Locate the initial script here in the architecture-specific subdirectory.

SonarQube administration

With the SonarQube continuous inspection tool up and active, you can log in to the administrative console by entering the default credentials admin:admin in a web browser pointed at localhost:9090.

After you log in, SonarQube first asks you to generate an authentication token and then asks which language you intend to use: C#, Kotlin, JavaScript or some other popular option. In the second SonarQube tutorial, we will inspect Java code.

Finally, the tool asks which build technology you'll use. After selecting Maven, the tool provides the URL you need to trigger the SonarQube Maven Plugin.

Select Maven as your build technology.
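The login step above relies on the admin:admin account, so a useful post-install check is to confirm that this login stops working once you have changed the password. The following script is an added example, not part of the original tutorial or of SonarQube itself. It assumes the localhost:9090 address used above and the SonarQube Web API endpoints api/system/status and api/authentication/validate; the response handling for rejected credentials is an assumption that may vary by version.

```python
"""Post-install check for a local SonarQube server (added example)."""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "http://localhost:9090"   # address used in this tutorial
DEFAULT_CREDS = ("admin", "admin")   # login named in this tutorial


def http_get_json(url, creds=None):
    """GET url (optionally with HTTP Basic auth) and return the JSON body."""
    req = urllib.request.Request(url)
    if creds:
        raw = "{}:{}".format(*creds).encode()
        req.add_header("Authorization", "Basic " + base64.b64encode(raw).decode())
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        if err.code == 401:          # assumption: some versions answer 401
            return {"valid": False}
        raise


def audit(base_url=BASE_URL, get=http_get_json):
    """Return a list of findings; an empty list means the checks passed."""
    status = get(base_url + "/api/system/status").get("status")
    if status != "UP":
        return ["server not ready (status={})".format(status)]
    findings = []
    check = get(base_url + "/api/authentication/validate", DEFAULT_CREDS)
    if check.get("valid"):
        findings.append("admin:admin login still works; change the password")
    parts = urlsplit(base_url)
    if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
        findings.append("plain HTTP to a non-local host exposes passwords and tokens")
    return findings


if __name__ == "__main__":
    try:
        for line in audit() or ["no findings"]:
            print(line)
    except OSError as err:           # connection refused, timeout, ...
        print("could not reach {}: {}".format(BASE_URL, err))
```

Run it once right after installation and again after changing the admin password; the second run should print "no findings".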

With SonarQube installed and configured and the administrative console up and active, the tool is ready to begin inspecting source code and reporting on a variety of SonarQube metrics. In part two of this SonarQube tutorial, we will demonstrate how to use the SonarQube Maven Plugin to integrate Java source code with the static code analysis capabilities of the tool.
