An introduction on using SonarQube

Home > Blogs > Quality and Security > An introduction on using SonarQube
Posted by: Sean Malloy
Category: Quality and Security, SonarQube
An Introduction on SonarQube1.1

An Introduction on SonarQube

SonarQube is a Code Quality Assurance tool that collects and analyzes source code, and provides reports for the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continually over time. Everything from minor styling choices, to design errors are inspected and evaluated by SonarQube. This provides users with a rich searchable history of the code to analyze where the code is messing up and determine whether or not it is styling issues, code defeats, code duplication, lack of test coverage, or excessively complex code. The software will analyze source code from different aspects and drills down the code layer by layer, moving module level down to the class level, with each level producing metric values and statistics that should reveal problematic areas in the source code that needs improvement. 

Sonarqube also ensures code reliability, Application security, and reduces technical debt by making your code base clean and maintainable. Sonarqube also provides support for 27 different languages, including C, C++, Java, Javascript, PHP, GO, Python, and much more.SonarQube also provides Ci/CD integration, and gives feedback during code review with branch analysis and pull request decoration.

Software Quality Measurement

When creating software, the code should have the following characteristics:

  1. The code should follow a specific convention
  2. The code should be following established good practices and have been followed
  3. Checked for potential bugs and performance, security, or vulnerabilities issues
  4. Is the code duplicated anywhere
  5. Does the code make logical sense, or is it too complex
  6. Does the public API have good documentation and comments
  7. Does the code have unit tests
  8. Doe the code follow good software design and architecture principles. 

We can enforce these coding standards automatically by two methods: Static code analysis or Dynamic code analysis. To explain them quickly:

Dynamic code analysis

Dynamic Code Analysis relies on studying how the code behaves during execution. The objective is to find errors in a program while it is running, rather than by repeatedly examining the code offline. 

Some things that Dynamic code analysis does are:

  1. Code Coverage: Computing how much a piece of code gets tested by test suites
  2. Memory error detection: Checking whether or not memory leaks or errors occur
  3. Fault localization: Locating the buggy code to a specific location
  4. Invariant Inference: Observes the values that the program computes, and then report properties that were true over the observed executions, and this likely true over all executions. 
  5. Security Analysis: Detect security problems. 
  6. Concurrency errors: Dynamic Uses runtime error detection to expose defects such as race conditions, exceptions, resource and memory leaks, and security attack vulnerabilities
  7. Program slicing: Consists of reducing the program to the minimum form that still produces the selected behavior. 
  8. Performance Analysis: dynamically tracing software applications at runtime and captures data that can be used to analyze and identify the causes of poor performance. 

Static Code Analysis

Static code analysis is done without executing any of the code. It is a collection of algorithms and techniques to analyze source code to automatically find potential errors and poor coding practices. This is done with compiler errors and run-time debugging techniques such as white box testing. Static code analysis is also considered a way to automate code review process. The tasks involved in static code analysis can be divided as such:

  1. Detecting errors in programs
  2. Recommendations on code formatting with a formatter
  3. Metrics computation, which gives you back a rating on how well your code is.

Popular tools for static Code Analysis are Checkstyle, PMD, and FindBugs. 

SonarQube benefits

So Why SonarQube 

So why not just existing and proven tools and configure them in the CI server ourselves? Well for SonarQube there are a lot of benefits:

  • CI tools do not have a plugin which would make all of these tools work easily together
  • CI tools do not have plugins to provide nice drill-down features that SonarQube has
  • CI Plugins does not talk about overall compliance value
  • CI plugins do not provide managerial perspective
  • There is no CI plugin for Design or Architectural issues
  • CI plugins do not provide a dashboard for overall project quality

Features of SonarQube are:

  • Doesn’t just show you what’s wrong, but also offers quality and management tools to actively helps you correct issues
  • Focuses on more than just bugs and complexity and offers more features to help the programmers write code, such as coding rules, test coverage, de-duplications, API documentation, and code complexity all within a dashboard
  • Gives a moment-in-time snapshot of your code quality today, as well as trends of past and potentially future quality indicators. Also provides metrics to help you make the right decisions

Getting Started 

There are a few tiers to SonarQube, which will depend on how much you want the software to do and for what level of development you want to do with the software. A brief breakdown is as follows:

  • Community edition: The starting point for adopting code quality in CI/CD
  • Developer Edition: Maximum Application security, and value from SonarQube across branches and PRS
  • Enterprise Edition: Manage application portfolio, enable code quality and security at an enterprise level
  • Data Center Edition: High Availability for global deployments

To install SonarQube on locally to analyze a project, you have two different methods: Installing SonarQube from a zip file, or from a docker image

Getting SonarQube from a Zip file

  • You can download the SonarQube community edition zip file from here: https://www.sonarqube.org/downloads/
  • As a non-root user, unzip it in any file location you want it in, such as c:/sonarqube or /opt/sonarqube
  • Start the SonarQube server: 
    on windows: C:\sonarqube\bin\windows-x86-64\StartSonar.bat 
    On other operating systems: /opt/sonarqube/bin/[OS]/sonar.sh console
  • Login to http://localhost:9000 with the following credentials for system admin: (admin/admin)

Getting SonarQube from a Docker Image

docker run -d --name sonarqube -p 9000:9000 <image name>
  • Login to http://localhost:9000 with the following credentials for system admin: (admin/admin)

Analyzing a project with SonarQube

Once you are logged into sonarqube, to analyze a project follow the following steps:

  1. Click create new project button
  2. When asked How do you want to create your project, select Manually.
  3. Give your project a Project key and a Display name and click the Set Up button.
  4. Under Provide a token, select Generate a token. Give your token a name, click the Generate button, and click Continue.
  5. Select your project’s main language under Run analysis on your project, and follow the instructions to analyze your project. Here you’ll download and execute a Scanner on your code (if you’re using Maven or Gradle, the Scanner is automatically downloaded).

After successfully analyzing your code, you’ll see your first analysis on SonarQube

Architecture and Integration

The SonarQube platform comprises of 4 components:

  1. SonarQube Server comprising of the following processes:
    1. Web Servers for developers which allows managers to browse quality snapshots and configure the SonaQube instances
    2. Search Server based on Elastic search to back searches from the UI
    3. Compute engine server in charge of processing code analysis reports and saving them in the SOnarQube database 
  2. SonarQube Database which stores:
    1. The configuration of the SonarQube instance
    2. The quality snapshots of projects, views, etc.
  3. SonarQube plugins installed on the server, possibly including language, SCM, integration, authentication, and governance plugins
  4. SonarScanners running on your Build/Continuous integration servers to analyze a project

About machines and locations:

  • The SonarQube platform cannot have more than one SonarQube server (unless clustered), and one SonarQube database
  • For optimal performance, each component should be installed on separate machines and the server machine should be dedicated
  • SonarScanners scale by adding machines
  • All machines must be time-synchronized
  • SonarQube server and SonarQube Database must be located in the same network
  • SonarScanners don’t need to be on the same network as the SonarQube Server
  • There is no communication between SonarScanners and the SonarQube Database. 

To integrate SonarQube on a production environment, follow these steps:

  1. Developers code in their IDEs and use SonarLint to run local analysis
  2. Developers push their code to their favorite SCM
  3. The Continuous Integration Server triggers an automatic build, and the execution of the Sonar Scanner required to run the SonarQube Analysis 
  4. The analysis report is sent to the SonarQube Server for processing
  5. SonarQube server processes and stores the analysis report results in the SonarQube Database and displays the results in the UI
  6. Developers review, comment, challenge their issues to manage and reduce their Technical Debt through SonarQube UI
  7. Managers receive reports from the analysis, Ops use APIs to automate the configuration and extract data from SonarQube, and ops use JMX to monitor SonarQube Servers.

Installing a Plugin

There are two options to install a plugin into SonarQube: marketplace and manual installation 

To install a plugin from the Marketplace

If you have access to the internet and you are connected with a SonarQube user having the Global Permission “Administer System” you can go to Administration > Marketplace (To learn more about the marketplace, go here: https://docs.sonarqube.org/latest/instance-administration/marketplace/)
Then you can find the plugin you want to install from the marketplace, and click on install and wait for the download to be processed. Once the download is complete, a restart button will be available to restart your instance

To manually install a plugin

In the page dedicated to the plugin, you want to install (IE SonarPython), click on the “Download” link of the version compatible with your version of SonarQube, then put the downloaded jar file in $SONARQUBE_HOME/extensions/plugins, removing any previous versions of the same plugin that may be present.
Once done you will need to restart SonarQube. 

Python specific properties

Supported Versions

The supported versions of Python compatible with SonarQube are:

  • Python 2.X
  • Python 3.X

Properties

To discover and update the Python-specific properties, go to Administration > General Settings > Python

Some things that could be changed are:

pylint

An external static code analyzer, and be used in conjunction with SonarSource Python Analyzer. 

  1. You can enable Pylint rules by going to your python quality profile. Their rule keys start with “Pylint” once the rules are activated, you should run Pylint and import its report. Then pass the generated report path to analysis via the sonar.python.pylint.reportPath property.
pylint <module_or_package> -r n --msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}" > <report_file>

Custom Rules

The Python analyzer parses the source code, creates an Abstract Syntax Tree (AST) and then walks through the entire tree. A coding rule is a visitor that is able to visit nodes from this AST. 
As soon as the coding rule visits a node, it can navigate its children and log issues if necessary.

Custom rules for Python can be added by writing a SonarQube Plugin and using Python Analyzer APIs.

The steps are as follows to create a SonarQube Plugin:

  1. create a standard SonarQube plugin project.
  2. attach this plugin to the SonarQube Python analyzer through the pom.xml:
    1. add the dependency to the Python analyzer.
    2. add the following line in the sonar-packaging-maven-plugin configuration.

      <requirePlugins>python:2.0-SNAPSHOT</requirePlugin>
  3. Implement the following extension points:
    1. Plugin Templating: http://javadocs.sonarsource.org/latest/apidocs/org/sonar/api/Plugin.html
    2. RulesDefinition for SonarQube plugins: http://javadocs.sonarsource.org/latest/apidocs/org/sonar/api/server/rule/RulesDefinition.html
    3. PythonCustomRuleRepository which can be implemented by a single class, to declare your custom rules: https://github.com/SonarSource/sonar-python/blob/master/python-frontend/src/main/java/org/sonar/plugins/python/api/PythonCustomRuleRepository.java
  4. Declare the RulesDefinition as an extension in the Plugin extension point.

To implement a Rule:

  1. create a class that will hold the implementation of the rule, it should:
    1. extend PythonCheckTree or PythonSubscriptionCheck.
    2. define the rule name, key, tags, etc. with Java annotations.
  2. declare this class in the RulesDefinition

mm
Author: Sean Malloy
Sean Malloy is working as an Automation Engineer at Crest Data Systems. Sean has worked on multiple automation and 508 Compliance projects for Splunk. Before joining Crest, Sean worked as an intern twice at SAP and has led multiple projects as part of his internship for Machine Learning and web development. Sean holds a Bachelor's degree from UC Davis.