Hi all,
Today we are discussing a static code analysis tool called SonarQube. This tool lets us measure the quality of our code. Take a close look at the logo, see what they’ve done? Nicely put.
So, why is it necessary?
- Ensures that only good-quality code goes into production
- Lets us enforce rules using Quality Gates
- Helps identify security vulnerabilities, duplications, etc.
- Generates a report on code quality
Now, let's see how we can do a local setup of SonarQube and SonarScanner.
Prerequisites:
- Java
Link — https://www.oracle.com/java/technologies/javase/jdk17-archive-downloads.html
MSI Installer — https://download.oracle.com/java/17/archive/jdk-17.0.8_windows-x64_bin.exe
Ensure that the Java path is added to the Environment Variables.
Go to Settings > Edit Environment variables > Add > {path}
In my case it was: C:\Program Files\Java\jdk-17\bin
Installation Steps — High Level
- Install SonarQube — for viewing multiple project reports in a single place
- Install SonarScanner — for scanning the code
SonarQube installation
SonarQube is a server application that lets us view multiple projects along with their scan reports. We can set up various Quality Gates, a fancy term that basically means rule sets the code must satisfy.
URL :
Once SonarQube is downloaded, extract it and navigate to this folder:
sonarqube-10.2.0.77647\bin\windows-x86-64
Run StartSonar.bat
Now we can see that SonarQube is up on localhost:9000, 9000 being the default port.
For testing, I have added a sample Python file to a new directory to store the code. Path — C:\Users\Linu\sonar-python\main.py
SonarScanner Installation
Install SonarScanner from here:
I have installed it for Windows.
Now, we need to add the environment variable for sonar-scanner, just like we did for Java earlier.
To verify, run sonar-scanner -h from any directory.
Inside the SonarScanner folder, we can see a folder named conf which contains a sonar-scanner.properties file. If we want to override some values, we can update them in that file.
For now, I have just added some properties with respect to my project.
For sonar.sources, replace "\" with "/" on Windows.
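What such a conf\sonar-scanner.properties could look like for the test-app project above, as an added example rather than the file from this post. The project key, server URL and source path are taken from the post; the sonar.token property, the SONAR_TOKEN environment variable and the exclusion/Python-version properties are assumed from the SonarScanner CLI documentation.

```properties
# conf\sonar-scanner.properties -- added example, not the post's own file.
# SonarQube server started with StartSonar.bat (9000 is the default port)
sonar.host.url=http://localhost:9000

# Project created with "Create Locally" in the SonarQube UI
sonar.projectKey=test-app
sonar.projectName=test-app

# Code to scan. Forward slashes are required because this is a Java
# .properties file, where "\" is an escape character: "C:\Users\..." would
# be read as "C:Users..." (a double backslash "C:\\Users" also works).
sonar.sources=C:/Users/Linu/sonar-python

# Assumed properties: skip virtualenvs/caches and tell the analyzer the
# Python version so version-specific rules apply.
sonar.exclusions=**/venv/**,**/__pycache__/**
sonar.python.version=3.11

# Authentication (assumed property name). Prefer NOT to write the token here
# if this folder is shared or committed; set the SONAR_TOKEN environment
# variable or pass -Dsonar.token=... on the command line instead.
# sonar.token=<token generated in the SonarQube UI>
```

With this in place, sonar-scanner needs no arguments; anything passed as -Dkey=value on the command line overrides the file.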
Now that we have set up SonarQube and SonarScanner, let's go to the SonarQube URL by typing localhost:9000 in the browser.
This brings up the SonarQube homepage. As a first-time activity, it will ask us to update the password. Next, let's create a project. Select the Create Locally option.
I have given test-app for both. Ideally you should give a meaningful name, but since this is for demo purposes, I am using test-app. We can set our own rule for when code counts as new and has to be scanned (based on dates or when a new version is uploaded).
Further on, it asks for the OS type and the language used for the code. It then generates a command that you can run directly in the directory where the code is stored. This is an alternative, where you specify the arguments on the CLI.
Next, let's run SonarScanner.
Since we have already specified the sonar properties, we can just run sonar-scanner.
We can see the code quality output as shown below. Since I used a simple piece of code just for test purposes, it passed without any issues or vulnerabilities.
By default, Sonar way is the quality gate created and used. Sonar way uses ‘Clean as You Code’, ensuring the highest level of code quality, which is ideal. However, if you want to cut some slack during the initial runs of the code, you can create a custom Quality Gate like so. It can even be set as the default.
Now we know the basics of SonarQube. That’s all for this week. Until the next post :)
Cheers!