Static code analysis- SonarQube open source Tool

-

Introduction

SonarQube is an open source product, produced by SonarSource SA, which consists in a set of static analyzers (for many languages), a data mart, and a portal that enables you to manage your technical debt. SonarSource and the community provide additional analyzers (free or commercial) that can be added to a SonarQube installation as plug-ins. SonarSource and Microsoft have been working to integrate SonarQube with MSBuild.

SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages. SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security vulnerabilities. SonarQube can record metrics history and provides evolution graphs.

SonarQube includes support for the below programming languages 

Java, C#, PHP, JavaScript, TypeScript, C/C++, Ruby, Kotlin, Go, COBOL, PL/SQL, PL/I, ABAP, VB.NET, VB6, Python, RPG, Flex, Objective-C, Swift, CSS, HTML, and XML. 

Some of these are only available via a commercial license .I have verified  VB.NET, C#,JavaScript, CSS, HTML files and these are available in open-source.

Prerequisite

The only prerequisite for running SonarQube is to have Java (Oracle JRE 11 or OpenJDK 11) installed on your machine.

Installation Steps in developer machines

  • Download the SonarQube Community Edition  https://www.sonarqube.org/downloads/
  • Unzip it, let's say in C:\sonarqube 
  • Start the SonarQube Server by running below command at command prompt                                # On Windows, execute:
  • C:\sonarqube\bin\windows-x86-xx\StartSonar.bat                                                                            # On other operating systems, as a non-root user execute:
  • /sonarqube/bin/[OS]/sonar.sh console

Once the above .bat file runs on windows machine, by default sonarqube dashboard service will up and run on default port 9000. So, the url to see the dashboard is http://localhost:9000

Note: if you want to change the port number you can change it through the properties file which is at inside of sonarqube folder(C:\sonarqube)

4. Log in to http://localhost:9000 with System Administrator credentials (login=admin, password=admin)
5. Click the Create new project button to analyze your first project.

After we run StartSonar.bat file, SonarQube should be up and running!

Project analysis from the dashboard

The first thing we need to do is to create a new project


Then we need to generate a token that will be used for login purpose also to download sonar scanner for the targeted framework:
Now add its path as well as an MS-Build path to the environment path variable:


The only thing that's left to do now is to run given commands, one after another, from the root level of your project:


That's it ! Wait for a few minutes and the results will be displayed in the web portal i.e http://localhost:9000. Just don't be surprise if you get something like this:)


Project analysis from the project root folder

We can also do analysis from the project folder using below steps
  1. goto command prompt
  2. goto the root folder of project
  3. execute below commands
MSBuild.SonarQube.Runner.exe begin \k:<keyname> \n:<projectname> \v:<version> and press enter

MSBuild.exe /t:Rebuild

MSBuild.SonarQube.Runner.exe end and press enter to finish the analysis

After executing the above command then you will see below output


Integrating in Jenkins

  • open local jenkins url i.e http://localhost:8080/

  • Install SonarQube plug in
              goto Manage Jenkins->Manage plugins
  • Select Available tab and search for Sonar as like below

  •     After installing , got to Manage Jenkins->Global Tool Configuration
                 This step is mandatory if you want to trigger any of your analyses with the SonarScanner                     for MSBuild. You can define as many scanner instances as you wish. Then for each                             Jenkins job, you will be able to choose with which launcher to use to run the SonarQube                     analysis
  • Click on Add SonarScanner for MSBuild
  •  Add an installation of the latest available version. Check Install automatically to have the SonarScanner for MSBuild automatically provisioned on your Jenkins executors

Job Configuration

  • Configure the project, and go to the Build section.
  • Add the SonarScanner build step to your build.
  • Configure the SonarQube analysis properties. You can either point to an existing sonar-project.properties file or set the analysis properties directly in the Analysis properties field

For more details about how to set up Jenkins pipeline to run the sonar scanner on Git, pl referrer below url


Once the configuration done, click Build Now as like below



Once build starts then you can see how the sonar scanner invokes and analyse the code from the console output as like below





Comments

Post a Comment

Popular posts from this blog

Email Sending through O365 using OAuth Protocol

-
  Microsoft Office365 EWS servers have been extended to support authorization via the industry-standard OAuth 2.0 protocol. Using OAUTH protocol, user can do authentication by Microsoft Web OAuth instead of inputting user and password directly in application Microsoft / Office 365 OAuth + EWS We can use the OAuth authentication service provided by Azure Active Directory to enable our application to connect with IMAP, POP or SMTP protocols to access Exchange Online in Office 365. To use OAuth with our application we need to register application on Azure Active directory and other steps also we need to do to get the access token back. Below are the steps   To use Microsoft/Office365 OAUTH in your application, you must create an application in  https://portal.azure.com . Sign into the Azure portal using either a work or school account or a personal Microsoft account. If your account gives you access to more than one tenant, select your account in the top right corn
Read more

IISRESET vs App Pool Recycling ?

-
Image
 I think most IIS administrators know IISRESET command, and why they use it. One of possible reasons can be to restart IIS services to initialize web applications, or to apply some changes of applications & IIS settings .There’re just a few conditions those need your IISRESET command. In most situations, you don’t need this. I have a concern if you always run this command for applying any changes, or release system resource – memory – regularly, or frequently. Because it’s much more cost than what you really need to take – there’re side effects Recycling App Pool’ has been introduced from IIS6 in Windows2003. It’s designed to restart only application pools(=worker processes). It can be done in a command prompt(run ‘IISAPP /?’ in a command prompt for details), as well as in the IIS manager What IISRESET does? When you run IISRESET, many things will happen. In order to understand them, I think I need to show you how IIS looks like – about IIS core components. The below shows you role
Read more

Deploy .Net6.0 Web api with docker

-
Image
  What is Docker? Docker is a containerization platform, meaning that it enables you to package your applications into images and run them as “containers” on any platform that can run Docker. It negates the classic: “It works on my computer” argument as Docker images contain everything needed for the app to run. Are Containers the same as Virtual Machines? They are similar, but not the same. In short: Virtual Machines provide OS Level Virtualization Containers provide App Level Virtualization This concept is depicted below: Why Would You Use it? In short you would use Docker, (and hence containers), for the following reasons: Portability.  As containers are self- contained  they can run on any platform that runs Docker, making them easy to stand up and run on a wide variety of platforms. Scalability.  With the use of additional “orchestration” you can spin up multiple container instances to support increased load. Performance.  Containers generally perform better than their VM counterp
Read more