Static code analysis - SonarQube open source tool

Introduction

SonarQube is an open source product, produced by SonarSource SA, which consists of a set of static analyzers (for many languages), a data mart, and a web portal that lets you manage your technical debt. SonarSource and the community provide additional analyzers (free or commercial) that can be added to a SonarQube installation as plug-ins. SonarSource and Microsoft have worked together to integrate SonarQube with MSBuild.

SonarQube performs continuous inspection of code quality: it runs static analysis automatically on every build to detect bugs, code smells, and security vulnerabilities in 20+ programming languages. It reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security vulnerabilities, records the history of these metrics, and draws evolution graphs from it.

SonarQube supports the following programming languages:

Java, C#, PHP, JavaScript, TypeScript, C/C++, Ruby, Kotlin, Go, COBOL, PL/SQL, PL/I, ABAP, VB.NET, VB6, Python, RPG, Flex, Objective-C, Swift, CSS, HTML, and XML. 

Some of these are only available under a commercial license. I have verified that VB.NET, C#, JavaScript, CSS and HTML files are analysed with the open-source edition.

Prerequisite

The only prerequisite for running SonarQube is to have Java 11 (Oracle JRE 11 or OpenJDK 11) installed on your machine. The zip ships with an embedded H2 database, which is fine for trying it out on a developer machine but is intended for evaluation only; a shared server should be pointed at an external database such as PostgreSQL.

Installation steps on developer machines

  • Download the SonarQube Community Edition from https://www.sonarqube.org/downloads/
  • Unzip it, say into C:\sonarqube
  • Start the SonarQube server from a command prompt. On Windows, execute:
        C:\sonarqube\bin\windows-x86-xx\StartSonar.bat
    On other operating systems, as a non-root user, execute:
        /sonarqube/bin/[OS]/sonar.sh console

Once the .bat file has run on a Windows machine, the SonarQube web server listens on port 9000 by default, so the dashboard is at http://localhost:9000.

Note: if you want to change the port, set sonar.web.port in conf\sonar.properties inside the SonarQube folder (C:\sonarqube\conf\sonar.properties).

  • Log in to http://localhost:9000 with the System Administrator credentials (login=admin, password=admin). Change this password right away: a server reachable on the network with the default admin account lets anyone read every finding and create tokens.
  • Click the Create new project button to analyze your first project.

After StartSonar.bat has run, SonarQube should be up and running!

Project analysis from the dashboard

The first thing we need to do is create a new project.


Next we generate a token. The scanner uses the token to authenticate to the server in place of a username and password, so treat it as a secret: keep it out of source control and pass it in from an environment variable or your CI credential store. The same page links to the SonarScanner download for the target build system:
Now add the scanner folder and the MSBuild folder to the PATH environment variable:


The only thing left to do is to run the given commands, one after another, from the root folder of your project:


That's it! Wait a few minutes and the results are displayed in the web portal at http://localhost:9000. Just don't be surprised if you get something like this :)


Project analysis from the project root folder

We can also run the analysis from the project folder using the steps below
  1. Open a command prompt
  2. Go to the root folder of the project
  3. Execute the following commands in order (the scanner options use forward slashes; the token goes in sonar.login so that the scanner can authenticate, and sonar.host.url is only needed if the server is not on http://localhost:9000)

MSBuild.SonarQube.Runner.exe begin /k:<projectkey> /n:<projectname> /v:<version> /d:sonar.login=<token>

MSBuild.exe /t:Rebuild

MSBuild.SonarQube.Runner.exe end

In newer scanner releases the executable is called SonarScanner.MSBuild.exe; the begin/build/end sequence is the same. The begin step hooks the build, the rebuild lets the analyzers see every compiled file, and the end step uploads the report to the server, which processes it in a background task. After the end step finishes you will see the output below.
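The end step only uploads the report; the server then evaluates the quality gate asynchronously, and a plain command prompt (or a Jenkins job, as in the next section) gets no pass/fail result from it. The script below is an added example, not code from the original post or from SonarSource, that closes that gap. It assumes the scanner wrote its report pointer to .sonarqube/out/.sonar/report-task.txt, that the user token from the dashboard is in the SONAR_TOKEN environment variable rather than on the command line, and that the server exposes the api/ce/task and api/qualitygates/project_status web services. The sample report file and JSON replies embedded in it are constructed for offline testing.

```python
"""Quality-gate check to run after 'MSBuild.SonarQube.Runner.exe end'.

Added example, not code from the original post or from SonarSource. Assumes
(not stated on the page) report-task.txt under .sonarqube/out/.sonar, the
SonarQube user token in SONAR_TOKEN, and the api/ce/task and
api/qualitygates/project_status endpoints. Samples below are constructed.
"""
import base64
import json
import os
import sys
import time
import urllib.request

REPORT_TASK_PATH = ".sonarqube/out/.sonar/report-task.txt"  # assumed scanner output path

# Constructed sample of what the scanner writes to report-task.txt.
SAMPLE_REPORT_TASK = """projectKey=demo-app
serverUrl=http://localhost:9000
ceTaskId=AXconstructedTaskId
"""
# Constructed replies in the shape of the two web-service calls used below.
SAMPLE_TASK_SUCCESS = {"task": {"id": "AXconstructedTaskId", "status": "SUCCESS",
                                "analysisId": "AXconstructedAnalysisId"}}
SAMPLE_GATE_ERROR = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "91.2"},
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
     "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"}]}}


def parse_report_task(text):
    """Parse the key=value lines of report-task.txt into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    for required in ("serverUrl", "ceTaskId"):
        if required not in props:
            raise ValueError("report-task.txt is missing " + required)
    return props


def auth_header(token):
    """A SonarQube token is sent as the basic-auth user name with an empty password."""
    return "Basic " + base64.b64encode((token + ":").encode("ascii")).decode("ascii")


def api_get(server_url, path, token):
    req = urllib.request.Request(server_url.rstrip("/") + path)
    req.add_header("Authorization", auth_header(token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def task_outcome(task_json):
    """Map an api/ce/task reply to (finished, analysis_id, status)."""
    task = task_json["task"]
    status = task.get("status", "")
    if status in ("PENDING", "IN_PROGRESS"):
        return False, None, status
    return True, task.get("analysisId"), status


def evaluate_quality_gate(gate_json):
    """Map an api/qualitygates/project_status reply to (passed, failed condition texts)."""
    status = gate_json["projectStatus"]
    failed = ["%s %s %s (actual %s)" % (c["metricKey"], c.get("comparator", "?"),
                                         c.get("errorThreshold", "?"), c.get("actualValue", "?"))
              for c in status.get("conditions", []) if c.get("status") == "ERROR"]
    return status.get("status") == "OK", failed


def wait_for_quality_gate(server_url, task_id, token, timeout_s=600, poll_s=5):
    """Poll the background task, then fetch and evaluate the gate for its analysis."""
    deadline = time.time() + timeout_s
    while time.time() < deadline:
        finished, analysis_id, status = task_outcome(
            api_get(server_url, "/api/ce/task?id=" + task_id, token))
        if finished:
            if status != "SUCCESS" or not analysis_id:
                raise RuntimeError("background task ended with status " + status)
            gate = api_get(server_url,
                           "/api/qualitygates/project_status?analysisId=" + analysis_id, token)
            return evaluate_quality_gate(gate)
        time.sleep(poll_s)
    raise TimeoutError("analysis did not finish within %d s" % timeout_s)


def main():
    token = os.environ.get("SONAR_TOKEN")
    if not token:
        sys.exit("set SONAR_TOKEN to a SonarQube user token; do not hard-code or commit it")
    with open(REPORT_TASK_PATH, encoding="utf-8") as fh:
        props = parse_report_task(fh.read())
    passed, failures = wait_for_quality_gate(props["serverUrl"], props["ceTaskId"], token)
    print("quality gate", "passed" if passed else "FAILED", "for", props.get("projectKey", "?"))
    for item in failures:
        print("  -", item)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it right after the end step, in the same folder, with SONAR_TOKEN set; a non-zero exit code fails the build when the gate is red, which is what you want before a merge. Reading the token from the environment rather than from the begin command line also keeps it out of process listings and build logs.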


Integrating with Jenkins

  • Open the local Jenkins URL, i.e. http://localhost:8080/

  • Install the SonarQube Scanner plugin
              Go to Manage Jenkins -> Manage Plugins
  • Select the Available tab and search for Sonar as shown below

  • After installing, go to Manage Jenkins -> Global Tool Configuration
                 This step is mandatory if you want to trigger any of your analyses with the SonarScanner for MSBuild. You can define as many scanner instances as you wish; for each Jenkins job you can then choose which launcher runs the SonarQube analysis.
  • Click Add SonarScanner for MSBuild
  • Add an installation of the latest available version. Check Install automatically to have the SonarScanner for MSBuild provisioned on your Jenkins executors
  • Under Manage Jenkins -> Configure System -> SonarQube servers, add the server URL and the token you generated, stored as a Secret text credential. Jenkins then injects the token into the build, so it never has to appear in a job definition or in the repository.

Job configuration

  • Configure the project and go to the Build section.
  • Add the SonarScanner build step to your build.
  • Configure the SonarQube analysis properties. You can either point to an existing sonar-project.properties file or set the analysis properties directly in the Analysis properties field. Keep the token out of that file; it should come from the server configuration above.

For more details about how to set up a Jenkins pipeline that runs the SonarScanner on a Git repository, please refer to the URL below


Once the configuration is done, click Build Now as shown below



Once the build starts, the console output shows the SonarScanner being invoked and analysing the code, as shown below




