Introduction

Sonarqube (and its cloud-based version, Sonarcloud) is an extremely useful platform that performs static code analysis to evaluate the quality of an entire codebase. It can help to discover bugs, vulnerabilities and bad practices in general. It also allows us to compute code coverage by relying on some well-known plugins. Technically, Sonarqube is a server that can store the results of code analysis

At Ensolvers, we use Sonarcloud in all our projects to ensure the best quality possible in our codebases. In this artcile we describe how we can start using it in an existing Java project.

Configuring Static Code Analysis

The first step is to add some required plugins to the Maven pom.xml file - in the <plugins> section

Here we add the "scanner" component of Sonarqube, which is basically a Maven plugin that allows to run the static code analysis via a Maven goal. After this, we can simply run an analysis by running the Maven sonar:sonar goal with the following parameters

The variables described in this invocation must be configured previously in Sonarqube. They describe where (host) the Sonarqube server can be found, the name of the organization and project (to identify it uniquely and upload the results under it) and an auth token. Depending on whether we decide to use an on-premises or SaaS (Sonarcloud) installation the way of obtaining them might vary.

Independently of that, in our case, we also made a full-fledged script to run the code analysis periodically and notify the entire team of the current "quality gate" (general quality measure configured in Sonarqube) of the project. This way, if some critical bug or vulnerability appears, the quality gate score is reduced and the entire team is aware of that

Adding test coverage analysis

Sonarqube also allows publishing testing coverage metrics by making use of JaCoCo - which is an open-source code coverage analysis library.

First of all, we need to ensure that we have the proper plugins on our POM:

The Surefire plugin is needed to run the tests just before the Maven Sonarqube plugin is executed to generate test reports that will be included in the report. For more information about the Surefire plugin, you can visit the Maven Surefire Plugin page.

The second step for integrating code coverage into our setup is to add JaCoCo as a plugin into the POM

Some notes on this:

• The maven goal “prepare-agent” allows coverage info to be collected during unit tests execution.
• The maven goal “report-aggregate”  is necessary for Jacoco to work with multi module maven projects.

Now we can run the code coverage analysis by running the next two commands: 

With the first command we generate the data that Sonarqube needs to run the analysis. The second command just run the code analysis, as we have already seen.

Note: Before running the commands make sure you have set the JACOCO_VERSION variable whose value is the version of JaCoCo you installed. And of course the other variables too.

Running Sonarqube Locally

If you want to experiment with Sonarqube and your repository is a private one (which is a limitation for using Sonarcloud in their free version), you can run a Sonarqube server locally on your own. First of all, no changes need to be done on the client side: all scripts, plugins, etc. remain the same. The dependencies are the same we use for sonarcloud. Same dependencies for pom.xml. 

With Docker, running a local Sonarqube server is as simple as running

Then we just need to:

1. Login to Sonarqube in localhost:9000 (default credentials are admin both for the username and password).
2. Create a project manually 
3. Generate a new token: Go to User > My Account > Security.
4. Make sure you have the next environment variables setted in your terminal:

1. SONAR_TOKEN = <generated-token>
2. SONAR_HOST=http://localhost:9000
3. SONAR_PROJECT_KEY= <project-key>
4. SONAR_ORGANIZATION= <project-key>

‍