SonarQube Guide: Improve Code Quality and Code Security

Johanes Marihot Perkasa Simarmata
5 min read · Apr 11, 2022


“Programs should be written and polished until they acquire publication quality.” — Niklaus Wirth (Swiss Computer Scientist)

Source: https://4.bp.blogspot.com/-NSt8-fdedCA/XNhZFIO-6bI/AAAAAAAAPH0/UtHoWYNyXYg-kzVBu6E4O-BMYP-7GlQNACLcBGAs/s1600/SonarQubeIcon.png

In developing a software project, we need static analysis to give an objective picture of software quality. The analysis applies quantitative benchmarks based on the standards of the programming language and current best practices in the software development industry.

What is SonarQube?

SonarQube is an automated code review platform that performs static analysis of software projects. It can be integrated into the workflows of multiple projects for continuous code inspection. SonarQube supports 29 programming languages, such as Java, Python, and Ruby, and also integrates with CI/CD pipelines in DevOps. In addition, it detects bugs, vulnerabilities, and code smells in the codebase. With these capabilities, the tool helps ensure the reliability, security, and maintainability of the applications and codebases it analyses.

What are SonarQube features?

  • SonarQube shows us where we went wrong, with a clear description of each issue. It also offers quality and management tools that actively assist in fixing problems.
  • The checks cover bugs, code that does not follow best practice, duplication, and complexity. Each issue is reported with statistics and the exact location of the problem, so we do not have to hunt for it. We also get information about the test coverage of our project.
  • It provides a snapshot of current code quality together with trending code-quality indicators.

How does SonarQube look?

Display of an application in SonarQube

How to use SonarQube locally using Docker in Windows?

  • First, pull the SonarQube server image and the scanner image:
docker pull sonarqube:latest
docker pull sonarsource/sonar-scanner-cli:latest
  • After you have pulled both, run the SonarQube server with the Docker command below; it listens on your localhost on port 9000. The SONAR_ES_BOOTSTRAP_CHECKS_DISABLE variable skips the Elasticsearch bootstrap checks (such as the vm.max_map_count requirement), which is acceptable for a local trial but not for a production server.
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
  • Then open the URL http://localhost:9000
  • A login page will appear that asks for a username and password. The first time you use this SonarQube instance, the default credentials are:
username: admin
password: admin

After you are authenticated, you are asked to change this default password; do that before anyone else can reach the instance. Your SonarQube is then ready to use.

How to put our project in SonarQube Locally?

In this case, I will show you the steps for putting my own project into SonarQube manually.

  • First, go to the Projects tab, click ‘Create Project’, and choose the manual option.
Create Project manually
  • Then fill in the project name and key.
Project name and key
  • Next, we are asked how we want to analyze the repository. I choose locally.
Analyze locally
  • After that, you are asked to generate a new token or use an existing one that you made before. I choose to generate a new one. The token is shown once, right after it is generated, so store it somewhere safe (a password manager or an environment variable): it authenticates to SonarQube just like a password.
Generate new token
  • In this case, I want to analyze my front-end project, which uses the React framework (JavaScript), so I choose ‘Other’ and Windows as my OS. After that, you get the command to execute for your SonarQube project.
Option Analysis for Our Project
  • Then copy the script and paste it into your terminal.
Run the script in terminal
  • Then open the localhost URL and open the project that you imported earlier.
SonarQube for my new project
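The command SonarQube generates for the ‘Other / Windows’ option calls sonar-scanner.bat with the token on the command line. Since we already pulled the sonarsource/sonar-scanner-cli image, the same scan can be run from Docker without installing the scanner. The script below is an added example, not code from the original post or from SonarSource: it assumes the project key my-react-app, the sources under src, and the token you generated in the UI exported as SONAR_TOKEN. The token is forwarded to the container with `-e SONAR_TOKEN` (value taken from the environment), so it never appears on the docker command line or in a file in the repository; SONAR_HOST_URL and SONAR_TOKEN are the variable names the scanner image reads.

```shell
#!/bin/sh
# Added example, not from the original post: run sonar-scanner-cli from Docker
# against the SonarQube server started above. Assumed names: project key
# "my-react-app", sources in "src", token exported as SONAR_TOKEN.
set -eu

# Resolve the server URL the scanner container should use. Inside a container,
# "localhost" is the container itself, so on Docker Desktop (Windows/macOS) the
# server published on the host's port 9000 is reached via host.docker.internal.
sonar_host_url() {
  if [ -n "${SONAR_HOST_URL:-}" ]; then
    printf '%s\n' "$SONAR_HOST_URL"
  else
    printf '%s\n' "http://host.docker.internal:9000"
  fi
}

# Refuse to scan without a token or with a malformed host URL: otherwise the
# scanner fails late, after a full analysis, or talks to the wrong server.
check_scan_env() {
  if [ -z "${SONAR_TOKEN:-}" ]; then
    echo "SONAR_TOKEN is not set; generate one under My Account > Security" >&2
    return 1
  fi
  case "$(sonar_host_url)" in
    http://*|https://*) return 0 ;;
    *) echo "SONAR_HOST_URL must start with http:// or https://" >&2; return 1 ;;
  esac
}

# Run the scan with the project directory mounted as /usr/src, the scanner
# image's working directory (it writes .scannerwork there, so no :ro). The
# token is passed as an environment variable, not as a -D argument, so it is
# not visible in the process list or in shell history.
run_local_scan() {
  project_key="$1"
  sources="${2:-src}"
  check_scan_env
  SONAR_HOST_URL="$(sonar_host_url)" \
  docker run --rm \
    -v "$PWD:/usr/src" \
    -e SONAR_HOST_URL -e SONAR_TOKEN \
    sonarsource/sonar-scanner-cli:latest \
    -Dsonar.projectKey="$project_key" -Dsonar.sources="$sources"
}

# Usage: SONAR_TOKEN=... sh scan.sh run my-react-app
if [ "${1:-}" = "run" ]; then
  run_local_scan "${2:?project key required}"
fi
```

Run it from the project root with SONAR_TOKEN exported. From Git Bash on Windows, set MSYS_NO_PATHCONV=1 first so the /usr/src mount path is not rewritten into a Windows path; from WSL no change is needed.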

How to put our project in SonarQube with Gitlab CI/CD?

  • First, I assume you already know your SonarQube host URL and have registered a new project, so you know its key and token. We need to store the key and token as GitLab CI/CD variables (Settings > CI/CD > Variables). Mark the token variable as Masked so it is hidden in job logs, and as Protected if only protected branches should be able to use it. Here is the example:
Gitlab CI CD Variable
  • Then we need to set up our .gitlab-ci.yml to have a sonar stage. Here is the example:
Sonar Stage in .gitlab-ci.yml

This script does more or less the same thing as the local import. The difference is that we define our target branch, staging, because the job runs in GitLab for that branch.
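As an added example (not the file from the original post), here is a minimal sonar stage for .gitlab-ci.yml that runs the scanner from the sonarsource/sonar-scanner-cli image. It assumes two CI/CD variables, SONAR_HOST_URL and SONAR_TOKEN, defined in the project settings as described above, and the project key my-react-app; the variable names are the ones the scanner reads, the key and branch name are assumptions.

```yaml
# .gitlab-ci.yml (added example; project key and branch are assumed)
stages:
  - sonar

sonar:
  stage: sonar
  image:
    name: sonarsource/sonar-scanner-cli:latest
    # Override the image entrypoint so GitLab can run the script section
    entrypoint: [""]
  variables:
    # Cache the scanner's downloaded plugins between jobs
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    # Full clone: on a shallow clone SonarQube cannot attribute new code and blame correctly
    GIT_DEPTH: "0"
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    # SONAR_HOST_URL and SONAR_TOKEN come from the masked CI/CD variables, so the
    # token is neither in this file nor printed in the job log.
    # sonar.qualitygate.wait makes the job fail when the Quality Gate fails.
    - sonar-scanner -Dsonar.projectKey=my-react-app -Dsonar.sources=src -Dsonar.qualitygate.wait=true
  only:
    - staging
```

Because the token is a CI/CD variable rather than a value in the YAML, rotating it in SonarQube (My Account > Security > Revoke) and updating the variable is enough; no commit is needed.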

Customizing a sonar project properties

We can do this by creating a file named sonar-project.properties, as in the example below:

Sonar Project Properties

We can do this both locally and in GitLab CI/CD. What do we set in this file? In the example above, we set the host URL, login token, and project key, as in the previous .gitlab-ci.yml. Be careful with the token, though: sonar-project.properties is committed to the repository, so anyone with read access to the repo would obtain a credential that can push analysis results to your SonarQube server. Keep only non-secret settings in the file and pass the token from a CI/CD variable or your local environment instead. Of course, we do not want SonarQube to analyse every file in the project, so I told SonarQube to work on the source directory and to exclude the files that I defined. To make SonarQube report our coverage, I defined the test location, with the file pattern I use for tests, and the path of the coverage report that is generated, so that SonarQube can read our coverage after the tests run.
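Here is an added example of such a file for a React project, not the one from the original post. It assumes a create-react-app layout (sources and Jest tests under src, coverage written to coverage/lcov.info by `npm test -- --coverage --watchAll=false`) and the project key my-react-app. The host URL and token are deliberately absent: they come from SONAR_HOST_URL and SONAR_TOKEN in the environment or CI/CD variables, so nothing secret is committed.

```properties
# sonar-project.properties (added example; project key and layout are assumed)
# Host URL and token are NOT set here on purpose: they are read from the
# SONAR_HOST_URL and SONAR_TOKEN environment variables at scan time.
sonar.projectKey=my-react-app
sonar.sources=src
sonar.sourceEncoding=UTF-8

# Do not treat tests as production code, and skip dependencies, build output
# and generated files. Comments must be on their own line: in a Java
# properties file a trailing "# ..." would become part of the value.
sonar.exclusions=**/node_modules/**,build/**,public/**,**/*.test.js,**/*.test.jsx,src/setupTests.js,src/reportWebVitals.js

# Where the tests live and how they are recognised
sonar.tests=src
sonar.test.inclusions=**/*.test.js,**/*.test.jsx

# Coverage report produced by Jest (lcov format) that SonarQube imports
sonar.javascript.lcov.reportPaths=coverage/lcov.info
```

Run the tests before the scanner in the same job (for example `npm test -- --coverage --watchAll=false` followed by `sonar-scanner`), otherwise the lcov file does not exist yet and SonarQube reports zero coverage.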

That is a brief explanation and guide about SonarQube based on my experience. The sources I use will be listed below. Hopefully this article is useful for all of us. Thank you for reading!

Resources
