SonarCloud: A Comprehensive Overview of Static Analysis Features

Rahma Adinda Putri
Mar 31, 2024


This article is a part of Individual Review PPL CSUI Even Semester 2023/2024.

Source: https://www.resmo.com/

Static analysis examines source code automatically, without executing the program, to find defects and risky constructs. SonarCloud is SonarSource's cloud-hosted static analysis service for detecting such issues in a codebase. With its broad feature set it has become a standard tool in the Software Quality Assurance landscape. SonarCloud is designed to help developers reach a state of Clean Code: code whose attributes make the software reliable, maintainable, and secure.

Key Features of SonarCloud

1. Pull Request Analysis

Source: https://docs.sonarsource.com/

SonarCloud integrates with version control platforms such as GitHub, GitLab, and Bitbucket to analyze pull requests. It runs the analysis on the pull request branch and reports the issues introduced by the changed code directly in the pull request, as a status check and inline comments, so the quality gate on new code can block a merge and developers can fix problems before the code reaches the main branch.

2. Code Quality Analysis

example of code quality analysis results

SonarCloud performs an exhaustive analysis of the codebase to identify code smells, bugs, and other issues. It evaluates code against a predefined set of coding rules and guidelines, providing actionable insights and recommendations to help developers enhance the overall quality of the code.

example of issues feature result

SonarCloud’s Issues feature allows developers to track and manage code quality issues detected during static analysis. It categorizes issues based on severity, type, and impact, providing developers with a prioritized list of issues to address. The Issues feature facilitates collaboration among developers by enabling them to assign, track, and resolve issues efficiently, ensuring continuous improvement in code quality.

3. Security Vulnerabilities Detection

example of security vulnerability detection result

SonarCloud reports two kinds of security findings. A Vulnerability is a finding the analyzer is confident represents a real weakness (for example, untrusted input reaching a SQL query unsanitized) and should be fixed. A Security Hotspot marks security-sensitive code, such as input handling, authentication, cryptography, or credentials embedded in source, that is not necessarily wrong but needs a human review: the developer opens the hotspot, follows the review guidance, and either marks it as safe or fixes it. Hotspots are therefore about where the code touches a sensitive operation, not about whether an exploitable flaw has been proven. Both kinds of finding come with a description of the risk and remediation guidance, which lets the team prioritize security work early in the development lifecycle rather than at release time.

4. Code Coverage Analysis

example of code coverage analysis result

SonarCloud does not measure coverage itself; it imports the coverage report produced by the project's test runner (LCOV for JavaScript, JaCoCo for Java, and so on) and shows the percentage of lines and conditions exercised by automated tests. It marks the lines and branches that no test touches, and coverage on new code is one of the conditions in the default quality gate, so developers can see where additional tests are needed before a change is merged.

5. Technical Debt Management

example of technical debt management result

Technical debt refers to the accumulated cost of postponed refactoring or unfixed issues in the codebase. SonarCloud estimates a remediation effort (in time) for every maintainability issue it finds and sums these estimates into a technical debt figure, which it also shows as a ratio against the estimated cost of the codebase and as a distribution across files. This lets developers prioritize refactoring efforts and allocate time to reduce the debt gradually.

6. Code Duplication Detection

example of code duplication detection result

Code duplication can lead to maintenance challenges and reduce code maintainability. SonarCloud identifies duplicate code blocks across the codebase and provides recommendations to refactor or eliminate redundancy. This helps in improving code quality and reducing the overall complexity of the codebase.

Advantages of Using SonarCloud

Here are some benefits of using SonarCloud for our project:

  • Support for Many Programming Languages: SonarCloud analyzes more than 30 languages, including JavaScript, TypeScript, Python, Java, C#, and Go, so it fits most development environments.
  • Automatic Analysis: SonarCloud automates the code analysis process, saving time and effort for developers.
  • Native Integration with DevOps Platforms: SonarCloud integrates seamlessly with popular DevOps platforms, facilitating continuous integration and delivery pipelines.
  • Shared, Unified Configurations: SonarCloud allows developers to align with a consistent definition of code health and collaborate efficiently in making code clean and meeting code quality expectations.
  • Actionable, Highly Precise Results: SonarCloud provides detailed and precise insights, enabling developers to take immediate and informed actions to improve code quality.

Setting up Project to SonarCloud

Here, I will demonstrate how our Senarai project is set up to SonarCloud.

1. Open the SonarCloud Website and Log In

SonarCloud login page

Log in to your desired account. It’s preferable to use the account where the repository you want to configure resides. In this case, since the Senarai repository is hosted on GitLab CSUI, I’m logging in using GitHub.

2. Create a New Organization and Project

Upon logging in, you will be directed to the SonarCloud dashboard. As this is a team project, I chose to create a new organization first.

SonarCloud dashboard

Fill in the organization details and choose an appropriate plan.

create new organization form in SonarCloud

After creating the organization, you will be directed to the organization dashboard. Add a new project there and provide the necessary project details.

organization dashboard in SonarCloud
create new project form in SonarCloud

3. Configure the Repository

After the project is created, the project details will be displayed, but the project will still be empty. You need to configure the repository.

project dashboard in SonarCloud

In the GitLab repository, add the CI/CD variables that the job below references: SONAR_TOKEN, an analysis token generated in SonarCloud under My Account > Security, and SONAR_HOST_URL if you prefer not to hard-code it in the job. Mark SONAR_TOKEN as Masked so GitLab redacts it from job logs, and as Protected if the analysis job only runs on protected branches; a leaked token lets anyone push analyses to, or read, your SonarCloud projects.

CI/CD Variables in Senarai Frontend Repository

Add a new job to .gitlab-ci.yml (indentation matters in YAML; the -D lines are indented deeper than the dash so that YAML folds them into the single sonar-scanner command):

sonarcloud_check:
  image: sonarsource/sonar-scanner-cli   # official SonarSource image with the SonarScanner CLI
  stage: sonarcloud                      # this stage must also be listed under the top-level stages: key
  variables:
    SONAR_TOKEN: ${SONAR_TOKEN}          # project-level CI/CD variable (masked in GitLab)
    SONAR_HOST_URL: "https://sonarcloud.io"
  script:
    - sonar-scanner
      -Dsonar.projectKey=senarai_fe
      -Dsonar.organization=senarai
      -Dsonar.sources=.
      -Dsonar.host.url=${SONAR_HOST_URL}
      -Dsonar.login=${SONAR_TOKEN}
      -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info   # produced by the test job, passed on as an artifact
      -Dsonar.exclusions=src/__tests__/**
  except:
    - tags

Note that the projectKey and organization values should be based on the setup used previously.

Here are the explanations for the code above:

sonarcloud_check is the job name. image specifies the Docker image the job runs in: sonarsource/sonar-scanner-cli, the official image provided by SonarSource that ships the SonarScanner CLI. stage assigns the job to the sonarcloud stage, which must also be declared under the pipeline's top-level stages: key and should come after the stage that runs the tests, so that coverage/lcov.info already exists and is handed over as an artifact. The variables block sets SONAR_HOST_URL; re-exporting SONAR_TOKEN there is redundant, because a project-level CI/CD variable is already available to every job.

Here are the explanation of the script:

  • sonar-scanner: Executes the SonarScanner CLI tool to perform the analysis.
  • -Dsonar.projectKey=senarai_fe: Specifies the project key for identifying the project in SonarCloud.
  • -Dsonar.organization=senarai: Specifies the organization key in SonarCloud.
  • -Dsonar.sources=.: Indicates the source directory to analyze (the current directory .).
  • -Dsonar.host.url=${SONAR_HOST_URL}: Specifies the SonarCloud URL.
  • -Dsonar.login=${SONAR_TOKEN}: Passes the SonarCloud authentication token. SonarScanner CLI 5.0 and later deprecate sonar.login in favor of sonar.token, and the scanner also reads the SONAR_TOKEN environment variable directly, so the token does not have to appear on the command line at all (where a verbose log could echo it).
  • -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info: Specifies the path to the coverage report in LCOV format. LCOV is the tracefile format of the lcov tool (originally a front end for gcov); JavaScript coverage tools such as Istanbul and Jest write it as coverage/lcov.info. The file records, per source file, which lines, functions, and branches were executed by the tests, and SonarCloud imports it to compute its coverage metrics.
  • -Dsonar.exclusions=src/__tests__/**: Specifies patterns to exclude from the analysis, in this case, the test files located in src/__tests__.

The except keyword with - tags means the job runs in every pipeline except those triggered by a Git tag, so it still runs for branch pushes and merge request pipelines. (Newer GitLab configurations express the same thing with rules:, but except: still works.)
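Putting the steps above together, here is an added example of a complete .gitlab-ci.yml written for this article; it is not the Senarai project's own pipeline. It assumes a Node.js project tested with Jest (so `npm test -- --coverage` writes coverage/lcov.info, since Jest's default reporters include lcov), the project key senarai_fe and organization senarai from the page, a SONAR_TOKEN CI/CD variable marked Masked, and the fact that the sonar-scanner-cli image reads SONAR_TOKEN and SONAR_HOST_URL from the environment, so the token never appears on the command line. Unlike the job above, it declares the stages, produces the coverage report in a test job and passes it on as an artifact, fetches full git history so SonarCloud can attribute issues and compute new code, and fails the job when the quality gate fails.

```yaml
# Added example for this article, not the Senarai project's pipeline.
# Assumes a Jest-based Node.js project and a masked SONAR_TOKEN CI/CD variable.
stages:
  - test
  - sonarcloud

unit_test:
  image: node:20
  stage: test
  variables:
    CI: "true"                      # keeps Jest out of interactive watch mode
  script:
    - npm ci
    - npm test -- --coverage        # Jest's default reporters include lcov
  artifacts:
    # Hand the report to the next stage; the scanner runs in a fresh container,
    # so without this sonar.javascript.lcov.reportPaths would find nothing.
    paths:
      - coverage/lcov.info
    expire_in: 1 day

sonarcloud_check:
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]                # run our script instead of the image entrypoint
  stage: sonarcloud
  needs: [unit_test]                # also downloads unit_test's artifacts
  variables:
    SONAR_HOST_URL: "https://sonarcloud.io"
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"   # makes the scanner cache cacheable by GitLab
    # Full clone: SonarCloud uses git history to attribute issues to authors
    # and to decide which lines count as "new code" for the quality gate.
    GIT_DEPTH: "0"
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    # SONAR_TOKEN and SONAR_HOST_URL are read from the environment by the scanner,
    # so the masked token is never placed on the command line.
    - sonar-scanner
      -Dsonar.projectKey=senarai_fe
      -Dsonar.organization=senarai
      -Dsonar.sources=src
      -Dsonar.tests=src/__tests__
      -Dsonar.exclusions=src/__tests__/**
      -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
      -Dsonar.qualitygate.wait=true   # job fails (and blocks the merge) if the quality gate fails
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

sonar.exclusions removes the test files from the main sources, and sonar.tests indexes them as tests instead, so each file is indexed once; the scanner rejects a file that appears in both sets. With sonar.qualitygate.wait=true the scanner polls SonarCloud after uploading the analysis and exits non-zero on a failed gate, which is what turns the SonarCloud result into a blocking check in the merge request pipeline.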

The setup is now complete! SonarCloud analysis will run on every pipeline triggered by a push (or merge request) to the repository. To confirm it worked, check the job log for the scanner's final lines ("EXECUTION SUCCESS" and "ANALYSIS SUCCESSFUL, you can browse ..." followed by the dashboard URL) and then open the project in SonarCloud. You can see an example of the analysis results below.

project dashboard in SonarCloud
