Static Code Analysis Tool: Sonarqube

Tolga ÇINAR
Published in lTunes Tribe
5 min read · May 9, 2019

Hello everyone,

In this post we will set up SonarQube on a Windows computer and use it to scan a .NET project.

Contents:

  • What is SonarQube?
  • SonarQube installation.
  • Create a new project in SonarQube.
  • Create a new .NET project and scan it with SonarQube.
  • Evaluate the SonarQube results.

SonarQube is

  • a static code analysis tool;
  • open source;
  • able to analyze 20+ languages.

Let's start with the installation. First, download SonarQube from this link.

Screenshot 1: Download Page

After the download finishes, extract the zip file. The start scripts are in the bin folder.

Screenshot 2: Setup Files

There is no installer: run StartSonar.bat and the server initializes itself on first start. Note that it runs on an embedded database by default, which is fine for trying it out on a workstation but is not meant for production use.

Screenshot 3: StartSonar.bat location

When startup finishes, the console shows the following screen. The application is ready now.

Screenshot 4: Sonarqube installation finish

SonarQube's default address is http://localhost:9000, and the start page looks as follows. We can log in now by clicking the Log in button on the right side of the header.

Screenshot 5: Sonarqube start page and log in button.

The default username and password are both admin. Change this password right after the first login: anyone who can reach port 9000 on your machine can otherwise administer the server with the default credentials. After that, we can create a project in SonarQube by clicking Create new project.

Screenshot 6: Create new project

Now we need to enter a project key and a display name. My values are as follows.

Screenshot 7: Project key and display name

The project is ready; in this step we generate a token. I used the default values. This token is what the scanner uses to authenticate to the server, so treat it like a password and do not commit it to source control. The screenshot is as follows.

Screenshot 8: Project token

My token:

Screenshot 9: Token example

Now we choose the main language of the project and download the scanner package. SonarQube uses these files to run the scan.

Screenshot 10: Main language select and download scan files

I selected .NET as the main language and downloaded the matching scanner package (SonarScanner for MSBuild). After downloading it, add the package folder to the PATH environment variable, as follows.

Screenshot 11: Environment variables list update

Now SonarQube is ready to scan. First, open the project folder in a command prompt. Copy the first command from the dashboard page and run it in the command prompt. The screenshot is as follows.

Screenshot 12: First command for scan

When that step is done, open a Developer Command Prompt (so that MSBuild is on the PATH) and run the second command there. The result is as follows.

Screenshot 13: Second command for scan.

For the last step, go back to the command prompt and run the third command copied from the dashboard page. When the scan finishes, the project page in SonarQube updates. My results are as follows.

Screenshot 14: Results page
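The three dashboard commands above, collected into one script so the scan can be repeated without copying them from the web page. This is an added example, not code from the original post or from SonarSource. It assumes the SonarScanner for MSBuild folder and MSBuild.exe are both on the PATH (a Developer PowerShell prompt gives you the latter), that the current directory is the project folder, and that the token from the "Provide a token" step is in the SONAR_TOKEN environment variable; the project key and server URL are placeholders.

```powershell
# Added example (not from the original post): the begin / build / end
# sequence shown on the SonarQube dashboard for a .NET project.
$ProjectKey = "my-dotnet-project"      # placeholder: the key entered in the "Project key" step
$SonarHost  = "http://localhost:9000"   # SonarQube default address

# Read the token from the environment instead of hard-coding it, so the
# script can be committed without leaking the secret.
$Token = $env:SONAR_TOKEN
if ([string]::IsNullOrEmpty($Token)) {
    throw "Set SONAR_TOKEN to the token generated in the 'Provide a token' step."
}

# 1. begin: tell the scanner which project and server to report to.
SonarScanner.MSBuild.exe begin /k:"$ProjectKey" /d:sonar.host.url="$SonarHost" /d:sonar.login="$Token"
if ($LASTEXITCODE -ne 0) { throw "SonarScanner begin failed ($LASTEXITCODE)" }

# 2. build: the scanner hooks into MSBuild, so the project must be rebuilt
#    between begin and end for anything to be analyzed.
MSBuild.exe /t:Rebuild
if ($LASTEXITCODE -ne 0) { throw "MSBuild failed ($LASTEXITCODE)" }

# 3. end: collect the analysis results and upload them to the server.
SonarScanner.MSBuild.exe end /d:sonar.login="$Token"
if ($LASTEXITCODE -ne 0) { throw "SonarScanner end failed ($LASTEXITCODE)" }

Write-Host "Scan uploaded; open $SonarHost/dashboard?id=$ProjectKey to see the results."
```

Each step checks $LASTEXITCODE so a failed build does not silently produce an "end" upload with no results. Because the token still appears on the process command line, keep the script on a developer machine or a CI agent you trust rather than a shared host.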

This page shows six sections.

Quality Gate: a set of conditions we assign to the project. If the project does not satisfy them, it is not ready for production. I used the default quality gate; you can customize it or create a new one. My quality gate is as follows.

Screenshot 15: Quality gate metrics
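To make the gate actually block a release rather than just color a dashboard, a pipeline has to read the verdict and stop on failure. The following PowerShell check does that through SonarQube's web API (GET /api/qualitygates/project_status?projectKey=...). It is an added example, not from the original post or from SonarSource: the function is exercised on a constructed sample response so it runs without a server, and the live call at the bottom assumes the placeholder project key and the SONAR_TOKEN environment variable from the earlier steps.

```powershell
# Added example (not from the original post): evaluate a quality gate result
# and report which conditions failed.

function Test-QualityGate {
    # $ProjectStatus is the "projectStatus" object returned by
    # GET /api/qualitygates/project_status?projectKey=<key>
    param([Parameter(Mandatory)] $ProjectStatus)

    foreach ($c in $ProjectStatus.conditions) {
        if ($c.status -ne 'OK') {
            # e.g. "FAILED new_coverage: 62.5 LT 80"
            Write-Host ("FAILED {0}: {1} {2} {3}" -f $c.metricKey, $c.actualValue, $c.comparator, $c.errorThreshold)
        }
    }
    # The overall status is the gate verdict; a single ERROR condition makes it ERROR.
    return ($ProjectStatus.status -eq 'OK')
}

# Constructed sample response (values invented for illustration), shaped like
# the API's JSON. Coverage on new code is below the default 80% threshold, so
# the gate fails even though the other two conditions pass.
$sampleJson = @'
{
  "projectStatus": {
    "status": "ERROR",
    "conditions": [
      { "status": "ERROR", "metricKey": "new_coverage", "comparator": "LT", "errorThreshold": "80", "actualValue": "62.5" },
      { "status": "OK", "metricKey": "new_duplicated_lines_density", "comparator": "GT", "errorThreshold": "3", "actualValue": "0.0" },
      { "status": "OK", "metricKey": "new_reliability_rating", "comparator": "GT", "errorThreshold": "1", "actualValue": "1" }
    ]
  }
}
'@
$sample = $sampleJson | ConvertFrom-Json
$passed = Test-QualityGate $sample.projectStatus   # prints the failed coverage condition, $passed is $false

# Live check against the server from the post. The token is sent as the Basic
# auth username with an empty password, which is how SonarQube accepts tokens.
$SonarHost  = "http://localhost:9000"
$ProjectKey = "my-dotnet-project"          # placeholder: use your own project key
if ($env:SONAR_TOKEN) {
    $auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($env:SONAR_TOKEN):"))
    $resp = Invoke-RestMethod -Uri "$SonarHost/api/qualitygates/project_status?projectKey=$ProjectKey" -Headers @{ Authorization = "Basic $auth" }
    if (-not (Test-QualityGate $resp.projectStatus)) {
        Write-Error "Quality gate failed; the project is not ready for production."
        exit 1
    }
}
```

In a CI job the non-zero exit is what stops the deployment; the per-condition output tells the developer which metric (coverage, duplication, a rating on new code) has to improve before the build can pass.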

Bugs: code errors found in my project. Clicking the 40 on the results page shows the details of each bug. For example, my bugs are as follows.

Screenshot 16: Bugs

If we click any bug, we see its details.

For example:

  • This bug is in the wwwroot/lib/bootstrap/dist/css/bootstrap-reboot.css file.
  • It was created 21 hours ago.
  • Its estimated fix effort is 1 minute.
  • It is not assigned to anyone yet. You can click Not assigned and assign it to someone.

Note that this file is a third-party library shipped under wwwroot/lib, not code we wrote. In a real project you would normally exclude such vendored code from analysis (for example with the sonar.exclusions setting) so that the counts reflect your own code.

Screenshot 17: Bug details

Vulnerabilities: this section is about security and is at least as important as bugs. My example project had no findings in this category, but its detail page works like the bugs detail page. Keep in mind that an empty list here only means none of SonarQube's rules matched; it is not a security assessment of the application.

Code Smells: this section is about maintainability and readability. We have 23 code smells, with an estimated 3 hours needed to fix them.

Screenshot 18: Code smells

I opened a random issue in this category.

  • This code smell is in the Pages/Index.cshtml.cs file.
  • Its severity is Critical.
  • Its estimated fix effort is 5 minutes.
  • It was created 21 hours ago.

Screenshot 19: Code smell details.

Coverage: this section is about tests. We did not write any tests for the example project. SonarQube does not run tests itself; it imports a coverage report produced by your test tooling, so if we had tests and fed it their report, the coverage ratio would appear here.

Duplications: the ratio of duplicated lines to total lines. The result for my example project is as follows.

Screenshot 20: Duplications

See you in the next post.

Good luck :)
