SonarQube | SonarScanner : a step by step guide. #StaticAnalysis.

Rahul Mourya, The Startup. Published Jun 5, 2020 (4 min read).

[Image: SonarQube logo, https://www.sonarqube.org/logos/]

Introduction

SonarQube is an open-source platform from SonarSource for continuous inspection of code quality. It reviews code automatically with static analysis and reports bugs, code smells and security vulnerabilities (plus security hotspots that need a manual look) across 20+ programming languages.

Beyond issues it also tracks duplicated code, coding-standard violations, unit test results, code coverage, code complexity and comment density.

The only prerequisite for running SonarQube locally is a Java runtime (Oracle JRE 11 or OpenJDK 11) on your machine. The download ships with an embedded H2 database, which is fine for this walkthrough but is meant for evaluation only; anything you want to keep needs a supported external database.

Installation steps:

Step 1:

Download the SonarQube Community Edition.

Step 2:

Unzip it as a non-root user, for example into C:\sonarqube or /opt/sonarqube. SonarQube should not be started as root (its embedded Elasticsearch refuses to run that way), and the account you use needs write access to the data, logs and temp directories.

Step 3:

# On Windows, execute:
C:\sonarqube\bin\windows-x86-xx\StartSonar.bat

# On other operating systems, as a non-root user execute
# ("console" keeps the server in the foreground so you can watch the logs;
#  "sonar.sh start" daemonizes it instead):
/opt/sonarqube/bin/[OS]/sonar.sh console

Step 4:

Open http://localhost:9000/ in a browser (9000 is the default port) and log in with the default System Administrator credentials (login admin, password admin). Change that password before you do anything else, and certainly before the instance is reachable by anyone but you: it is the same on every fresh install, and the admin account can read every project and mint tokens.

Note:

All server configuration lives in the conf/sonar.properties file under the installation directory: database connection, LDAP, web server, SSO authentication, logging and so on. For example, to move the web UI off the default port I added sonar.web.port=9001 in the web-server section. Changes take effect after a restart.

[Image: SonarQube local dashboard]

Using Docker (Optional)

Images of the Community, Developer and Enterprise Editions are available on Docker Hub.

  1. Start the server by running:
$ docker run -d --name sonarqube -p 9000:9000 <image_name>

Two caveats for anything beyond a throwaway test: the container's data (embedded database, installed plugins, logs) stays inside the container unless you mount volumes for /opt/sonarqube/data, /opt/sonarqube/extensions and /opt/sonarqube/logs, and on a Linux host the embedded Elasticsearch needs vm.max_map_count raised to at least 262144 or the container exits shortly after starting.
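Steps 1 to 4, and the Docker variant, leave a server running with the default admin password. The script below is an added example, not part of the article or of the SonarQube project, that strings those steps together for the Docker case: it checks the Linux vm.max_map_count requirement, starts the image with named volumes so data and plugins persist, waits until api/system/status reports UP, and then rotates the admin password through api/users/change_password so the admin/admin default stops working before anyone else can reach the instance. The sonarqube:community tag, the SONAR_ADMIN_PASSWORD variable and the bootstrap subcommand are this script's own assumptions; the two API endpoints and the /opt/sonarqube volume paths are those of SonarQube and its official image.

```shell
#!/bin/sh
# bootstrap-sonarqube.sh: start the Community image with persistent volumes,
# wait until the server reports UP, then replace the default admin password.
# Added example, not from the original article. Assumes the official sonarqube
# Docker image layout (/opt/sonarqube/{data,extensions,logs}) and the documented
# web API endpoints api/system/status and api/users/change_password.
set -eu

SONAR_HOST_URL="${SONAR_HOST_URL:-http://localhost:9000}"
SONAR_IMAGE="${SONAR_IMAGE:-sonarqube:community}"   # assumption: Community tag on Docker Hub

# Elasticsearch inside SonarQube refuses to start on Linux unless
# vm.max_map_count is at least 262144. The value is an argument so the
# check can be exercised without root or a Linux kernel.
max_map_count_ok() {
    [ "$1" -ge 262144 ]
}

# docker run with named volumes so the database, plugins and logs survive a
# container re-creation. Returned as a string so it can be inspected before use.
docker_run_cmd() {
    printf 'docker run -d --name sonarqube -p 9000:9000 -v sonarqube_data:/opt/sonarqube/data -v sonarqube_extensions:/opt/sonarqube/extensions -v sonarqube_logs:/opt/sonarqube/logs %s' "$1"
}

# Extract the "status" field from an api/system/status response
# (STARTING, UP, DB_MIGRATION_NEEDED, ...). The response has a single status key.
system_status() {
    printf '%s\n' "$1" | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p' | head -n 1
}

# Poll until the web server and its database are ready (up to 5 minutes).
wait_until_up() {
    tries=0
    while [ "$tries" -lt 60 ]; do
        body="$(curl -s "${SONAR_HOST_URL}/api/system/status" || true)"
        if [ "$(system_status "$body")" = "UP" ]; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 5
    done
    echo "SonarQube did not report UP in time" >&2
    return 1
}

# Replace the built-in admin password. previousPassword is required because
# the account is changing its own password; -f makes curl fail on 401/400,
# e.g. when the default password has already been rotated.
change_admin_password() {
    curl -sS -f -u admin:admin -X POST \
        --data-urlencode "login=admin" \
        --data-urlencode "previousPassword=admin" \
        --data-urlencode "password=$1" \
        "${SONAR_HOST_URL}/api/users/change_password"
}

main() {
    : "${SONAR_ADMIN_PASSWORD:?set SONAR_ADMIN_PASSWORD to the new admin password}"
    if [ "$(uname -s)" = "Linux" ] && ! max_map_count_ok "$(sysctl -n vm.max_map_count)"; then
        echo "raise vm.max_map_count first: sudo sysctl -w vm.max_map_count=262144" >&2
        exit 1
    fi
    eval "$(docker_run_cmd "$SONAR_IMAGE")"
    wait_until_up
    change_admin_password "$SONAR_ADMIN_PASSWORD"
    echo "admin password changed; the default admin/admin login no longer works"
}

# Only act when invoked as "bootstrap-sonarqube.sh bootstrap"; otherwise the
# functions are merely defined, so the file can be sourced or tested.
if [ "${1:-}" = "bootstrap" ]; then
    main
fi
```

Run it as `SONAR_ADMIN_PASSWORD='...' sh bootstrap-sonarqube.sh bootstrap` on the Docker host. The first start takes a minute or two because Elasticsearch builds its indices; the poll loop covers that, and the password change fails loudly rather than silently if someone has already logged in and changed it.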

Step 5:

After logging in, click Create new project to analyze your first project.

[Image: SonarQube dashboard, new project creation]
  1. Click the “+” icon at the top right of the navigation bar
  2. Select the ‘Create new project’ option

Step 6:

Enter a project key and a display name for the project, then click Set Up. The key is the identifier the scanner has to send back later (sonar.projectKey in the properties file below).

Step 7:

  1. Enter a name for the token (any word pair you like); here secret_key
  2. Click Generate. SonarQube displays the token once; copy it now, because it cannot be shown again, only revoked. The scanner presents this token to authenticate the analysis it uploads, so treat it like a password: whoever holds it can push analyses as you.

Now click Continue.

Step 8:

Select your project's main language and build tooling; mine is an Angular project (JavaScript/TypeScript), which is analyzed with the standalone SonarScanner CLI.

Clicking the button in the page's step 3 redirects you to the SonarScanner download page. Pick the distribution for your OS.

https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/

After the download completes, extract the archive (I extracted it into my Downloads folder).

Step 9:

Windows: add the extracted sonar-scanner bin directory to the PATH environment variable.

macOS/Linux: add the same directory to PATH in your shell profile (see Setting up Environment Variables in MacOS Sierra).

Step 10:

Save the following properties in your project folder in a file named exactly sonar-project.properties (important: the scanner looks for this file name in the directory it is run from):

# Identify the project on the server; projectKey must match the key chosen in Step 6
sonar.projectKey=TLH_PROJECT_SQ_V1
sonar.projectName=TLH_PROJECT_SQ_V1
# Token from Step 7. This file is usually committed with the project, so a real
# token should not live here; pass it on the command line (-Dsonar.login=...) instead.
sonar.login=ba4fd*******************
sonar.scm.provider=svn
sonar.projectVersion=1.0
# sonar.host.url is not set, so the scanner uses its default, http://localhost:9000
sonar.sources=src
# Keep vendored, generated and test code out of the analysis so it does not inflate the issue count
sonar.exclusions=node_modules/**,src/environments/**,**/*.spec.ts,dist/**,**/docs/**,**/*.js,e2e/**,coverage/**,TLH-distributions/**,src/bsb-theme/css/**
# Lint configuration and coverage report (lcov) produced by the Angular test run
sonar.ts.tslint.configPath=tslint.json
sonar.typescript.lcov.reportPaths=coverage/lcov.info

Feel free to change the above properties to match your project configuration.

The sonar-project.properties file goes at the root of the project.

Now open the project path in a terminal or CMD and run the scanner (on macOS/Linux the launcher is simply called sonar-scanner, without the .bat):

sonar-scanner.bat

Sit back and relax; the scan takes a while, so go grab a coffee.

When the scan finishes, open the SonarQube dashboard (localhost:9000), log in if required, and select the project; you will see something like the view below.
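Once a scan has been submitted, the question a pipeline wants answered is whether the analysis passed the project's quality gate, not just whether the scanner exited. The script below is an added example, not from the article or from the SonarQube project: it runs the scanner with the token taken from the SONAR_TOKEN environment variable rather than from sonar-project.properties, reads the task URL from the .scannerwork/report-task.txt file that SonarScanner writes, polls the server's api/ce/task endpoint until the background analysis finishes, and then checks api/qualitygates/project_status. The JSON handling is a deliberately small sed extraction that assumes the compact single-line JSON the server returns, with "status" as the first key of the object of interest; the SONAR_HOST_URL variable and the scan subcommand are conventions of this script, not of the scanner.

```shell
#!/bin/sh
# scan-and-gate.sh: run SonarScanner with the token taken from the environment,
# then wait for the server-side analysis and fail if the quality gate is not OK.
# Added example, not from the original article. Assumes SonarQube's documented
# web API (api/ce/task, api/qualitygates/project_status) and the report-task.txt
# file that SonarScanner writes under .scannerwork/ after each run.
set -eu

SONAR_HOST_URL="${SONAR_HOST_URL:-http://localhost:9000}"   # assumption: script's own variable

# Build the scanner arguments. The token comes from $SONAR_TOKEN so it never
# has to be written into sonar-project.properties, which is usually committed.
scanner_args() {
    host="$1"; token="$2"
    printf '%s %s' "-Dsonar.host.url=$host" "-Dsonar.login=$token"
}

# Read one key from report-task.txt (key=value lines). The content is passed as
# a string so the function can be exercised without a real scan.
report_task_value() {
    content="$1"; key="$2"
    printf '%s\n' "$content" | sed -n "s/^${key}=//p" | head -n 1
}

# Pull the FIRST "status":"..." value out of a compact JSON document. The first
# substitution truncates everything after the first occurrence so that the
# per-condition "status" fields of a quality-gate response are ignored.
first_status() {
    printf '%s\n' "$1" \
      | sed -n 's/\("status":"[A-Z_]*"\).*$/\1/; s/.*"status":"\([A-Z_]*\)"$/\1/p' \
      | head -n 1
}

# Quality gate semantics: only OK counts as passed (ERROR, NONE or unknown fail).
gate_passed() {
    [ "$1" = "OK" ]
}

# Wait for the Compute Engine task to finish; print its analysisId on success.
wait_for_task() {
    task_url="$1"; token="$2"
    while :; do
        body="$(curl -sS -u "${token}:" "$task_url")"
        st="$(first_status "$body")"
        case "$st" in
            SUCCESS)
                printf '%s\n' "$body" | sed -n 's/.*"analysisId":"\([^"]*\)".*/\1/p'
                return 0 ;;
            FAILED|CANCELED)
                echo "analysis task ended with status $st" >&2
                return 1 ;;
            *)  sleep 2 ;;   # PENDING / IN_PROGRESS
        esac
    done
}

main() {
    : "${SONAR_TOKEN:?set SONAR_TOKEN to a token generated in My Account > Security}"
    # shellcheck disable=SC2046  # word-splitting the argument string is intended
    sonar-scanner $(scanner_args "$SONAR_HOST_URL" "$SONAR_TOKEN")
    report="$(cat .scannerwork/report-task.txt)"
    task_url="$(report_task_value "$report" ceTaskUrl)"
    analysis_id="$(wait_for_task "$task_url" "$SONAR_TOKEN")"
    gate_json="$(curl -sS -u "${SONAR_TOKEN}:" \
        "${SONAR_HOST_URL}/api/qualitygates/project_status?analysisId=${analysis_id}")"
    status="$(first_status "$gate_json")"
    echo "quality gate: $status"
    gate_passed "$status"
}

# Only run when invoked as "scan-and-gate.sh scan"; otherwise the functions are
# merely defined, so the file can be sourced or tested.
if [ "${1:-}" = "scan" ]; then
    main
fi
```

Run it from the project root as `SONAR_TOKEN=... sh scan-and-gate.sh scan`; the exit status is non-zero when the gate is ERROR, which is what a CI job should key on. Note that -Dsonar.login still places the token on the command line, where it is visible in the process list for the duration of the scan; newer SonarScanner CLI releases read SONAR_TOKEN from the environment themselves, which avoids that on shared build hosts.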

Yay! 🙌 If you've followed along, congratulations, you have made it. You can now share the report with your project manager and other stakeholders (ideally after fixing the issues it found).

Go to the Issues tab and pick the type of issue you want to fix; SonarQube shows the rule behind each issue with an explanation and a compliant example. Check the Security Hotspots tab as well: hotspots are not counted as issues until someone reviews them, so an empty Issues list does not mean the security review is done.

If you want to integrate SonarQube with Jenkins for continuous inspection as part of continuous integration, read this blog: Jenkins-SonarQube Integration
