.NET Core Code Quality with Coverlet and SonarQube

By Sandeep Anantha

Organizations that embrace continuous integration and continuous delivery (CI/CD) reap enormous benefits when rolling out their products — if you’re new to the subject, you can read more about CI/CD here. The reason that CI/CD works is that code is built, tests are run and code is deployed as soon as the code is checked in. As CI/CD catches problems as soon as the source code is checked in, this puts the onus on developers to write code that is efficient and bug-free, thus making them accountable for their code. The idea that code is deployed continuously even before it is QA’ed, seems like a significant risk to some. But if we fortify the code with tests to ensure every piece of code is covered by these tests, then we can be reasonably confident that the code the developer checks in does not break the larger code. Of course for this strategy to work, test driven development (TDD) has to be practiced and automated tests have to be written religiously for every piece of code.

However, the effectiveness of CI/CD will largely depend on how well tests are written, how extensive they are, and how subjective they are. As the ultimate value of CI/CD will depend on code quality, and having continuously good code quality. If you have tests that don’t cover critical pieces of code, then you may end up with many false positives leading to compromised code quality. To avoid this, code reviews should be conducted, but be aware that reviews are also subjective and bugs can slip through the cracks. When conducting a code review, a big part of what you’re doing is identifying smells.

Code smells are common knowledge these days and there are many resources available to identify code smells. Though, it can be daunting to manually find code smells in every code review. Imagine a tool that can help you define custom rules, in addition to the common code smell patterns, externalize these rules and have the flexibility to apply them to the code at the project level, department level, or at the enterprise level…Meet: SonarQube.

SonarQube is a service that can scan code in 25+ languages and identify smells, vulnerabilities, and bugs. SonarQube is a big step toward automating development operations (DevOps) as it enables continuous code inspection that will improve code quality and ensures clean code.

Since SonarQube is open source, it can easily be integrated right into your CI/CD process, which will enable continuous inspection of code for bugs, vulnerabilities, and smells, and can be extended. SonarQube can also be extended by using plugins. For example, you can use the CodeAnalyzer plugin to measure cyclomatic complexity.

With so many CI/CD tools available, like Jenkins, Cruise Control, etc., this blog will focus on externalizing SonarQube integration into a shell script. Since shell script is generic and cross-platform, it can be called from any CI/CD tool of your choice.

Given the core capabilities of SonarQube, it can be used to smooth out the rollout process to production. Imagine the hurdles that a development team faces before going to production at the eleventh hour. They have to go through a long checklist of processes; one among them is the mandatory approval by the enterprise security team, which is often responsible to go through the code, analyze it, and block deployment if they see any issues or vulnerabilities. Development teams have to go through each of the concerns, address them, refactor the code, and submit it for deployment again. This can happen multiple times depending on the quality of the code and can lead to crucial time lost, increasing time to market, and can lead to burnout and stress on the team. Imagine if we could detect and fix all these potential bugs and vulnerabilities early on, right when the code is checked in. This would take little effort to fix them early while still in dev., leaving the teams happy and assured. SonarQube will help you in this endeavor.

SonarQube feeds on the coverage reports and analyzes .NET assemblies and generates reports of its own that include vulnerabilities, bugs, and code smells. It also reports the asymptotic complexity of the code. Apart from these obvious benefits, SonarQube can automate gating of deployments on the server. Should the coverage fail beyond a threshold, or if a bug has been detected, SonarQube can report them to the team and block the deployment.

In the next part of this blog series, we will go over how to scan the C# code on .NET Core platform via SonarQube and in the third, how to enable quality gates. Stay tuned!

Sandeep Anantha is an Agile software engineer at TribalScale.

TribalScale is a global innovation firm that helps enterprises adapt and thrive in the digital era. We transform teams and processes, build best-in-class digital products, and create disruptive startups. Learn more about us on our website. Connect with us on Twitter, LinkedIn & Facebook!