Static Code analysis using SonarQube
In this blog we will learn how to do the static code analysis of a maven project using SonarQube
What is SonarQube?
SonarQube is a tool used to measure code quality. It is used for continuous inspection by using static code analysis which includes various parameters like code smell and security vulnerabilities.
- An IDE like eclipse
- JDK 8 or 11.
- Apache Maven
Step 1. Installing SonarQube SonarQube can be installed from https://www.sonarqube.org/, click on community edition which is free.
select the path where you want to install SonarQube Note[if you don't have JDK 8 download it from https://www.oracle.com/in/java/technologies/javase/javase-jdk8-downloads.html SonarQube on JDK version between 8 to 11].
Step 2. Launching SonarQube Go to the folder containing SonarQube.
Go to the bin folder.
Go to win-x86-64 folder Open cmd go the path mentioned above and type the following command.
Now the SonarQube server is up and running.
Step3. Go to the web browser and log on to http://localhost:9000/about to run SonarQube. Note:9000 is the default port number of SonarQube server.
SonarQube dashboard will be visible.
Step 4. Create a maven project in eclipse IDE or any other IDE you prefer
Add a class in the following project.
Step 5. Run the following command in cmd at the location of the maven project.
mvn clean install sonar:sonar -Dsonar .host.url=http://localhost:9000 -Dsonar.analysis.mode=publish
Here we are running a maven goal that is clean install. mvn clean command removes the target folder which contains all the executable binaries it could be either .war file or .jar. when we run mvn install command it compiles, creates and packages the java project and create a .jar or .war file for it which can be imported into any other java project.
so the above command is running the maven goal and pushing the project to SonarQube where the static code analysis can be performed.
Step6. Refresh the page of SonarQube dashboard
We can see that our source code has passed all the conditions our code contains 0 bugs, vulnerability, and 0% duplication and it contains 2 code smell. Bugs, vulnerability, duplication, and code smell are all quality gates i.e conditions that the source code needs to pass. Quality gates mentioned here are
1. Bugs -A bug in the code is simply the error or fault that is present in the code.
2. Vulnerability- In a code vulnerability indicates that there is a compromisation in the security of the program.
3. Hotspot review- Hotspot is a security concerned area in the code that the developer needs to review again.
4. Duplication- As the name suggests duplication is simply the part of code that appears more than once in the code.
5. Code coverage - It measures the quality of code that has been tested.
6. Code smell- As the name suggests it has nothing to do with the verb smell, it is similar to bug but it doesn't cause any problem in the compilation of code, it usually has to deal with the structure of the code rather than syntax, we can say it is a bug but it does not cause any problem at the compilation time so we can ignore those bugs.
The final report
Congratulations, you have finally done the static code analysis by using SonarQube.