Shrikant Lal's Blog

Shrikant Lal's Blog

Static Code analysis using SonarQube


In this blog we will learn how to do the static code analysis of a maven project using SonarQube

What is SonarQube?

SonarQube is a tool used to measure code quality. It is used for continuous inspection by using static code analysis which includes various parameters like code smell and security vulnerabilities.


  1. An IDE like eclipse
  2. JDK 8 or 11.
  3. SonarQube
  4. Apache Maven

Step 1. Installing SonarQube SonarQube can be installed from, click on community edition which is free.


select the path where you want to install SonarQube Note[if you don't have JDK 8 download it from SonarQube on JDK version between 8 to 11].

Step 2. Launching SonarQube Go to the folder containing SonarQube.

2.PNG Go to the bin folder.

3.PNG Go to win-x86-64 folder Open cmd go the path mentioned above and type the following command.


Now the SonarQube server is up and running.

Step3. Go to the web browser and log on to http://localhost:9000/about to run SonarQube. Note:9000 is the default port number of SonarQube server.

local host 9000.PNG SonarQube dashboard will be visible.

Step 4. Create a maven project in eclipse IDE or any other IDE you prefer

maven project.PNG Add a class in the following project.

source code.PNG Step 5. Run the following command in cmd at the location of the maven project.

mvn clean install sonar:sonar -Dsonar .host.url=http://localhost:9000 -Dsonar.analysis.mode=publish

Here we are running a maven goal that is clean install. mvn clean command removes the target folder which contains all the executable binaries it could be either .war file or .jar. when we run mvn install command it compiles, creates and packages the java project and create a .jar or .war file for it which can be imported into any other java project.

so the above command is running the maven goal and pushing the project to SonarQube where the static code analysis can be performed.

mvn command.PNG

Step6. Refresh the page of SonarQube dashboard

sonar test pass.PNG We can see that our source code has passed all the conditions our code contains 0 bugs, vulnerability, and 0% duplication and it contains 2 code smell. Bugs, vulnerability, duplication, and code smell are all quality gates i.e conditions that the source code needs to pass. Quality gates mentioned here are

1. Bugs -A bug in the code is simply the error or fault that is present in the code.

2. Vulnerability- In a code vulnerability indicates that there is a compromisation in the security of the program.

3. Hotspot review- Hotspot is a security concerned area in the code that the developer needs to review again.

4. Duplication- As the name suggests duplication is simply the part of code that appears more than once in the code.

5. Code coverage - It measures the quality of code that has been tested.

code smell ramsey.jpg 6. Code smell- As the name suggests it has nothing to do with the verb smell, it is similar to bug but it doesn't cause any problem in the compilation of code, it usually has to deal with the structure of the code rather than syntax, we can say it is a bug but it does not cause any problem at the compilation time so we can ignore those bugs.

The final report

final report.PNG Congratulations, you have finally done the static code analysis by using SonarQube.

Share this