Code Quality Analysis with Sonar
SonarQube is an open-source platform for continuous code quality inspection. This tool provides a detailed analysis of bugs, code smells, vulnerabilities, and duplications in source code.
Static code analysis rules provided by Sonar can help you identify bugs, bad practices, and vulnerabilities. This may encourage you and your team to follow the same code standards.
As a part of this article, we will look at how to address quality issues in Java code using Sonar.
Setting Up SonarQube
To set up the server, we will use SonarQube Community Edition in Docker.
We need to run the LTS (long-term support) version of the official SonarQube Docker image.
Execute the following Docker command to start a server on your machine:
docker container run -d -p 9000:9000 --name sonar sonarqube:lts
Sonar server runs on port 9000. Open the Sonar UI at localhost:9000 and wait for it to start.
You will be asked to log in once the server starts. The default username/password is admin/admin.
Next, you may need to change your password.
Now that you’re logged in, click “My Account”.
In the “Security” tab, you can create an access token. We will use the token later to analyze a project example.
To create a token, specify the name, type, and expiration. Fill in the fields and click on the “Generate” button.
Copy the generated token, and save it for later.
Setting Up the Project
Next, we will use a project that intentionally includes poor quality practices as per Sonar rules for Java. This project is available in my GitHub.
In the code snippet below, the pom.xml file includes the Sonar Maven Plugin to trigger SonarQube analysis.
<plugin>
    <groupId>org.sonarsource.scanner.maven</groupId>
    <artifactId>sonar-maven-plugin</artifactId>
    <version>${sonar-maven-plugin.version}</version>
</plugin>
Add the plugin and run this:
$ mvn sonar:sonar -Dsonar.host.url=http://localhost:9000 \
    -Dsonar.login=<generated-token>
Here, you need to replace <generated-token> with the token created earlier. The host URL uses plain http, because the Docker command above exposes the server on port 9000 without TLS.
After running the command, you should see your project in the Projects dashboard.
Sonar Concepts
Based on the example project results, let’s go over some important concepts you need to know when using Sonar.
Bugs
Sonar defines bugs as…
An issue that represents something wrong in the code. If this has not broken yet, it will, and will probably break at the worst possible moment. This needs to be fixed as soon as possible.
Example: My code has a connection that is not closed after use. As a result, we are in violation of RSPEC-2095.
Vulnerabilities
Sonar defines vulnerabilities as…
A security-related issue that represents a backdoor for attackers.
Example: A hard-coded password was found in my code. This violates RSPEC-6437.
Hotspots
Sonar defines Security Hotspots as…
Security-sensitive pieces of code that need to be manually reviewed. Upon review, you’ll either find that there is no threat or that there is vulnerable code that needs to be fixed.
Example: I have debug features activated in my code, which is a security-sensitive issue because it simplifies the work of attackers. This risk is described in RSPEC-4507.
Code Smells
Sonar defines Code Smells as…
A maintainability-related issue in the code. Leaving it as-is means that at best, developers maintaining the code will have a harder time than they should when making changes. At worst, they’ll be so confused by the state of the code that they’ll introduce additional errors as they make changes.
Example: I have thrown a generic exception such as RuntimeException. This is an issue because it prevents distinguishing true, system-generated exceptions from application-generated errors. This issue is described in RSPEC-112.
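To make the three examples above concrete, here is an added Java snippet (not code from the article’s example project) showing each issue as Sonar would flag it, followed by a corrected form. The JDBC URL, the “app” database user and the DB_PASSWORD environment variable are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
// Added example, not code from the article's project: each of the
// concepts above as Sonar would flag it, followed by a corrected form.
// The JDBC URL, the "app" user and the DB_PASSWORD variable are assumed.
public class SonarExamples {
    // RSPEC-6437 (vulnerability): a hard-coded credential in source.
    private static final String BAD_PASSWORD = "s3cret"; // flagged
    // Corrected: read the credential from the environment at runtime.
    static String dbPassword() {
        String pw = System.getenv("DB_PASSWORD"); // assumed variable name
        if (pw == null) throw new IllegalStateException("DB_PASSWORD is not set");
        return pw;
    }

    // RSPEC-2095 (bug): close() is skipped when executeQuery() throws,
    // so every failure leaks a Connection from the pool.
    static int countUsersLeaky(String url) throws SQLException {
        Connection con = DriverManager.getConnection(url, "app", BAD_PASSWORD);
        ResultSet rs = con.createStatement().executeQuery("SELECT COUNT(*) FROM users");
        rs.next();
        int n = rs.getInt(1);
        con.close();
        return n;
    }

    // Corrected: try-with-resources closes the result set, statement and
    // connection in reverse order on every exit path, including exceptions.
    static int countUsers(String url) throws SQLException {
        try (Connection con = DriverManager.getConnection(url, "app", dbPassword());
             PreparedStatement ps = con.prepareStatement("SELECT COUNT(*) FROM users");
             ResultSet rs = ps.executeQuery()) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // RSPEC-112 (code smell): a generic exception hides what went wrong.
    static void checkAgeSmelly(int age) {
        if (age < 0) throw new RuntimeException("negative age"); // flagged
    }

    // Corrected: a specific type that callers can catch deliberately.
    static void checkAge(int age) {
        if (age < 0) throw new IllegalArgumentException("negative age");
    }
}
```

Running the Maven command above against a project containing the flagged methods produces one issue of each type in the Projects dashboard, and they disappear once the corrected forms replace them.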
Read more about Sonar concepts at https://docs.sonarqube.org/latest/user-guide/concepts/
Clean As You Code With SonarLint
Clean as You Code is an approach to code that aims to eliminate quality issues as early as possible. This allows developers to focus on maintaining high standards and taking responsibility for any quality issues that may arise in their code.
Configuring SonarLint in IntelliJ
In IntelliJ, you can install the SonarLint plugin from the plugin marketplace.
Once the plugin is installed, go to the “SonarLint” tab and click on the configuration icon.
Choose “Bind project to SonarQube/SonarCloud” and then click “Configure the connection…”.
Create a new connection by clicking the “+” button.
Enter the Connection Name, pick SonarQube, set the URL, and click “Next”.
Set the “Token” and click “Next”. I recommend using a user token.
Select “Next”.
Finally, click on “Create”.
Now that the connection has been created, you will be able to bind your project to SonarQube.
You will be notified when SonarLint detects a violation of a rule. This will help you clean up your code as you go!
Thanks for reading. I hope this was helpful!