Code quality - Tools

If you want to ensure good code quality, there is no getting round the use of tools. It is possible to rely on individual tools or use a combination of tools.

The simplest and most cost-effective option is an IDE extension that helps you to recognise and rectify quality problems while you are writing the code. These allow on-the-fly code inspections. Some of these tools are completely free, but depending on the programming language required, costs may be incurred. We will go into this in detail in a later section.

There are also platforms for continuous code inspection as on-premise and cloud solutions, as well as DevOps integrations (JIRA, GitHub, Maven, Gradle), which help to constantly monitor code quality. Quality gates are an important tool here. Quality gates can be used to define which criteria characterise good code quality and when code is of poor quality. This includes, for example, the number of bugs of the different criticality levels.

SonarLint

SonarLint is a plugin for various IDEs such as IntelliJ, Visual Studio Code and Eclipse. This plugin can be used independently of other systems, but not all languages are supported. If you want to check additional languages, you should use SonarLint in Connected Mode. To do this, SonarLint is connected to an existing SonarQube or SonarCloud instance. This automatically makes the languages licensed there available in the IDE, and reports from these systems can also be received in the IDE.

SonarQube/SonarCloud

SonarQube and SonarCloud can be integrated into the automatic build process so that deployment only takes place when a certain quality gate has been reached. The view of the code checks is similar to that in SonarLint. The big difference here, however, is that it is possible to check whether code has been duplicated across the entire code base, for example. As a stand-alone solution, SonarLint only ever checks individual files.
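The quality gate described above (and introduced in the earlier paragraph on continuous code inspection) is a list of conditions over analysis metrics, such as the number of bugs per criticality level, that the build must satisfy before deployment. The following is an added example, not code from SonarQube/SonarCloud or from VOQUZ; the metric names, the gate definition format and the sample analysis snapshots are assumptions constructed for illustration. It evaluates a gate and returns a CI exit code, and it treats a metric that the analysis did not report as a failure so that a skipped or broken analysis step cannot pass the gate silently.

```python
"""Hypothetical quality-gate check for a CI pipeline (example code, not
from SonarQube/SonarCloud). A gate is a list of conditions over analysis
metrics; the build is allowed to proceed only when every condition holds."""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    metric: str        # metric name, e.g. "bugs_blocker" (names are assumed)
    op: str            # comparison the measured value must satisfy
    threshold: float


OPERATORS = {
    "<": lambda actual, limit: actual < limit,
    "<=": lambda actual, limit: actual <= limit,
    ">": lambda actual, limit: actual > limit,
    ">=": lambda actual, limit: actual >= limit,
    "==": lambda actual, limit: actual == limit,
}


@dataclass
class GateResult:
    passed: bool
    failures: list[str]


def evaluate_gate(conditions: list[Condition], metrics: dict[str, float]) -> GateResult:
    """Evaluate every condition. A metric missing from the analysis counts
    as a failure: failing closed is the safe default for a deployment gate."""
    failures: list[str] = []
    for cond in conditions:
        if cond.op not in OPERATORS:
            raise ValueError(f"unsupported operator {cond.op!r}")
        if cond.metric not in metrics:
            failures.append(f"{cond.metric}: not reported by analysis")
            continue
        actual = metrics[cond.metric]
        if not OPERATORS[cond.op](actual, cond.threshold):
            failures.append(f"{cond.metric}: {actual} is not {cond.op} {cond.threshold}")
    return GateResult(passed=not failures, failures=failures)


# Constructed gate mirroring the criteria the text mentions: bug counts per
# severity, plus coverage and duplication measured on new code only.
RELEASE_GATE = [
    Condition("bugs_blocker", "==", 0),
    Condition("bugs_critical", "==", 0),
    Condition("bugs_major", "<=", 5),
    Condition("new_code_coverage", ">=", 80.0),
    Condition("new_duplicated_lines_density", "<=", 3.0),
]

# Constructed analysis snapshots (not the output of any real scanner).
METRICS_CLEAN = {
    "bugs_blocker": 0, "bugs_critical": 0, "bugs_major": 2,
    "new_code_coverage": 86.5, "new_duplicated_lines_density": 1.2,
}
METRICS_DIRTY = {
    "bugs_blocker": 0, "bugs_critical": 1, "bugs_major": 9,
    "new_code_coverage": 91.0, "new_duplicated_lines_density": 0.4,
}


def gate_exit_code(conditions: list[Condition], metrics: dict[str, float]) -> int:
    """Return 0 when the gate passes and 1 otherwise, for use as a CI step
    that blocks deployment."""
    result = evaluate_gate(conditions, metrics)
    for line in result.failures:
        print("quality gate failure:", line)
    return 0 if result.passed else 1


if __name__ == "__main__":
    # The dirty snapshot fails on one critical bug and too many major bugs.
    sys.exit(gate_exit_code(RELEASE_GATE, METRICS_DIRTY))
```

In a real pipeline the metrics dictionary would be filled from the analysis platform's report rather than constructed inline; the point of the example is that the gate decision is a deterministic function of named thresholds, so it can be reviewed and versioned like any other piece of build configuration.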

SonarQube/SonarCloud:

  • are open source platforms for over 25 programming languages
  • are the only products on the market that support a leak approach as a practice for code quality
  • have a large plugin library with over 100 plugins available
  • are used by more than 85,000 organisations worldwide
  • have integrations with Jenkins, Git, Subversion, Bamboo, Maven, Gradle,...

Acunetix/Invicti

Another tool comes from the company Invicti. This is a web security scanner that checks web applications, web services and APIs.

Some of the functions and checks of Acunetix DeepScan are:

  • WebKit, the world's most widely used browser engine
  • Crawling and scanning HTML5 web applications
  • Execute JavaScript like a real browser
  • Complex client-side web applications (AngularJS, ReactJS, EmberJS...)
  • DOM-based cross-site scripting
  • Malicious URLs
  • Popular CMS (WordPress, Drupal, Joomla!)
  • CRUD requests, JSON, XML, GWT, AJAX
  • WSDL/SOAP, WCF/SOAP and WADL/REST

Checkmarx

There is one more tool we don't want to keep quiet about, and that is Checkmarx. Checkmarx is an application security testing (AST) tool.

The functionalities of Checkmarx include:

  • Uncompiled code
  • Full, partial or incremental scans
  • Integrated in development environment and SDLC (Software Development Lifecycle)
  • Best-to-fix recommendations
  • Graphical support
  • Reporting
  • Open source analysis (internal user-defined code and open source code)
  • Open source inventory (mapping of all open source libraries and versions used)

Summary

All of the tools mentioned have their advantages and disadvantages and in some cases a combination of tools can make perfect sense. The list is of course not exhaustive and is only intended as an example to illustrate that code quality tools can be very different and that there is a wide variety on the market.

If you do not have the resources available to set up an appropriate process, VOQUZ will be happy to provide advice and assistance. We also offer a service for carrying out checks, or iterations of checks, on your own code. The advantages here are:

  • Customised service (comprehensive price/performance)
  • Fast realisation
  • Utilisation of VOQUZ know-how
  • No need to buy licences
  • Always the latest versions of the tools used
  • No cloud issues as you can choose the execution location (EMEA, US,...)
  • Access to experts
  • Various types of tests and advanced analyses

We are happy to provide advice and support.
