Expedite Test Automation Code Review Process (Integration with SonarQube)
Shikhar Srivastava
Lead SRE @WayFair | LinkedIn Top Voice | DevOps | SRE certified | AWS Expert | SDET | Terraform | Technical Blogger
Read Time : 10 minutes
Hello Guys,
While writing Test Automation Code, I sometimes wondered about the questions below:
- While writing code: Am I following the standard guidelines? How can I make sure? Is there a way to check immediately, while I am writing it?
- As Code Reviewer: Is the code as per the latest standard guidelines? How can the code review process be expedited?
- As QA Automation Lead: How can code quality standards be enforced and the code review process automated, so that productivity increases?
My search ended at a tool called 'SonarQube'. I integrated it with my team's automation projects and started using it as part of the code review process. This has benefited many projects across my organization, decreased code review time and enforced code standards. It reduces your technical debt to a great extent.
So, let's learn more about this tool, how we can integrate it into the various stages of the test automation process and how to get the maximum benefit from it.
One bad programmer can easily create two new jobs a year.
— David Parnas
What is SonarQube?
SonarQube is an automatic code review tool that detects bugs, vulnerabilities and code smells in your code. It is a web-based open source platform used to measure and analyse source code quality. It supports all the popular languages like Java, Python, SQL, JavaScript, .NET etc.
Sonar covers the 7 sections of code quality:
- Architecture and Design
- Unit tests
- Duplicated code
- Potential bugs
- Complex code
- Coding standards
- Comments
For more details you can refer to the official documentation: https://docs.sonarqube.org/latest/
At what stages does it help in the Test Automation process flow?
Hey, you will be glad to know it is helpful at every point and will act as your second pair of eyes through the whole Test Automation process flow.
- While you are designing code: You can install a plugin named "SonarLint" in popular IDEs like IntelliJ, Eclipse etc. This plugin gives you feedback as you go, reporting bugs, code smells, vulnerabilities etc. with their severity. It also provides suggestions and ways to resolve them as per the latest standards.
- While you run automation test cases: You can scan your whole test suite along with your test run from the CLI and receive a detailed analysis on the SonarQube dashboard using simple Maven commands like "mvn sonar:sonar". It lists all the issues and even points out the files in which they appear, with multiple other features like the code snippet, culprit info, severity, the effort required to fix the issue, suggestions to fix it etc.
- While you are reviewing the code: With the Administrator role you can set multiple code Quality Gates at global level and even at project level, in case your organisation has multiple other projects. You can choose to analyse many parameters like Bugs, Code Smells, Code Coverage, Duplication percentage etc. on New Code as well as on the whole project. You set threshold values for each parameter you choose and there you go: whenever the threshold is not met for any criterion, your Quality Gate fails with the reasons. In the same way you can verify whether the code you have been asked to review follows all the standards or not, and save tons of time.
- While you are building through a CI/CD pipeline: You can add the SonarQube scanner as a stage in your Declarative Jenkinsfile as part of CI/CD pipeline as code. This pipeline gets triggered whenever you push code to your feature branch or merge code into the master branch, or you can even configure it to run every night using a timer trigger. You can fail the build in case the Quality Gate fails, so that non-standard code never reaches you for review. (Seems like a dedicated QA pipeline, correct? Many DevOps engineers and developers seem reluctant to use a separate dedicated QA pipeline. Let's discuss this in the next article.)
Hmm, enough theory, correct?... Let's jump to how we can implement it technically. :) In case you would like to read more, refer to one good article: Benefits of Using SonarQube For Code Reviews
How to implement the above points technically?
Okay, let's go through the above points one by one:
SonarLint plugin for your favorite IDE and how to use it:
Like any other plugin, this can be downloaded from Plugins in IntelliJ and from the Eclipse Marketplace in Eclipse.
-- In IntelliJ, just go to File --> Settings --> Plugins, search for 'SonarLint' and install it.
-- After installation you will see 'SonarLint' in the bottom taskbar as shown in the image.
-- Select any class in your already open project. Then click on 'SonarLint' and you will find the issues related to that file already analyzed and reported. In case you make some changes and want to reanalyze, you can do so by clicking the 'Run' button.
-- You can click on any issue to get a detailed description of the issue with a sample resolution.
So check and clear the issues as you write code :)
Configure SonarQube on your system or server:
I am leaving the installation instructions to the official documentation as they are pretty straightforward. You can use Docker or install it directly on your system.
Link to the installation guide: https://docs.sonarqube.org/latest/setup/get-started-2-minutes/
-- After you have installed it successfully, navigate to https://localhost:9000 and enter 'admin' as both username and password. You should be able to log in and see the 'Create New Project' link.
-- You have successfully installed SonarQube on your system.
Run the SonarQube scanner from the CLI as a Maven command:
You can run the SonarQube scanner from the terminal and it will analyse your project and report all issues on the SonarQube dashboard. Let's see how to configure it step by step:
Steps to configure analysis:
1. Generate a security token
-- Navigate to https://localhost:9000 (or the URL you configured)
-- Click on the 'User Profile Icon' at the top right --> My Account --> Security
-- Enter a token name (say: TOKEN) and click on the 'Generate' button
-- Copy the generated token and store it somewhere safe, as it is shown only once.
2. Add the plugin to your Maven project
-- Copy the plugin below into the pom.xml of the existing project you want to scan. You can get the latest version from the SonarQube version info.
<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.sonarsource.scanner.maven</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>3.7.0.1746</version>
      </plugin>
    </plugins>
  </pluginManagement>
</build>
-- Run the Maven command below in your terminal
mvn sonar:sonar \
  -Dsonar.host.url=https://localhost:9000 \
  -Dsonar.login=the-generated-token
Replace the-generated-token with the token you generated and stored above.
After executing the command, the results will be available on the Projects dashboard at https://localhost:9000.
-- You can click on the project for a detailed list of issues and resolution instructions.
Discovered issues can either be a Bug, Vulnerability, Code Smell, Coverage or Duplication. Each category has a corresponding number of issues or a percentage value. Moreover, issues can have one of five different severity levels: blocker, critical, major, minor and info. Just in front of the project name is an icon that displays the Quality Gate status – passed (green) or failed (red).
Clicking on the project name will take us to a dedicated dashboard where we can explore issues particular to the project in greater detail.
We can see the project code, activity and perform administration tasks from the project dashboard – each available on a separate tab.
Though there is a global Issues tab, the Issues tab on the project dashboard displays only the issues specific to the project concerned:
The Issues tab always displays the category, severity level, tag(s), and the calculated effort (in time) it will take to rectify an issue.
From the issues tab, it's possible to assign an issue to another user, comment on it, and change its severity level. Clicking on the issue itself will show more detail about the issue.
The Issues tab comes with sophisticated filters on the left. These are good for pinpointing issues. So how can one know whether the codebase is healthy enough for deployment to production? That is what the Quality Gate is for.
What is a Quality Gate and how to configure it?
A Quality Gate is a set of conditions, such as thresholds on bugs, code smells, vulnerabilities etc., and only when those thresholds are met does your code quality scan pass. Based on the Quality Gate status you can decide whether to pass the code review, or perhaps promote the code to the next higher environment.
You can also set a Quality Gate on the new code being merged, to ensure that no new non-standard code passes through, and over time you can fix the old code too.
Now, how to set a Quality Gate?
-- Navigate to https://localhost:9000 (or the URL you configured).
-- Click the 'Quality Gates' tab in the top menu bar. You will find one Quality Gate named 'Sonar way' already defined. This is the set of conditions suggested by Sonar.
-- Click on the 'Create' button to configure your own Quality Gate and give it a name.
-- You will find conditions to create on New Code and on Overall Code; define the thresholds there too.
Now, how to add the custom Quality Gate to your project?
-- Navigate to 'Projects' and select the project to which you want to link the custom Quality Gate.
-- Click on Project Settings --> Quality Gate. You will find an option to select a Quality Gate, and you are done.
-- Run the scan again using the Maven command and now it will be evaluated against the Quality Gate you defined.
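The scan command and Quality Gate just described, as an added example that is not code from the article or from SonarSource: a small Python helper for a CI job that (1) builds the `mvn sonar:sonar` call with the token taken from the `SONAR_TOKEN` environment variable instead of `-Dsonar.login=...` on the command line, where it would be visible in shell history and process listings, (2) reads the `target/sonar/report-task.txt` file the scanner writes after a run, and (3) evaluates the Quality Gate result from the `api/qualitygates/project_status` web-API endpoint, listing every failed condition with its threshold so the build log says why the gate failed. The report file contents and the gate response are constructed sample data (project key, task id and metric values are made up), and the assumption that the installed scanner honours `SONAR_TOKEN` is marked in the code.

```python
"""Run the SonarQube Maven scan and evaluate the Quality Gate from a CI job.
Added example, not code from the article or from SonarSource."""
import base64
import json
import os
import subprocess
import time
from urllib.request import Request, urlopen


def scan_command(host_url, env):
    """Build the article's `mvn sonar:sonar` call with the token kept out of argv.
    SONAR_TOKEN in the environment stays out of shell history and `ps` output.
    Assumption: the installed sonar-maven-plugin reads SONAR_TOKEN (recent versions
    do); older versions need -Dsonar.login, as the article shows."""
    if not env.get("SONAR_TOKEN"):
        raise RuntimeError("SONAR_TOKEN is not set; generate one under My Account > Security")
    return ["mvn", "-B", "sonar:sonar", f"-Dsonar.host.url={host_url}"]


def run_scan(host_url):
    """Run the scan; the inherited environment carries SONAR_TOKEN to the plugin."""
    subprocess.run(scan_command(host_url, os.environ), check=True)


def parse_report_task(text):
    """Parse target/sonar/report-task.txt, the key=value file the scanner writes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def api_get(server_url, path, token):
    """GET a SonarQube web-API endpoint; the token is the Basic-auth user name, password empty."""
    creds = base64.b64encode(f"{token}:".encode()).decode()
    req = Request(f"{server_url.rstrip('/')}/{path}", headers={"Authorization": f"Basic {creds}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def wait_for_analysis(server_url, ce_task_id, token, attempts=60, delay=5):
    """Poll the background task until the analysis is processed and return its analysisId."""
    for _ in range(attempts):
        task = api_get(server_url, f"api/ce/task?id={ce_task_id}", token)["task"]
        if task["status"] == "SUCCESS":
            return task["analysisId"]
        if task["status"] in ("FAILED", "CANCELED"):
            raise RuntimeError(f"analysis task {ce_task_id} ended with status {task['status']}")
        time.sleep(delay)
    raise TimeoutError(f"analysis task {ce_task_id} did not finish in time")


def evaluate_gate(status_json):
    """Return (passed, failed_conditions) from an api/qualitygates/project_status response."""
    project_status = status_json["projectStatus"]
    failed = [
        {"metric": c["metricKey"], "comparator": c.get("comparator"),
         "threshold": c.get("errorThreshold"), "actual": c.get("actualValue")}
        for c in project_status.get("conditions", []) if c.get("status") == "ERROR"
    ]
    return project_status["status"] == "OK", failed


def gate_summary(status_json):
    """Build the log lines and exit code a CI stage would use for the gate result."""
    passed, failed = evaluate_gate(status_json)
    lines = [f"Quality Gate: {'PASSED' if passed else 'FAILED'}"]
    for f in failed:
        lines.append(f"  {f['metric']}: {f['actual']} (fails when {f['comparator']} {f['threshold']})")
    return (0 if passed else 1), lines


# Constructed sample data standing in for a real scan; all values are made up.
SAMPLE_REPORT_TASK = """projectKey=my-test-automation
serverUrl=https://localhost:9000
ceTaskId=TASK-ID-PLACEHOLDER
ceTaskUrl=https://localhost:9000/api/ce/task?id=TASK-ID-PLACEHOLDER
"""
SAMPLE_GATE_RESPONSE = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_bugs", "comparator": "GT", "errorThreshold": "0", "actualValue": "0"},
    {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT", "errorThreshold": "80", "actualValue": "62.5"},
    {"status": "ERROR", "metricKey": "new_duplicated_lines_density", "comparator": "GT",
     "errorThreshold": "3", "actualValue": "4.1"},
]}}

if __name__ == "__main__":
    # Offline walk-through on the sample data. Live: run_scan(url); parse the real
    # report-task.txt; wait_for_analysis(); api_get(... "api/qualitygates/project_status?analysisId=...").
    props = parse_report_task(SAMPLE_REPORT_TASK)
    print(f"analysis submitted to {props['serverUrl']} as task {props['ceTaskId']}")
    code, lines = gate_summary(SAMPLE_GATE_RESPONSE)
    print("\n".join(lines))
    raise SystemExit(code)
```

Wiring this into a pipeline stage comes down to running the module after `mvn sonar:sonar` and letting its exit code fail the build; the token is the same one generated under My Account --> Security, stored in the CI system's credential store and exported as `SONAR_TOKEN` for the job.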
Analyse your project in a cloud repo (Git, Bitbucket etc.) using SonarCloud:
Did you know you can analyse any of your projects in the cloud without any setup? That seems interesting... let's see how to do it.
-- Navigate to https://sonarcloud.io/
-- You will find the section "Go ahead! Analyze your repo:". Choose your repo. For example, I am choosing 'GitLab'.
-- On clicking, you will be asked to allow access to your repo; the steps are self-explanatory. In case it asks for an 'Access Token' or 'Credentials', feel free to generate it from your repo and provide it. For GitLab it asks for an API access token, which can be generated from User Settings.
-- You will be asked to choose a plan. Go for the free one for now, which will scan your public repos only and not private ones. So make sure your repo is public.
-- It will give you multiple options for how to analyse your project, like through a CI/CD pipeline, manually or with other tools. Choose Manually for now.
-- It will ask which way you would like to proceed. Choose one and follow the simple steps to add the properties to pom.xml.
-- And you are done. Go and analyze without much setup. Run the simple command as mentioned:
mvn verify sonar:sonar
-- You will see the URL has now changed to sonarcloud.io instead of localhost, and you can now share this analysis with other team members and developers of the project. Feature branch analysis can also be tracked on the same Sonar dashboard.
So those were a few ways in which you can configure SonarQube. It helps to catch a lot of problems in code and, thanks to its philosophy of focusing on new code, it helps to fix issues as soon as they appear.
Keeping code clean, simple and easy to read is also a lot easier with SonarQube, since a lot of its rules focus on those aspects, which starts to pay off a lot after some time.
Conclusion
Are there other ways in which this can be helpful? Yes there are: we can integrate it through Jenkins using plugins, or add it as a stage in a Declarative or Scripted pipeline and stop deployment to the next environment.
But let's discuss those specifically in the next article, which I will publish soon. :)
Stay Happy, Stay Safe, Keep Learning ....
Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
— John F. Woods
QA Lead | Model based testing | Functional Testing | Selenium | Java | Cucumber | CI/CD | Robot Framework
4 years ago: Good work Shikhar
Software Development Engineer at Workday
4 years ago: informative and precise
AVP Senior Test Manager at Credit Suisse
4 years ago: Great contribution Shikhar, well done!
SDET@Citi Bank | Automation Testing | QA Transformation lead | Agile | API Testing | BDD | Ex-Credit Suisse | Ex-Infosys | Ex-Wipro | Ex-Cognizant
4 years ago: This is really helpful!!! Thanks for writing this post!!!
Vice President - JPMorganChase | 3X-Oracle Cloud | AWS | Java | Rest Assured | Selenium | Cucumber | TestNG | Spring boot | Kafka | Micro services | jMeter | BlazeMeter | SRE | AI | Prompt Engineering
4 years ago: I use SonarLint plugin in IntelliJ. It is a life saver.