Setting Up SonarQube for Code Quality Inspection on Java(Maven/Gradle)/.NET/Python/Go Projects

SonarQube is a platform for continuous inspection of code quality: it runs static analysis on each build to detect bugs, code smells and security vulnerabilities, and presents the findings in a web dashboard. This guide walks you through running SonarQube in Docker and integrating it with a Java project built with Maven. The instructions cover both Windows and macOS.


Prerequisites

  1. Clone the Vulnerable Code Repository: Clone the repository containing the vulnerable code to your local system.


git clone <your_repo_name>        
cd <your_repo_name>        

2. Install a JDK: The setup in this guide used Java 11, which you can download from the Java SE 11 Archive Downloads. Check the scanner requirements for the SonarQube version you pull; newer releases require Java 17 to run the scanner.

Verify the installation:

java -version        

3. Install Maven: Download and install Maven from the official website.

Verify the installation:

mvn -version        

4. Install Docker Desktop: Download and install Docker Desktop for your operating system.

5. Enable WSL 2 and Virtual Machine Platform (Windows Only): For Windows users, ensure the WSL 2 and Virtual Machine Platform features are enabled, then make WSL 2 the default version for new distributions:

wsl --set-default-version 2        

Setting Up SonarQube

1. Download and Run the SonarQube Docker Image: Open a terminal or command prompt and run the following command to pull the image and start a SonarQube container. Only port 9000 needs to be published; the 9092 port in the original command is not used by current images. This starts SonarQube with its embedded H2 database and no persistent volumes, which is fine for evaluation but loses all projects and tokens when the container is removed.

docker run -d --name sonarqube -p 9000:9000 sonarqube        


Verify the container is running:

docker ps -a        

2. Access SonarQube: Open a web browser and navigate to http://localhost:9000 (the container serves plain HTTP; there is no TLS on this port). You should see the SonarQube dashboard. The first start can take a minute or two while the embedded Elasticsearch initialises, so reload if the page is not up yet.


3. Configure SonarQube Project:

  • Log in to SonarQube (default credentials: admin/admin) and change the password immediately; recent versions prompt for this at first login.
  • Create a new project (a local, manually created project) and give it a project key.
  • Generate a token for the project. Prefer a project analysis token over a global or user token so it can only submit analyses for this project, and keep it in an environment variable rather than in shell history or the build file.

Screenshots from the original article: the dashboard, the project name form, the token name form, the generated token, and the build type selection.
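The setup steps above as one script, added here as an example and not code from the original article: it starts the container with named volumes and only the port that is needed, then polls /api/system/status until the server reports UP, which is the point at which the dashboard and the scanner can actually be used. The volume names, the image tag (sonarqube:community) and the 300-second timeout are assumptions; adjust them for your environment.

```shell
#!/bin/sh
# Added example (not from the original article): start SonarQube in Docker with
# persistent volumes and wait until /api/system/status reports "UP" before you
# create a project or run a scan. Volume names, the image tag and the 300 s
# timeout are assumptions; adjust them for your environment.
set -eu

SONAR_URL="${SONAR_URL:-http://localhost:9000}"
SONAR_IMAGE="${SONAR_IMAGE:-sonarqube:community}"

# Pull the "status" value out of the JSON returned by /api/system/status,
# e.g. {"id":"...","version":"10.4.1","status":"UP"}. sed only, so jq is not needed.
sonar_status() {
  printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# Succeeds only when the server reports UP; STARTING, DOWN and DB_MIGRATION_* all fail.
sonar_is_up() {
  [ "$(sonar_status "$1")" = "UP" ]
}

start_sonarqube() {
  # SonarQube embeds Elasticsearch, which refuses to start on Linux hosts with
  # vm.max_map_count below 262144. Docker Desktop's VM already satisfies this.
  if [ "$(uname -s)" = "Linux" ] && [ "$(sysctl -n vm.max_map_count)" -lt 262144 ]; then
    sudo sysctl -w vm.max_map_count=262144
  fi
  # Only port 9000 is needed. Named volumes keep projects, tokens and quality
  # profiles across container restarts; without them 'docker rm' loses everything.
  # The image still uses its embedded H2 database, which is for evaluation only.
  docker run -d --name sonarqube -p 9000:9000 \
    -v sonarqube_data:/opt/sonarqube/data \
    -v sonarqube_extensions:/opt/sonarqube/extensions \
    -v sonarqube_logs:/opt/sonarqube/logs \
    "$SONAR_IMAGE"
}

# Poll the status endpoint until it reports UP or the deadline passes.
wait_for_sonarqube() {
  deadline=$(( $(date +%s) + 300 ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    body="$(curl -fsS "$SONAR_URL/api/system/status" 2>/dev/null || true)"
    if sonar_is_up "$body"; then
      echo "SonarQube is UP at $SONAR_URL"
      return 0
    fi
    sleep 5
  done
  echo "SonarQube did not report UP within 300 s; check 'docker logs sonarqube'" >&2
  return 1
}

# Usage: sh sonar-up.sh up
# Without the argument the file only defines functions, so it can be sourced.
case "${1:-}" in
  up) start_sonarqube && wait_for_sonarqube ;;
esac
```

Run it once with `sh sonar-up.sh up`; the script returns non-zero if the server never reports UP, so a CI job that provisions a throwaway SonarQube can fail fast instead of timing out in the scanner.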


Scanning the Java Project

  1. Navigate to the Project Directory: Make sure you are in the root directory of the cloned project.
  2. Run SonarQube Scan with Maven: Execute the following Maven command to clean, verify, and scan the project using SonarQube. Use http, not https, for the host URL: the Docker container does not serve TLS on port 9000, and the scanner would fail the TLS handshake.

mvn clean verify sonar:sonar \
  -Dsonar.projectKey=FirstScanTest \
  -Dsonar.projectName='FirstScanTest' \
  -Dsonar.host.url=http://localhost:9000 \
  -Dsonar.token=<your_sonar_token>        

Replace <your_sonar_token> with the token generated from the SonarQube dashboard. sonar.token replaces the older sonar.login property. A token typed on the command line lands in your shell history and is visible to other users on the host via ps, so for anything beyond a quick local test export it as an environment variable and pass -Dsonar.token="$SONAR_TOKEN". The sonar:sonar goal resolves to the sonar-maven-plugin; if Maven cannot resolve the sonar prefix, add org.sonarsource.scanner.maven to pluginGroups in settings.xml or use the fully qualified goal org.sonarsource.scanner.maven:sonar-maven-plugin:sonar.

3. View the Scan Results: After the scan completes, open the project in the SonarQube dashboard (http://localhost:9000) to view the results. You will see detailed reports on bugs, vulnerabilities, security hotspots and code smells. Security hotspots are not confirmed vulnerabilities; each one needs a manual review to mark it safe or to convert it into an issue.
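The scan step as a CI-style script, added here as an example rather than code from the article: the token is read from the SONAR_TOKEN environment variable instead of being typed on the command line, the scanner is told to wait for the quality gate, and a follow-up call to /api/qualitygates/project_status prints which gate conditions failed so the build log explains the failure. The project key FirstScanTest comes from the command above; the default URL, the sample metric keys in the comments and the script's argument convention are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): run the Maven analysis with the
# token taken from the environment instead of the command line, make the scanner
# wait for the quality gate, and print which gate conditions failed by reading
# /api/qualitygates/project_status. Project key and URL defaults are assumptions.
set -eu

SONAR_URL="${SONAR_URL:-http://localhost:9000}"
PROJECT_KEY="${PROJECT_KEY:-FirstScanTest}"

# Refuse to run without a token; never paste it on the command line, where it
# ends up in shell history and is visible to other users via 'ps'.
require_token() {
  if [ -z "${SONAR_TOKEN:-}" ]; then
    echo "SONAR_TOKEN is not set; export the project analysis token first" >&2
    return 1
  fi
}

# Flatten JSON whitespace so the sed/grep patterns below can rely on the exact
# '"key":"value"' shape SonarQube emits.
squash_json() {
  printf '%s' "$1" | tr -d ' \n\t'
}

# Overall gate result: OK, ERROR or NONE (no gate attached). The API places
# "status" first inside "projectStatus", which this pattern relies on.
gate_status() {
  squash_json "$1" | sed -n 's/.*"projectStatus":{"status":"\([A-Z_]*\)".*/\1/p'
}

# One metric key per line for every condition whose own status is ERROR,
# e.g. new_security_rating or new_security_hotspots_reviewed.
failed_conditions() {
  squash_json "$1" \
    | grep -o '{"status":"ERROR","metricKey":"[A-Za-z0-9_]*"' \
    | sed 's/.*"metricKey":"\(.*\)"/\1/'
}

# -B: batch mode for CI logs. sonar.qualitygate.wait makes the scanner poll
# until the background task finishes and fails the build if the gate is ERROR.
run_scan() {
  require_token
  mvn -B clean verify sonar:sonar \
    -Dsonar.projectKey="$PROJECT_KEY" \
    -Dsonar.projectName="$PROJECT_KEY" \
    -Dsonar.host.url="$SONAR_URL" \
    -Dsonar.token="$SONAR_TOKEN" \
    -Dsonar.qualitygate.wait=true
}

# Query the gate after the scan and list the failing conditions so the CI log
# says why the build failed. The token is sent as the HTTP basic-auth username.
report_quality_gate() {
  require_token
  body="$(curl -fsS -u "$SONAR_TOKEN:" \
    "$SONAR_URL/api/qualitygates/project_status?projectKey=$PROJECT_KEY")"
  status="$(gate_status "$body")"
  echo "Quality gate for $PROJECT_KEY: $status"
  if [ "$status" = "ERROR" ]; then
    echo "Failing conditions:"
    failed_conditions "$body" | sed 's/^/  - /'
    return 1
  fi
}

# Usage: SONAR_TOKEN=... sh sonar-scan.sh scan
# Without the argument the file only defines functions, so it can be sourced.
case "${1:-}" in
  scan) run_scan; report_quality_gate ;;
esac
```

With `sonar.qualitygate.wait=true` the Maven build itself fails on a red gate; report_quality_gate then turns the opaque failure into a list of metric keys (for example a security rating or unreviewed hotspots) that a developer can act on without opening the dashboard.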

Results (screenshots from the original article): the application build succeeding, an SQL injection finding, the Issues tab, the Security Hotspots tab and the Code tab.

Conclusion

By following the steps outlined in this guide, you have set up SonarQube and integrated it with a Java project to perform static code analysis. Scanning your codebase on every build helps maintain code quality and security by surfacing vulnerabilities and code smells while the change is still fresh, so they can be addressed promptly.

Feel free to adapt the steps to your specific project requirements and environment. Happy coding!




By,

Anshumaan Singh

ZEE Entertainment Enterprises Limited






