SonarQube Code Quality

Author : Paddy Murphy
Date : 2017-05-03

What is it?

SonarQube is an open source tool which gives a snapshot of code quality. It uses the following quality metrics:

• Potential Bugs - This uses coding rules to detect potential bugs, bugs can be ranked as Blocker, Critical, Major, Minor, or Info
• Tests - This measures unit-test coverage
• Duplications - Detect copy-paste code and give a percentage value
• Comments - Measures the percentage of comments. Only API comments are measured; inline comments are ignored.
• Architecture & Design - only supported for Java analysis, LCOM4 determines how the code stacks up from an object oriented design perspective, the tidiness of the programs architecture is also measured i.e. do classes in package A include classes in package B
• Complexity - Measures how complex the logic of the code is; this is calculated by adding the complexity value for each file analysed.

It consists of two components a SonarQube server which displays the the results and a SonarQube scanner which carries out the code analysis.

Where is it installed?

The SonarQube server is currently installed on the erato server. View dashboard at: http://10.91.100.111:9000/sonar/dashboard/

Log in with the usual credentials, the home page displays a list of projects that have been analysed.

SonarQube requires Java 8 and MySQL – 5.6 or greater

• wget https://sonarsource.bintray.com/Distribution/sonarqube/sonarqube-5.6.4.zip –no-check-certificate
• sudo unzip sonarqube-5.6.4.zip
• sudo nano sonarqube-5.6.4/conf/sonar.properties
• uncomment the following lines

#sonar.web.host=0.0.0.0
#sonar.web.context=
#sonar.web.port=9000

Add the following values:
sonar.web.host=<server ip address>
sonar.web.context=/sonar
sonar.web.port=9000

Start Application

• cd /opt/sonar/sonarqube-5.6.4/bin/linux-x86-64
• sudo ./sonar.sh start
• point browser at:
• http://server_ip_address:9000/sonar/dashboard/

Add sonar database
By default SonarQube uses the H2 database engine. This is not suitable for a production instance.
Ensure that a MySQl version 5.6 or greater is installed.

• login to mysql server
• create database sonar;
• sudo nano sonarqube-5.6.4/conf/sonar.properties
• uncomment the JDBC MySQL Driver line & the following lines:

#sonar.jdbc.username=
#ssonar.jdbc.password=

Change values:
#sonar.jdbc.username=root
#ssonar.jdbc.password=ozzrules

If everything is configured correctly the dashboard page should display when SonarQube is restarted.

Logs can be viewed at: /opt/sonar/sonarqube-5.6.4/logs/sonar.log

Stop application

• cd /opt/sonar/sonarqube-5.6.4/bin/linux-x86-64
• sudo ./sonar.sh stop

Restart Application

• cd /opt/sonar/sonarqube-5.6.4/bin/linux-x86-64
• sudo ./sonar.sh start

Sonarqube won't start with ElasticSearch exceptions in the log

• you will see something like '2018.08.27 03:45:37 INFO app[o.s.p.m.Monitor] Process[es] is stopped' in the logs
• most likely the elasticsearch data is corrupted
• you will need to stop the sonarqube and delete the elasticsearch folder:
• sudo rm -rf /opt/sonar/sonarqube-5.6.4/data/es/sonarqube/
• start sonarqube again
• sonarqube will rebuild the elasticsearch data startup (which can take few minutes)
• check the ui if it works

Install the Jenkins SonarQube plugin

Add SonarQube Server

See Setting up SonarQube in Jenkins 2

Add SonarQube scanner

• Go to Jenkins, Manage Jenkins, Global Tool Configuration
• In the JDK section install a Java 8 version if not already installed
• In SonarQube Scanner section select Add SonarQube Scanner
• Give the scanner a suitable name
• From dropdown select Sonarqube Scanner 2.8
• At bottom of page select Apply and Save

Add SonarQube Scanner build step to Grails 2 Project

As this build step can take some time on larger projects this build step should be last.

• Choose add build step and select Execute SonarQube Scanner.
• For JDK Select a Java 8 version
• In Analysis properties use template below and edit to suit your needs.

# must be unique in a given SonarQube instance
sonar.projectKey=com.errigal.reporting-manager
# this is the name and version displayed in the SonarQube UI. Was mandatory prior to SonarQube 6.1.
sonar.projectName=reporting-manager
sonar.projectVersion=1.0
 
# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
# Since SonarQube 4.2, this property is optional if sonar.modules is set. 
# If not set, SonarQube starts looking for source code from the directory containing 
# the sonar-project.properties file.
sonar.sources=.
 
# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8

# Exclude files from SonarQube analysis
sonar.exclusions=src/templates/artifacts/**, web-app/js/prototype/**
# Language
#sonar.language=grvy

SonarQube Scanner Build Example

• If no language is specified an analysis is done on all Java, Groovy, & JavaScript code.
• Use the following syntax to specify an analysis for a single language only.

# Groovy 
sonar.language=grvy

# Java 
sonar.language=java

# JavaScript
sonar.language=js

Grails 3 Projects
Grails 3 projects use the Gradle build system.
See the Alarm-cache Project for an example of grails 3 and SonarQube integration (http://10.91.100.112:8080/job/alarm-cache/):

build.gradle

  dependencies {
    classpath "org.grails:grails-gradle-plugin:$grailsVersion"
    classpath "org.grails.plugins:hibernate5:${gormVersion - ".RELEASE"}"
    classpath "org.grails.plugins:views-gradle:1.1.6"
    classpath "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.3"
  }
}
... 

apply plugin: "jacoco"
if (JavaVersion.current() == JavaVersion.VERSION_1_8) {
  apply plugin: "org.sonarqube"
  //Define sonar url and login token for all sub project
  //https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Gradle#AnalyzingwithSonarQubeScannerforGradle-AnalyzingMulti-ProjectBuilds
  sonarqube {
    properties {
      property "sonar.host.url", "http://10.91.100.110:9000/sonar"
      property "sonar.login", "cf6a76dc8f93946096c8c21e746e249e53d619dc"
    }
  }
}

Jenkinsfile.groovy

#!groovy
// Define versioning strategy
versionNumber = "0.1.0." + currentBuild.number
currentBuild.displayName = versionNumber
// ID of the Jenkins credentials for interaction with BitBucket
bitbucketCredentialsId = 'bitbucket'
// The hostname/path part of the git URL
repoLocation = 'bitbucket.org/errigal/alarm-cache.git'

...

stage('Unit Test') {
    try {
      sh './gradlew test --continue'
    } finally {
      // Archive test result so they are browsable from Jenkins
      step([$class: 'JUnitResultArchiver', testResults: '**/build/test-results/test/*.xml'])
    }
  }

  stage('Integration Test') {
    try {
      sh './gradlew integrationTest --continue'
    } finally {
      // Archive test result so they are browsable from Jenkins
      step([$class: 'JUnitResultArchiver', testResults: '**/build/test-results/integrationTest/*.xml'])
    }
  }

  stage('Coverage') {
    try {
      sh './gradlew jacocoTestReport'
    } finally {
      // Archive coverage result so they are browsable from Jenkins
      step([$class: 'JacocoPublisher'])
    }
  }

  stage('SonarQube') {
    sh "./gradlew sonarqube -Dsonar.projectVersion=$versionNumber"
  }
}

Jenkins 2 & Grails 3 integration