How to improve your code quality with SonarQube

SonarQube is an open-source platform that helps you keep code quality and security under control by analyzing your codebase for bugs, code smells and vulnerabilities. It is most useful when it runs on every change as part of your CI/CD pipeline, so problems are caught before they are merged.
In this tutorial, we will cover:
What is SonarQube?
How SonarQube Improves Code Quality
Step-by-step Installation and Configuration
How to Run Your First Code Analysis
What is SonarQube?
SonarQube is an open-source platform for continuous inspection of code quality and security. It analyzes source code for duplication, bad practices (code smells), gaps in test coverage, bugs and vulnerabilities, and reports them per project. It supports many languages, including Java, C#, JavaScript, TypeScript, Python and Kotlin.
SonarQube integrates with CI/CD pipelines, IDEs and hosting platforms such as GitHub, GitLab and Bitbucket, and its dashboards show metrics, trends and the open issues for each project.
Quality profiles let you choose and tune the rules that enforce your coding standards and keep technical debt down (custom rules are possible through plugins). SonarQube does not measure coverage itself; it imports coverage reports produced by your test tooling (JaCoCo for Java, for example) so the team can see where tests are missing. A Quality Gate is a set of pass/fail conditions on those metrics (for example: no new bugs, no new vulnerabilities, coverage on new code above a threshold), so only code that meets the bar is promoted to production.
SonarQube is available as a free Community edition and as paid editions with additional analyzers and enterprise features, so it fits any team size. Overall, it improves software quality and encourages good coding practices.
How Does SonarQube Improve Code Quality?
Here’s how SonarQube helps improve code quality:
Early bug detection: Identifies bugs before they reach production
Improved maintainability: Highlights code and design issues
Security insights: Flags vulnerabilities and security hotspots (code that needs a manual security review)
Code coverage: Imports coverage reports from your test tooling so coverage is tracked alongside the other metrics
Customizable rules: Allows teams to set coding standards and policies
Team collaboration: Ensures consistent code quality across development teams
Step-by-Step Installation and Configuration
Prerequisites:
Before installing SonarQube you need:
Java Runtime: a Java version matching the release you download. Current SonarQube releases require Java 17; older releases ran on Java 11.
System resources: at least 2 GB of RAM for SonarQube itself (4 GB or more recommended). On Linux the embedded Elasticsearch also needs the kernel setting vm.max_map_count raised to the value given on the SonarQube requirements page (sysctl -w vm.max_map_count=524288 at the time of writing), otherwise the server fails to start.
macOS: Homebrew, the macOS package manager, simplifies the installation of the scanner.
Below are the steps to install SonarQube in your local machine:
Download SonarQube
Download the Community Edition (free, suitable for open-source projects) from the SonarSource downloads page.
Extract and Configure
Unzip the archive and change into its bin/ directory. The launchers live in a platform-specific subdirectory below it (linux-x86-64, macosx-universal-64 or windows-x86-64), so change into the one for your platform before starting the server:
unzip sonarqube-.zip
cd sonarqube-/bin/
Start SonarQube
On Linux/macOS, run the launcher from the platform subdirectory. Use console instead of start the first time so the logs stay in the foreground and startup errors are visible. Note that SonarQube refuses to run as root, because its embedded Elasticsearch will not; run it as an unprivileged user:
./sonar.sh start
On Windows, run this one:
StartSonar.bat
Access SonarQube
Open a browser and go to http://localhost:9000.
Enter the default credentials:
Username: admin
Password: admin
You will be prompted to change the password at first login. Do it before anything else: the admin account can generate tokens, edit rules and delete projects, and a SonarQube instance reachable by others with admin/admin is an easy target.
[screenshot of the SonarQube login page in the original article]
Set Up SonarQube in Your Project
Open your Java project and create a file named sonar-project.properties in the project root. Add the key/value pairs below. Note that sonar.sources=. tells the scanner to analyze every file under the project root, including build output and vendored dependencies; on a real project narrow it to the source directories (for example src/main/java) and, for Java, also set sonar.java.binaries to the directory of compiled classes, because the Java analyzer refuses to run without it.
sonar.projectKey=spring-myproject
sonar.projectName=My Project
sonar.projectVersion=1.0
sonar.sources=.
sonar.host.url=http://localhost:9000
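A fuller sonar-project.properties for a Maven-layout Java project, added here as an example rather than taken from the article. The src/ and target/ paths are assumptions about the project layout; every property name is a standard SonarScanner or Java-analyzer property.

```properties
# Added example, not the article's file. Paths assume a Maven layout (src/, target/).
sonar.projectKey=spring-myproject
sonar.projectName=My Project
sonar.projectVersion=1.0
sonar.host.url=http://localhost:9000

# Scope the analysis to real sources; "." would also pull in build output and vendored code.
sonar.sources=src/main/java
sonar.tests=src/test/java
sonar.exclusions=**/generated/**
sonar.sourceEncoding=UTF-8

# The Java analyzer requires compiled classes; run the build (e.g. mvn compile) first.
sonar.java.binaries=target/classes

# Import the JaCoCo XML report so coverage appears alongside the other metrics.
sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml

# Make the scanner wait for the Quality Gate and exit non-zero if it fails (useful in CI).
sonar.qualitygate.wait=true

# No token in this file: supply it through the SONAR_TOKEN environment variable
# or a -Dsonar.token=... argument, so it never lands in version control.
```

Commit this file; the token is the only value that must stay out of it.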
How to Run Your First Code Analysis
Configure and Run SonarScanner
SonarScanner is the client that reads sonar-project.properties, analyzes the code locally and uploads the report to the SonarQube server. Below are the steps to follow to use it:
Install SonarScanner:
On Windows/Linux, download the SonarScanner CLI from SonarSource, unzip it and add its bin/ directory to your PATH:
unzip sonar-scanner-cli-.zip
On macOS, install it with Homebrew:
brew install sonar-scanner
On all platforms, verify the installation:
sonar-scanner -v
Configure SonarScanner
The scanner needs the server URL and an authentication token. In SonarQube, open your profile (top-right corner > My Account > Security), choose the token type (a Project Analysis Token scoped to this project is the least privilege a scan needs; a User Token carries all of your permissions), give it a name and click 'Generate'. The token is displayed only once, so copy it immediately.
[screenshot of the token generation form in the original article]
Now give the token to the scanner. Older tutorials put it in sonar-project.properties under sonar.login; that property has been deprecated since SonarQube 10.0 in favor of sonar.token. More importantly, sonar-project.properties is normally committed with the project, so a token written into it ends up in version control history. Prefer to supply the token out of band, through the SONAR_TOKEN environment variable or a -Dsonar.token=... argument on the command line, and keep the file to non-secret settings:
sonar.projectKey=spring-myproject
sonar.projectName=My Project
sonar.host.url=http://localhost:9000
If you do put the token in the file for a local experiment, use sonar.token= (with the value filled in) rather than sonar.login, and add the file to .gitignore.
Run the Analysis
Once SonarScanner is configured, open a terminal or command prompt at the root of your project (where sonar-project.properties is located) and, with SONAR_TOKEN exported, run:
sonar-scanner
SonarScanner analyzes your code and uploads the report to your local SonarQube server, which processes it in the background. After a few seconds, http://localhost:9000 lists your project on the Projects page.
To open the analysis report, go to http://localhost:9000/dashboard?id=spring-myproject, where the id is the sonar.projectKey you configured.
The 'Issues' tab of the project lets you filter findings by software quality (security, reliability, maintainability), severity and other attributes, and the Security Hotspots tab lists code that needs a manual security review.
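The token-handling and scan steps above, as an added example that is not code from the article or from SonarSource: a small POSIX shell script that supplies the token through the environment and refuses to scan when a credential has been written into sonar-project.properties. It assumes sonar-scanner is on PATH; SONAR_TOKEN and SONAR_HOST_URL are real scanner environment variables, check_no_token_in_file and run_scan are names chosen here, and the two properties files and the token string inside them are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article). Keeps the analysis token out of
# sonar-project.properties and hands it to SonarScanner via the environment.
# Assumes: sonar-scanner CLI 5.x on PATH (reads SONAR_TOKEN / SONAR_HOST_URL).

# Return 0 if the properties file carries no credential, 1 if it does.
# sonar.token and the deprecated sonar.login are where a token would be put;
# sonar.password belongs to the old username/password scheme. Comment lines
# are ignored, and an empty value (e.g. "sonar.token=") is not a credential.
check_no_token_in_file() {
    file="$1"
    if grep -Ev '^[[:space:]]*#' "$file" |
       grep -Eq '^[[:space:]]*sonar\.(token|login|password)[[:space:]]*=[[:space:]]*[^[:space:]]'; then
        return 1
    fi
    return 0
}

# Run the scanner with the token taken from the environment only.
run_scan() {
    : "${SONAR_TOKEN:?set SONAR_TOKEN to a SonarQube analysis token (never commit it)}"
    check_no_token_in_file sonar-project.properties || {
        echo "refusing to scan: sonar-project.properties contains a credential" >&2
        return 1
    }
    # sonar.token needs scanner CLI 5.0+; older CLIs only understand sonar.login.
    sonar-scanner \
        -Dsonar.host.url="${SONAR_HOST_URL:-http://localhost:9000}" \
        -Dsonar.token="$SONAR_TOKEN"
}

# Constructed sample files (not real projects or tokens) to exercise the check.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/clean.properties" <<'EOF'
sonar.projectKey=spring-myproject
sonar.host.url=http://localhost:9000
# sonar.token is supplied via the SONAR_TOKEN environment variable
EOF
cat > "$tmp/leaky.properties" <<'EOF'
sonar.projectKey=spring-myproject
sonar.login=sqp_0123456789abcdef0123456789abcdef01234567
EOF

if check_no_token_in_file "$tmp/clean.properties"; then
    echo "clean.properties: ok"
fi
if ! check_no_token_in_file "$tmp/leaky.properties"; then
    echo "leaky.properties: credential found, would refuse to scan"
fi

# Only invoke the real scanner when asked, so the checks above run anywhere.
if [ "${1:-}" = "--scan" ]; then
    run_scan
fi
```

Wire check_no_token_in_file into a pre-commit hook or a CI step and the file can never carry a token past review; the token itself lives only in the CI secret store that populates SONAR_TOKEN.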
Conclusion
You have now installed and configured SonarQube and learned how to scan your code with SonarScanner, so you can add it to your projects for continuous code quality analysis.
It is an effective tool for keeping a code base clean and maintainable. As next steps, consider importing test coverage reports, enforcing the Quality Gate in your pipeline (setting sonar.qualitygate.wait=true makes the scanner exit non-zero when the gate fails, which is what makes a CI job block the merge), and exploring SonarCloud for hosted analysis.