SonarQube in Java

SonarQube is an open-source platform for static code analysis. Developers use it to manage the quality, consistency and security of their source code continuously. Some of the checks it performs are:

  1. Potential bugs
  2. Design defects
  3. Code duplication
  4. Lack of test coverage
  5. Excess complexity

Static testing

Static testing examines source code before the program is run, that is, it tests the code without executing it. It does so by analysing the code against a predefined set of coding rules and checking that the code conforms to those guidelines.

The developer writes the code, and while it is being written a static analysis tool reads through it and analyses it.

When a rule is broken, the tool reports the finding to the developer, who can fix it immediately, while the code is still in the editor rather than after it has reached review, a test environment or production.

Static code analysis

Many tools support static testing and present their analysis in a form that makes the code easier to understand.

As described above, static testing takes the code while it is being written and analyses it.

In SonarQube's case, while the developer is writing the code, SonarQube goes through it and, based on a predefined set of rules, checks whether the coding and security standards are being followed.

Static testing happens during development, without running the program, whereas dynamic testing exercises the program during execution. The two complement each other: a hard-coded secret or an unclosed resource is visible from the source alone, while a misconfigured runtime environment only shows up when the program runs.

Static testing is early testing. It is not done by hand by the testers; it is performed by a static analysis tool.

Features of SonarQube

It supports around 25 languages, including Java, C# (.NET), COBOL, PHP, Python, C++, JavaScript, Ruby, Kotlin and Scala; some of these, such as COBOL, are only available in the commercial editions.

It is used to find issues that are hard to spot by reading the code, and there are several kinds of them:

  • Detect bugs: SonarQube flags code it determines to be faulty, or likely to fail at runtime, and raises an issue on that piece of code.
  • Code smells: code smells are characteristics of the code that indicate it may cause problems in the future, typically because it is hard to read, change or test.
    A smell is not necessarily wrong; sometimes it is simply how the functionality has to work and nothing can be done about it, in which case the issue can be reviewed and closed as won't fix rather than silently ignored.
  • Security vulnerability: SonarQube detects security weaknesses in the code.
    Example: a developer opens a JDBC connection or statement and never closes it, or writes important details such as a username and password directly into the source code.
    If the website or application is compromised, or the repository leaks, an attacker who finds those hard-coded details can use them to access other company applications and cause far more damage. SonarQube identifies such findings (hard-coded credentials are reported as security findings, unclosed resources as bugs) so they can be fixed before that happens.
  • Activate the rules needed: we can create and maintain different sets of rules specific to projects, known as Quality Profiles.
    If a team has standard rules that it wants to follow for particular projects, it creates a quality profile in SonarQube, usually by extending the built-in "Sonar way" profile.
    When a developer writes code, it is tested against the quality profile. If the code does not follow the profile, SonarQube informs the developer about it.
  • Execution path: data flows between the different modules of a program, and SonarQube can follow it to find tricky bugs that only appear along a particular execution path, for example a value that is null on one branch and dereferenced later; in the commercial editions, taint analysis extends this to injection flaws.
    When a company works on an application, it has a code pipeline and data flowing through the program. When SonarQube is integrated with Jenkins or another CI/CD tool, it analyses every build on its own and keeps looking for errors along these paths.
  • Enhanced workflow (better CI/CD)
    It keeps working in the background from the development phase onwards, monitoring the code and identifying errors.
    Once SonarQube is integrated with a CI/CD tool it runs automatically, identifying the errors and code smells and tracking the technical debt by itself.
    We do not need to open SonarQube to start an analysis or read its result: the scanner is launched by the build, the results are available through the Web API, and a webhook can call back into the pipeline when an analysis finishes.
    If we do not want to host SonarQube ourselves, the same analysis is offered as a hosted service (SonarCloud).
    It can be integrated directly with the version control software of our choice.
    Example: GitHub
    SonarQube integrates with GitHub and finds errors in the versions of the code we are using or developing; the commercial editions also analyse pull requests and report the issues on the pull request itself.
    It gives us branch-level analysis: in the commercial editions it does not analyse only the main branch but also explores the other branches, identifying any errors in them.
  • Built-in methodology: It can flag resource leaks, for example a stream or database connection that is opened and never closed; at runtime such a leak slowly exhausts memory or file handles, typically over a long period, and static analysis reports the missing close long before that symptom appears.
    It visualises the results well and gives simple overviews of the overall health of the code.
    When the developer has been working on the code for some time, SonarQube can produce an accurate report of how the code has been performing and present it on the dashboard. The team lead or developer can go through it and see the number of bugs, the number of code smells and any security issues; all of this is visible to the developer. SonarQube also enforces a Quality Gate, a set of pass or fail conditions on these measures (for example no new bugs and a minimum coverage on new code), so it tells us, according to our own requirements and practices, whether the code is acceptable or not.
    If it shows a problem, SonarQube lets us jump directly to the affected file and line from the summary report, and move from one code file to another.
    A companion tool, SonarLint, is an IDE extension that runs the same kind of rules as we type; it can be connected to a SonarQube server to share its quality profile, so there is no need to install the whole SonarQube package on every developer machine.

SonarQube Installation

Initially, there are three steps for installation:

  1. Install Docker and pull the SonarQube image
  2. Set up SonarQube in the browser
  3. Download sample code and analyse it with Sonar

Install Docker to make running Sonar easy: the official image bundles the server with an embedded database, which is enough for a trial but not for production.
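As an added example (not code from the page or from the SonarQube project), the shell script below carries out the three steps above end to end: it starts the official Community image, waits on the server's status API, generates a small Java project containing the two problems described earlier (a hard-coded credential and an unclosed JDBC connection) beside a fixed version, writes the scanner configuration, and runs sonar-scanner with the Quality Gate wait enabled, which also covers starting an analysis and reading its result without opening the web UI. The project key, the working directory and the SONAR_TOKEN variable are assumptions chosen for the example, and the Java sources are constructed for it.

```sh
#!/bin/sh
# Added example, not from the page or the SonarQube project: scripts the three
# installation steps end to end. Assumptions chosen here: project key
# "sonar-java-demo", a user token in SONAR_TOKEN (My Account > Security in the
# web UI), and docker, curl, javac and the sonar-scanner CLI on PATH.
set -eu

SONAR_URL="${SONAR_URL:-http://localhost:9000}"
PROJECT_KEY="${PROJECT_KEY:-sonar-java-demo}"
WORKDIR="${WORKDIR:-$PWD/sonar-java-demo}"

# Step 1: pull and start the official Community image (web UI on port 9000; the
# bundled H2 database is for evaluation only; Linux hosts need vm.max_map_count >= 262144).
start_server() {
  docker pull sonarqube:community
  docker run -d --name sonarqube -p 9000:9000 sonarqube:community
}

# Step 2: poll the system-status Web API until the server reports UP.
wait_for_server() {
  for _ in $(seq 1 60); do
    curl -sf "$SONAR_URL/api/system/status" | grep -q '"status":"UP"' && return 0
    sleep 5
  done
  echo "SonarQube did not come up at $SONAR_URL" >&2
  return 1
}

# Step 3a: a constructed Java project with the two problems described above
# (hard-coded credential, unclosed JDBC connection) next to a fixed version.
write_sample_project() {
  mkdir -p "$WORKDIR/src/main/java/demo"
  cat > "$WORKDIR/src/main/java/demo/Bad.java" <<'EOF'
package demo;
import java.sql.*;
public class Bad {
    private static final String PASSWORD = "s3cret"; // hard-coded credential
    public static int count() throws SQLException {
        Connection c = DriverManager.getConnection("jdbc:postgresql://db/app", "app", PASSWORD);
        ResultSet r = c.createStatement().executeQuery("SELECT count(*) FROM users");
        return r.next() ? r.getInt(1) : 0; // Connection, Statement and ResultSet never closed
    }
}
EOF
  cat > "$WORKDIR/src/main/java/demo/Good.java" <<'EOF'
package demo;
import java.sql.*;
public class Good {
    private static String password() { // secret comes from the environment, not the source
        String p = System.getenv("DB_PASSWORD");
        if (p == null) throw new IllegalStateException("DB_PASSWORD is not set");
        return p;
    }
    public static int count() throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:postgresql://db/app", "app", password());
             Statement s = c.createStatement();
             ResultSet r = s.executeQuery("SELECT count(*) FROM users")) {
            return r.next() ? r.getInt(1) : 0; // try-with-resources closes all three
        }
    }
}
EOF
}

# Step 3b: scanner configuration. Java analysis needs compiled classes, and the
# token deliberately stays out of this file (it would end up in version control).
write_scanner_config() {
  cat > "$WORKDIR/sonar-project.properties" <<EOF
sonar.projectKey=$PROJECT_KEY
sonar.sources=src/main/java
sonar.java.binaries=target/classes
sonar.host.url=$SONAR_URL
EOF
}

# Step 3c: compile, scan, and wait for the Quality Gate so that a failed gate
# fails this script (and hence a CI job) instead of only showing on the dashboard.
compile_and_scan() {
  : "${SONAR_TOKEN:?set SONAR_TOKEN to a SonarQube user token}"
  cd "$WORKDIR"
  mkdir -p target/classes
  javac -d target/classes src/main/java/demo/*.java
  # SonarQube 10 / SonarScanner 5 and later call this property sonar.token.
  sonar-scanner -Dsonar.login="$SONAR_TOKEN" -Dsonar.qualitygate.wait=true
}

# The gate result is also available later through the Web API, e.g. from a pipeline.
quality_gate_status() {
  curl -sf -u "$SONAR_TOKEN:" "$SONAR_URL/api/qualitygates/project_status?projectKey=$PROJECT_KEY"
}

if [ "${1:-}" = "run" ]; then
  start_server
  wait_for_server
  write_sample_project
  write_scanner_config
  compile_and_scan
  quality_gate_status
fi
```

Run it as `sh sonar_demo.sh run`; without the argument it only defines the functions. The analysis of Bad.java should report the hard-coded password and the unclosed connection while Good.java stays clean, and because the scanner waits for the Quality Gate the script exits non-zero when the gate fails, which is the behaviour a CI job wants.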

SonarQube setup

First, open the website sonarqube.org. It offers options such as products, what's new, documentation, community and a download button, from which we can download the SonarQube executables.

We check the documentation, where we want to see the requirements. In the left panel there is a Requirements section with prerequisites and an overview; for the release used here it states that we can use either the Oracle JRE or OpenJDK, version 11. Newer releases require Java 17, so check the Requirements page for the version you download.

We also have supported web browsers like google chrome, Microsoft edge, Mozilla Firefox, etc.

Different Components of SonarQube

On the same page, click Setup and Upgrade; it has an option called Install the Server, and on that page there is a diagram showing the different components of SonarQube and the communication between them.

We have a scanner component, a SonarQube server and a database server. We go through each element below.

SonarQube Server

  1. A web server that serves the SonarQube user interface
  2. A search server based on Elasticsearch
  3. A compute engine in charge of processing code analysis reports and saving them in the SonarQube database

The database server stores the configuration, metrics, issues and analysis history for every project; the SonarQube dashboard displays the information held in this database.

The scanner component scans our project and sends its report to the SonarQube server; the scanner is included either in the build (Maven, Gradle or the sonar-scanner CLI) or in the continuous integration tool. The scanner talks to the server over HTTP(S), authenticating with a token, and only the server talks to the database, so build agents need network access to the server but never to the database.

Setting up the SonarQube Server

We can download SonarQube through the browser from the sonarqube.org website. When we open the download link, there are several editions: Community, Developer, Enterprise and Data Center. We use the default one, Community, click "download for free", and the zip file is downloaded.

When the zip file is downloaded we unzip it and keep the extracted folder as our SonarQube directory.

Inside the folder there are several subfolders, such as bin, conf, data and logs.

First, we need to edit the configuration, but before that we must make sure that every requirement and dependency is in place. For this we need Java 11 installed (or the Java version required by the release being installed).

Apart from Java, we also need a database server; here that is PostgreSQL 11. The embedded H2 database that SonarQube falls back to is only meant for evaluation.

When our JDK and database are in place, we are ready to edit the configuration.

In the conf folder there are two files of interest: sonar.properties, which holds the database, web and server settings, and wrapper.conf, which configures the service wrapper, including which Java is used to run the server.
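As an added example, not from the page or from the SonarQube project, the script below performs the configuration step the text stops at: it writes conf/sonar.properties for a PostgreSQL database, points conf/wrapper.conf at the required JDK, and starts the server. The database and role name "sonarqube", the SONAR_HOME and SONAR_DB_PASSWORD variables, and the loopback binding are assumptions chosen for the example; the property keys it writes are SonarQube's own.

```sh
#!/bin/sh
# Added example, not from the page or the SonarQube project: configures an
# unzipped SonarQube for PostgreSQL. Assumptions chosen here: the archive is
# unzipped at $SONAR_HOME, the database and role are both named "sonarqube",
# and the role password arrives in SONAR_DB_PASSWORD rather than in this file.
set -eu

SONAR_HOME="${SONAR_HOME:-$PWD/sonarqube}"

# SQL to create the role and database, to be run once by a PostgreSQL superuser
# (for example: db_setup_sql | psql -U postgres).
db_setup_sql() {
  : "${SONAR_DB_PASSWORD:?set SONAR_DB_PASSWORD to the password for the sonarqube role}"
  printf "CREATE USER sonarqube WITH ENCRYPTED PASSWORD '%s';\n" "$SONAR_DB_PASSWORD"
  printf "CREATE DATABASE sonarqube OWNER sonarqube;\n"
}

# conf/sonar.properties holds the database credential, so it is written with
# mode 0600 (umask inside a subshell) for the account that runs SonarQube.
configure_server() {
  : "${SONAR_DB_PASSWORD:?set SONAR_DB_PASSWORD to the password for the sonarqube role}"
  mkdir -p "$SONAR_HOME/conf"
  (
    umask 077
    cat > "$SONAR_HOME/conf/sonar.properties" <<EOF
# Without sonar.jdbc.* SonarQube silently uses its embedded H2 database,
# which is for evaluation only.
sonar.jdbc.url=jdbc:postgresql://localhost:5432/sonarqube
sonar.jdbc.username=sonarqube
sonar.jdbc.password=$SONAR_DB_PASSWORD
# Bind the web UI to loopback and terminate TLS in a reverse proxy in front.
sonar.web.host=127.0.0.1
sonar.web.port=9000
EOF
  )
}

# conf/wrapper.conf tells the service wrapper which Java to run; point it at
# the JDK required by the downloaded release (Java 11 for the page's version).
set_java_in_wrapper() {
  : "${JAVA_HOME:?set JAVA_HOME to the JDK SonarQube should run with}"
  f="$SONAR_HOME/conf/wrapper.conf"
  sed "s|^wrapper.java.command=.*|wrapper.java.command=$JAVA_HOME/bin/java|" "$f" > "$f.tmp"
  mv "$f.tmp" "$f"
}

# Start the server. It must run as an unprivileged user: the embedded
# Elasticsearch refuses to start as root.
start_server() {
  "$SONAR_HOME/bin/linux-x86-64/sonar.sh" start
}

if [ "${1:-}" = "run" ]; then
  db_setup_sql | psql -U postgres
  configure_server
  set_java_in_wrapper
  start_server
fi
```

Run it as `sh configure_sonar.sh run` after unzipping the archive; without the argument it only defines the functions. The credential lands in a 0600 file and is never typed on the command line where it would show up in shell history or process listings, and binding the UI to 127.0.0.1 assumes a reverse proxy terminates TLS in front of it.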

