Continuous Code Quality with the Sonar Ecosystem @GeeCON 2017 in Prague

Continuous Code Quality with the SonarEcosystem
Roman Pickl (roman.pickl@fluidtime.com)

Fluidtime
Enabling Smart Mobility.
© 2017 Copyright Fluidtime Data Services GmbH
At a glance
- 10+ years’
experience in
integrating transport
systems
- 22 mobility Apps in
the stores
- 43+ million requests
/ month
- 500.000+ unique
users / month
qando
Vienna, Linz, Graz,
Salzburg, Klagenfurt.
SMILE
Lighthouse project for
integrated mobility
Wien Mobil Lab
Vienna
FluidHub
Powering the Integrated Mobility and MaaS Ecosystem
2009
avv connect
Aachen Region, North
Rhine-Westphalia.
2014
NUMO
Vienna
2012 2015 2016

Fluidtime
How did I end up here?
- Roman Pickl (@rompic)
- CTO @ Fluidtime
- In charge of the technical development
- Using SonarQube since 2013
- Attended GeeCON Prague 2016
- Liked it and applied for GeeCON Prague 2017
- Here to learn

Fluidtime
Agenda
- Code Quality
- Continuous Inspection with Three Lines of Defense
• Pre-Commit Analysis: SonarLint
• Pull Request Analysis
• SonarQube: Managing the Leak / Quality Gates and more
- Learnings
- Summary
- Demo
- Additional Resources

Fluidtime
What gets measured gets managed
I often say that when you can measure what you are speaking
about, and express it in numbers, you know something about
it; but when you cannot express it in numbers, your knowledge
is of a meagre and unsatisfactory kind; it may be the beginning
of knowledge, but you have scarcely, in your thoughts,
advanced to the stage of science, whatever the matter may
be.
- William Thomson, 1. Baron Kelvin
https://athinkingperson.com/2012/12/02/who-said-what-gets-
measured-gets-managed/

Fluidtime
Software Product Quality > Code Quality
www.mif.vu.lt/~sigitas/Quality/04_SQuaRE.ppt
ISO software quality model (ISO/IEC 25010)

Fluidtime
SQALE Model (Technical Debt Pyramid)
- Testability Index
- Reliability Index
- Changeability Index
- Efficiency Index
- Security Index
- Maintainability Index
- Portability Index
- Reusability Index
https://en.wikipedia.org/wiki/SQALE

© 2017 Copyright Fluidtime Data Services GmbH | www.fluidtime.com
Fluidtime
http://www.osnews.co
m/story/19266/Smells_
m

Fluidtime
SonarQube quality model
- Evolved SQALE model
- Bugs, Vulnerabilities and Code Smells are 1st class citizens
• Bugs: Code that is demonstrably wrong or highly likely to yield unexpected
behaviour.
• Vulnerabilities: Code that is potentially vulnerable to exploitation by hackers.
• Code Smells: Will confuse maintainers or give them pause.
- Not only ratings, but also approximate remediation efforts.
https://blog.sonarsource.com/bugs-and-vulnerabilities-are-1st-class-citizens-
in-sonarqube-quality-model-along-with-code-smells/

Fluidtime
© 2017 Copyright Fluidtime Data Services GmbH http://www.sasqag.org/pastmeetings/QualityPlans.pdf

Fluidtime
Catch those bugs early in the process
September 9, 1947
„At 3:45 p.m., Grace Murray Hopper
records the first computer bug in her log
book as she worked on the Harvard Mark
II“
http://www.computerhistory.org/tdih/September/9/

Fluidtime
SonarLint
https://blog.sonarsource.com/putting-it-all-together-end-
to-end-quality-with-sonarecosystem/
Pull RequestCode Locally Trunk Release1 2 3
Three Lines of Defense

Fluidtime
First line of defense : SonarLint (by SonarSource)
- Extension of your IDE
- LGPL v3
- On-the-fly feedback
- Pre commit analysis
(Fix issues before they exist)
- Local or connected mode
- Included languages
• Local: Java, JS, PHP, Python,
.NET
• More with connected mode
http://www.sonarlint.org/

Fluidtime
SonarLint for IntelliJ

Fluidtime
SonarLint Connected Mode
- Bind to project on SonarQube
server
- Use analyzers, quality profiles &
settings from your SonarQube
server
- Shared Custom Rule Sets
- Support for additional languages
(not all plugins!)

Fluidtime
Pull Request
AnalysisSonarLint
X
Pull RequestCode Locally Trunk Release
1 2 3

Fluidtime
Pull Request Analysis (GitHub (SonarSource), BitBucket/Stash & GitLab
(Community))
- SonarQube Server must be up and running.
- Plugin installed on SonarQube Server
- Run for each commit / pull|merge request
- Preview analysis
- Adds an inline comment for each issue
- Adds a global summary
- Updates the status of the analysis
- Human reviewer can focus on other issues

© 2017 Copyright Fluidtime Data Services GmbH | www.fluidtime.com
Fluidtime
https://gitlab.talanlabs.com/gabriel-allaigre/sonar-gitlab-plugin
Run: mvn --batch-mode verify sonar:sonar -Dsonar.host.url=$SONAR_URL -
Dsonar.analysis.mode=preview -Dsonar.gitlab.commit_sha=$CI_BUILD_REF -
Dsonar.gitlab.ref_name=$CI_BUILD_REF_NAME -
Dsonar.gitlab.project_id=$CI_PROJECT_ID
Setup GitLab in SonarQube Link the project in SonarQube to GitLab

Fluidtime
Links to plugins (not all of them are in the SonarQube update center yet)
- GitHub: https://docs.sonarqube.org/display/PLUG/GitHub+Plugin
- BitBucket: https://github.com/mibexsoftware/sonar-bitbucket-plugin
- Stash: https://github.com/AmadeusITGroup/sonar-stash
- GitLab: https://github.com/gabrie-allaigre/sonar-gitlab-plugin

Fluidtime
Pull Request
Analysis
Quality Gates
& Fixing the
leak
SonarLint
X X
1 2 3

Fluidtime
SonarQube Server (Developed by SonarSource; GNU LGPL v3)
- 20+ languages
- Wide range of plugins (Auth, SCM, Language, External Analyzers, …)
• external Analyzers like Findbugs/PMD; Most of the functionality already included in
SonarJava analyzer (https://blog.sonarsource.com/sonarqube-java-analyzer-the-
only-rule-engine-you-need/)
- 2 Versions
• Latest (Always in the middle of a major refactoring; Next LTS forecast October-
2017)
• LTS (use this if you apply any community plugins)
- Also available as a service (free for open source projects)
https://blog.sonarsource.com/walking-the-tightrope-balancing-
agility-and-stability/

Fluidtime
SonarQube 6.5 (latest)

Fluidtime
Architecture
https://docs.sonarqube.org/display/SONAR/Architecture+and
+Integration

Fluidtime
Quality Gates I
- Best way to enforce a quality policy in your organization
- indicates whether your project is releaseable
- collection of go/no-go conditions
- Each gate condition is a combination of :
• Measure
• period: Value (to date) or Leak (differential value over the Leak period)
• comparison operator
• warning value (optional)
• error value (optional)
https://docs.sonarqube.org/display/SONAR/Quality+Gates

Fluidtime
Quality Gates II

Fluidtime
Fixing the leak
- Do you reach for the mop?
- Or do you try to find the
source and fix it?
à Clean up as you update and
refactor your code over time
https://docs.sonarqube.org/display/HOME/Fixing+the+Water+Leak

Fluidtime
Fix the leak

Fluidtime
Detailed information about bugs found / committers / coverage / effort to
fix etc.

Fluidtime

Fluidtime
Cool stuff in the SonarEcosystem I: „Tricky Bugs are Running Scared“
https://blog.sonarsource.com/sonaranalyzer-for-java-tricky-bugs-are-
running-scared/

Fluidtime
Cool stuff in the SonarEcosystem II: „Cognitive Complexity“
https://blog.sonarsource.com/cognitive-complexity-because-
testability-understandability/
https://www.youtube.com/watch?v=x5V2nvxco90&feature=y
outu.be&list=PLSNlEg26NNpy1RjhlISNMRNO1gypYaXHo
https://www.sonarsource.com/docs/CognitiveComplexity.pdf

Fluidtime
Cool stuff in the SonarEcosystem III: highlighting of the exceptional path
when reporting issues (SonarJava 4.13)
https://www.sonarsource.com/resources/produ
ct-news/news.html#sonarjava-414

Fluidtime
Some more goodies
- Owasp 10 dependency check plugin:
https://github.com/stevespringett/dependency-check-sonar-plugin
- Java 9 support (since SonarJava 4.11):
https://www.sonarsource.com/resources/product-
news/news.html#sonarjava-4.11-released
- Scala analysis: http://www.openforce.com/2017/02/sonarqube-with-
scala/

Fluidtime
Pull Request
Analysis
Quality Gates
& Fixing the
leak
SonarLint
X X X
1 2 3

Fluidtime
Last Bastion – Break the build (Not always a good idea)
- Since 5.2 SonarQube analysis is asynchronous so you have to wait for the
result:
- Alternatives: Make quality gate failures visible (information radiators), Issue
notifications
https://blog.sonarsource.com/why-you-shouldnt-use-build-breaker/
https://www.sonarsource.com/resources/product-news/2017/02/2017-
02-28-sonarqube-scanner-for-jenkins-2.6-released.html

Fluidtime
Learnings
- Green field projects: Start early, Legacy projects: Don‘t try to fix
everything– Fix the leak / exclusions / different quality profiles
- Cultural change - Not everyone loves transparency
- Good to have: Objective instance (Best Practices) with detailed
explanations (Stick to the default rules as long as possible)
- File false positives (create trust in the system; or at least make it difficult
to blame SonarQube), maybe you‘ll even learn something
- Restore build in profiles after update (to enable newly added rules)
- Use LTS if you use any community plugins (or check compatibility)

Fluidtime
Just one tool in your belt
https://smartbear.com/SmartBear/media/ebooks/State-of-Code-
Quality-2016.pdf

Fluidtime
Summary
- Code Quality is just one, important, aspect of software quality
- Continuously inspect your code.
- Start with SonarLint, today!
- Look into Pull Request Analysis and Quality Gates with SonarQube
- Explore capabilities and extend functionalities with plugins
- It’s “just” a very powerful tool and no silver bullet solution

Fluidtime
Demo
1. Start SonarQube Server locally: docker run -p 9000:9000 -p 9092:9092
sonarqube:6.5
2. git clone https://github.com/SonarSource/sonarlint-intellij.git (or any other
project with some issues / tests where SonarQube plugin is set up)
3. Show SonarLint in IntelliJ (Preferences ->Plugin, Add a //TODO/BUG, Show
Explanation / Analyse open Files, All Files / Changed Files; Bind to Server
Dialog)
4. (Show example for pull request analysis: E.g.
https://github.com/SonarSource/sonarqube/pull/1750)
5. Run ./gradlew check buildPlugin sonarqube in the sonarlint-intellij project
6. Increase version in gradle.properties and run again
7. Browse to http://localhost:9000/ (admin/admin)
8. Show SonarQube GUI

Fluidtime
Additional Resources
- Docs: https://docs.sonarqube.org
- Blog: https://blog.sonarsource.com/
- Twitter: https://twitter.com/SonarQube
- Stackoverflow: http://stackoverflow.com/questions/tagged/sonarqube
- Mailing List: https://groups.google.com/forum/#!forum/sonarqube
- Roadmap: https://www.sonarqube.org/roadmap/
- Online Service (Free for open source projects): https://sonarcloud.io

Fluidtime
Contact
Roman Pickl (@rompic)
roman.pickl@fluidtime.com
Fluidtime Data Services GmbH
Neubaugasse 12-14/25
A–1070 Wien
Tel +43 (0)1 5860 180
www.fluidtime.com

Fluidtime
Additional References (where not indicated on the slide)
- slide 12,16,20,37: All Images from the noun project
(no changes made)
- Alexander Skowalsky, „Servers“,
https://thenounproject.com/search/?q=server&i=573662
Danil Polshin, „Developer“,
https://thenounproject.com/search/?q=developer&i=597289
Blake Stevenson, „Bug“,
https://thenounproject.com/search/?q=bug&i=781390
Oliviu Stoian, „Bed Bug“,
https://thenounproject.com/search/?q=bug&i=902732
- All Icons Licensed CC BY 3.0:
https://creativecommons.org/licenses/by/3.0/us/

Continuous Code Quality with the Sonar Ecosystem @GeeCON 2017 in Prague

Continuous Code Quality with the Sonar Ecosystem @GeeCON 2017 in Prague

Recommended

More Related Content

What's hot

What's hot(20)

Similar to Continuous Code Quality with the Sonar Ecosystem @GeeCON 2017 in Prague

Similar to Continuous Code Quality with the Sonar Ecosystem @GeeCON 2017 in Prague(20)

More from Roman Pickl

More from Roman Pickl(8)

Recently uploaded

Recently uploaded(20)

Continuous Code Quality with the Sonar Ecosystem @GeeCON 2017 in Prague