Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Continuous Inspection in a full stack project with SonarQube

849 views

Published on

A perfect article for the enthusiasts of software measurement and code quality. Contains broadened introduction and description of first experiences with the SonarQube tool. Explains in details configuration process, code evaluation and benefits from using Continuous Inspection in developers' daily work. Additionally, shows how to analyze a full stack project with a big part written in Typescript using the Angular2 framework.

Published in: Software
  • DOWNLOAD THIS BOOKS INTO AVAILABLE FORMAT (2019 Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download Full EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download Full doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download PDF EBOOK here { https://soo.gd/irt2 } ......................................................................................................................... Download EPUB Ebook here { https://soo.gd/irt2 } ......................................................................................................................... Download doc Ebook here { https://soo.gd/irt2 } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book THIS can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer THIS is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBooks .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story THIS Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money THIS the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths THIS Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Continuous Inspection in a full stack project with SonarQube

  1. 1. Continuous Inspection in a full stack project with SonarQube Pawe?Kozio? May2016 I am an enthusiast of softwaremeasurement and codequality. I will introduceyou to oneof our projectsand describe, why wethink wewill benefit from usingContinuousInspection in our daily work. Then I will motivatewhy wedecided to choose SonarQube. Thearticlewill also cover thedetailed technical setup of our SonarQube?sdeployment and our choiceof pluginsand sourcecodemetrics. And lastly, I will shareour opinion about thetool after the first week of usein theproject. I washappy when our client recently said they want to track metricsfor thesourcecodethat wedeliver, and I wasassigned with thetask of settingup atool for that. They needed aproof that thecodewas reliableand maintainableand that wecan keep its quality on thesamehigh level throughout the project. We?vealready had aCI/CD setup in our project. As part of our softwaredelivery pipelinewedo code review, run testsand do staticanalysis. Weuse Jenkinsand Gerrit for thispurpose. Wehaven?t however integrated any tool for trackingcode metricsjust yet. Toolsfor ContiuousInspection Thereareafew such toolsavailable, however, most of them areold and no longer maintained. Examples aretheQALab and theXRadar, which werelast updated morethan 7yearsago. I also knew SonarQubefrom my previousresearch on ContinuousInspection tools. It isopen source (LGPL v3license) and it isbacked by the SonarSourcecompany, so it can beused in arangeof editionsstartingfrom thefreeCommunity Edition up to theUltimateEdition with full support from SonarSource. ProgrammingLanguagesSupport SonarQubehassupport for morethan 20 programminglanguagesincludingJava, C#, C/C++ and Javascript. It analyzesthecodeand evaluatesits maintainability takinginto consideration tests, documentation, duplications, potential bugs, complexity and other aspects. It isvery common to set it up for Javaprojects. This time, however, wewanted to analyzeafull stack project with abigpart written in Typescript using theAngular2framework. I want to share with you Sparkbit?s approach to software quality assurance and our first experiences with the SonarQube tool.
  2. 2. At first, I wasworried, if it would bepossible. I saw that SonarQubehasbuilt in Javascript support, however, I knew that analyzingTypescript codeas Javascript would not bepossible. Typescript isa superset of JS, so JScodeisvalid TScodebut not the other way around. Then I found theSonarTsPlugin plugin on Github. Theauthor saysthat theplugin ispre-alphaand tested only on Windows, but thiswastheonly thing available, so I decided to giveit atry. Actually, thesetup waspainless. It sufficed to install Node.jsand TsLint, follow thesetup stepslisted on theplugin websiteand theplugin started to work right away on our Ubuntu setup. Hardwareand softwaresetup Talkingabout thesetup - for start weused a t2.medium machinefrom Amazon AWScloud which has4GBof RAM. I checked that SonarQubeneedsafew GBof memory. TheRequirementspagesaysthat ?The SonarQubeserver requiresat least 2GBof RAM to run efficiently and 1GBof freeRAM for theOS?. It also usesan SQL databaseand theElasticsearch engine. My calculation, therefore, wasthat I would give2GBfor SonarQube, 1GBfor theOSand 1GB for thedatabaseand Elasticsearch for astart. For now, thisisenough to support daily work of a10 person project team. If weever need to grow, wecan easily upgradethemachineto t2.largewith 8BGof RAM. Our detailed technical setup isthat wehavea PostgreSQL databaserunningasserviceand the SonarQubeinstancerunningin asupervisor process on an Ubuntu machine. Disk spaceshould not bean issue. I wasquitesurprised to read on the above-mentioned Requirementspagethat the?Nemo thepublicinstanceof SonarQube, hasmorethan 15 million linesof codeunder analysiswith 4yearsof history. Nemo iscurrently runningon an Amazon EC2c3.largeinstance, usingabout 10Gb of drive space?. Therefore, thedefault 80GBavailableby default with theAWSinstanceshould bemorethan enough for theSonarQubedataand theOS. By theway - thereisalso oneother publicinstanceof SonarQuberunningwith theSonarTsPlugin availablehere. It scansbigpopular TypeScript frameworks, includingtheAngular Framework, Microsoft Visual Studio Codeand theMicrosoft TypeScript Compiler. HavingtheSonarQubeup and running, I moved to theCodeanalysispart. I configured theGit plugin to accessour repo and aJenkinsjob on our CI server to trigger theSonar analysisonceaday. It wasalso interestingto find out that SonarSourceoffersfree and open sourceSonarLint IDEpluginsavailablefor Eclipse, IntelliJand Visual Studio. CodeEvaluation Thefirst analysisrevealed that our project hasabout 25KLOCof Typescript, Javascript, Javaand XML code. SonarQubehasfound morethan 800issuesin our code, most of them beingMinor or Major ones (about 300issuesin each category). Thiswasquitesurprisingbecausewerun Findbugs and TSLint on our codein theCI process, so we expected amuch better result. Better newswasthat thewholeTechnical Debt ratio waslessthan 1%and wegot theSQALE?A?rating, beingthetop of the scale. Wow! That wasapretty impressiveresult to get on thefirst run. TheTechnical Debt ratio calculation method is described on theTechnical Debt page. Let mejust say that thismetricmeanstheratio between theactual technical debt and theeffort it would taketo rewrite thewholesourcecodefrom scratch. TheSQALE(SoftwareQuality Assessment based on LifecycleExpectations) ratingisbased on the so-called ?Technical Debt Pyramid?. On the Technical Debt page, it isdescribed in full detail. In our caseit looked likethis: Lessthan 10man-daysto fix all technical dept - not too bad, isn't it?
  3. 3. Expectationsand Results Actually, theSonarQubeanalysisrevealed somemore interestingthings, wehaven?t known about our project or havesimply forgotten in thecourseof development. Onefindingwasthat acurrently inactivesub-project of thefront end part contained a longforgotten copy of thebackend! Sonar pointed it out immediately becauseon onehand it contained a lot of duplicates(obviously! becauseof thecode copy-paste) and lotsof codesmells(becauseit has been inactivefor quiteawhile). Nicethingto know! Another findingwasthat oneof our activefront end projectsactually had TSLint rulesviolations. I was surprised. How could thishavehappened, if TSLint waspart of our every build?Theanswer wasquite simple. Therewasabugin our gulp build files. Here thestrength of ContinuousInspection showsup. It is alwaysgood to havesometool look at thesoundness of your build. I remember astory from oneof my previousprojects, whereat thevery end of theproject I learned that the script executingall testshad abugin it, that caused thefinal test pass/fail condition alwaysto evaluateas true. Thiswaspretty scary becauseit meant that any potential test failswereactually left undetected. Luckily not so many of them actually failed unnoticed, but anyway wefaced somemomentsof fear when wefound out. So herein our current project, theonedirect action item wasto fix the TSLint rulesin thissubproject and fix thebuild script. Thecopy-pasted backend codewasactually excluded from theproject and after that, our Technical Debt ratio dropped to 0.7%. Project sizealso dropped to about 19KLOC. Hereareour detailed statistics: A number of issuesarealittlemorethan 600and wehave4%duplications.
  4. 4. Thisisthebreakdown of issuesby categories: These5blockersarerelatively easy to fix, so afew hoursof work should saveus from thescariest bugs. Hereisalook at theseissuesfrom another perspective: Notethat after excludingthedead backend part from theproject, thetechnical debt dropped by 2days. I?vealso added thehistory view to our project?sdashboard to track how metrics?valueschangeover time. Thisway it iseasy to noticewhen someduplicationssuddenly appear or disappear from theproject. Thereis only oneslight flaw in thisdiagram. When both LOCand complexity arepresented, thelow complexity values(6.5compared to LOCof >20.000) areinvisible.
  5. 5. SonarQubealso hasnicebubblechartsthat allow trackingthemost troublesomefilesby comparingthe number of issues(Y axis) with thefilesizein LOC(X axis). Each bubbleon thechart representsa particular filein theproject and itsdiameter is proportional to thenumber of issuesin thisfile. Conclusion Summingup, we?vebeen usingSonarQubein our project for aweek now. Installation wasvery easy and painless. Already on thefirst day, SonarQube pointed out to uslongforgotten, smelly areasin our repo. And it found 5new critical issues, that our staticanalysisleft unnoticed. It isdefinitely worth to havesuch aContinuousInspection tool in the development pipeline. What?sstill in front of usisto set up trackingtests resultsand codecoverage. Wealso want to look for new pluginsthat might beuseful for us. What areyour experienceswith Continuous Inspection?Do you useSonarQubeor maybesome other tools?Do you know any good pluginssuitable for full stack projects?We?d loveto hear your opinions!
  6. 6. CONTACT pawelk@sparkbit.pl www.sparkbit.pl @_sparkbit_

×