Continuous Inspection of Code Quality
SonarQube: An Open Source Code Analysis Platform
Emre Dündar
23.08.2017 – QAIst Meetup
Emre Dündar
• Release Manager @Product Development Unit, @Ericsson R&D - Turkey (2017 - ...)
• Configuration Engineer @SDLC Tools & DevOps Unit, @SoftTech (2014 - 2017)
www.linkedin.com/in/emredundar
emredundar.e@gmail.com
https://emredundar.github.io/
Continuous - X
• Continuous integration
• Continuous delivery
• Continuous testing
• Continuous deployment
• Continuous improvement
Continuous inspection
Continuous Inspection /
• A new approach to code quality management
• Code quality as a part of Software Development Life Cycle (SDLC)
• A clear view of software quality for all stakeholders
• Continuous feedback about software quality
• Enables better software development practices
Continuous Inspection /
... but how?
• On-the-fly: Fix issues before they exist.
• Integration: Analyse on the CI / DevOps pipeline.
• Quality Gates: Reject if not ok.
• Track issues: Track the issues on new code (who committed the issue?)
The value of continuous inspection is to find issues while they are still easy and cheap to fix.
Continuous Inspection /
Continuous inspection of source code quality
Continuous Inspection /
... how?
Static code analysis
• Analyse source code without execution
• Generate software metrics
Software Metrics
... how to generate?
• Software metrics are generated by mapping measurable properties of the software to numbers.
... purpose?
• to measure software quality
• to find problematic units
• to predict the future of the software product
Software Quality Metrics
• Subcomponents of software quality
• What & how to measure?
• Metric x Quality relations
Software Quality Model
- McCall, J. A. (1977)
- Boehm (1978)
- Consortium for IT Software Quality (CISQ)
- International Standards (ISO, IEEE...)
Software Quality Metrics
Size metrics / lines of code, classes, functions, files...
Test metrics / unit tests, line coverage...
Complexity / cyclomatic complexity, complexity per function...
Duplications / duplicated blocks, duplicated lines (%)...
Issues / blocker, critical, major, minor, info / Code smells, bugs, vulnerabilities
Technical Debt /
Static Code Analysis
• Readable code
• Maintainable code
• Documented code
• Low-complexity code
• Coding standards
• High-performance code
• Secure code
• Stable code
• Reviewed code
• Technical debt under control
• Clean code
Technical Debt
Kitchen metaphor
Day 1
Technical Debt
Kitchen metaphor
Day 2
Technical Debt
Who will clean?..
Software perspective:
Lack of time + new requests +
new bugs + ...
Does it work? Yes, go on...
Code quality must be the concern of the whole team, not just of some specialist.
.. there is a need for an assistant...
SonarQube is not just a tool, it is a platform.
Continuous code quality online
SonarQube: Architecture
- SonarQube Scanners don't need to be on the same network as the SonarQube Server.
- There is no communication between SonarQube Scanners and the SonarQube Database.
- SonarQube Scanners scale by adding machines.
SonarQube: Issue cycle
Languages / 20+
Java
JavaScript
PHP
Python
Web
Xml
Android
C#
C/C++ *
Objective-C *
Swift *
PL/SQL *
COBOL *
...
Overall Health
Look for general results…
Leak
Fix the leaks…
SonarQube
Scanners
• Maven
• Gradle
• Ant
• MSBuild
• Jenkins
• CLI
> mvn clean install sonar:sonar
> cd mySourceCode
> sonar-scanner -Dproject.settings=myproject.properties
SonarQube: Rules
Rulesets for each language
3 main categories: Bugs, vulnerabilities, code smells.
Coding standards
• OWASP, CWE, CERT, MISRA... (Security vulnerabilities)
• Checkstyle (Conventions, coding rules)
• PMD (Bad practices, potential problems)
• FindBugs (Potential bugs)
• ...
http://localhost:9000/coding_rules#languages=java|severities=BLOCKER|types=BUG|tags=cert
Issues
• Code Smells
• Bugs
• Vulnerabilities
SonarQube on DevOps pipeline
SonarLint
• On-the-fly usage within IDEs
• Connect to your own SonarQube server
• Working with online rulesets
http://www.sonarlint.org/
Pull Request
Github, TFS, Bitbucket
Quality Gates
Don’t let commits through the gate if they bring new vulnerabilities, high technical debt, low code coverage…
https://next.sonarqube.com/sonarqube/quality_gates/show/7
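The "reject if not OK" step of a Quality Gate, as an added example that is not from the slides or from SonarSource: a small Python script a CI job runs right after sonar-scanner. It assumes the report-task.txt file the scanner writes to .scannerwork/ and the Web API endpoints api/ce/task and api/qualitygates/project_status (authenticated with a user token as the Basic-auth user name); the sample report content is constructed.

```python
"""Fail the CI build when the SonarQube Quality Gate is not OK (added example)."""
import json
import sys
import time
import urllib.request
from base64 import b64encode

# Constructed sample of the report-task.txt that sonar-scanner writes to .scannerwork/
SAMPLE_REPORT = """projectKey=demo
serverUrl=http://localhost:9000
ceTaskId=AVx1-placeholder"""

def parse_report_task(text):
    """Turn the key=value lines of report-task.txt into a dict."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def gate_verdict(project_status):
    """Evaluate the JSON body of api/qualitygates/project_status -> (passed, failed conditions)."""
    status = project_status["projectStatus"]
    failed = [f"{c['metricKey']} {c['actualValue']} {c['comparator']} {c['errorThreshold']}"
              for c in status.get("conditions", []) if c.get("status") == "ERROR"]
    return status["status"] == "OK", failed

def api_get(server, token, path):
    """GET a Web API endpoint; the user token is sent as Basic-auth user with an empty password."""
    req = urllib.request.Request(server.rstrip("/") + "/api/" + path)
    req.add_header("Authorization", "Basic " + b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def check_gate(server, token, report_text, poll_seconds=5):
    """Wait for the Compute Engine task of this analysis, then query its Quality Gate."""
    task_id = parse_report_task(report_text)["ceTaskId"]
    while True:
        ce = api_get(server, token, "ce/task?id=" + task_id)["task"]
        if ce["status"] not in ("PENDING", "IN_PROGRESS"):
            break
        time.sleep(poll_seconds)
    if ce["status"] != "SUCCESS":
        return False, [f"analysis task ended with status {ce['status']}"]
    body = api_get(server, token, "qualitygates/project_status?analysisId=" + ce["analysisId"])
    return gate_verdict(body)

if __name__ == "__main__":  # usage: gate_check.py <server-url> <user-token> .scannerwork/report-task.txt
    with open(sys.argv[3]) as fh:
        passed, failures = check_gate(sys.argv[1], sys.argv[2], fh.read())
    print("Quality Gate:", "OK" if passed else "FAILED")
    for line in failures: print(" -", line)
    sys.exit(0 if passed else 1)  # a non-zero exit status rejects the pipeline step
```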
Webhook - integrations
Trigger other systems via Webhooks
• Trigger an alert
• Update a field
• Post a message to a chat room
• Send an e-mail
• Create a ticket
• ....
• Jira ticket
• Email
• Slack message
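The receiving side of such a webhook, as an added example that is not from the slides or the SonarQube project: before posting anything to a chat room it checks the HMAC-SHA256 signature SonarQube sends in the X-Sonar-Webhook-HMAC-SHA256 header when a webhook secret is configured, so that only genuine Quality Gate results trigger a message. The secret, the port and the sample payload are placeholders or constructed.

```python
"""Webhook receiver: verify the SonarQube HMAC signature, then summarise the Quality Gate
result for a chat room (added example)."""
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

WEBHOOK_SECRET = b"replace-me-webhook-secret"  # placeholder; load it from the environment in real use
SIGNATURE_HEADER = "X-Sonar-Webhook-HMAC-SHA256"

# Constructed sample of a SonarQube webhook payload (abridged to the fields used below).
SAMPLE_PAYLOAD = json.dumps({
    "status": "SUCCESS",
    "project": {"key": "demo", "name": "Demo", "url": "http://localhost:9000/dashboard?id=demo"},
    "qualityGate": {"name": "Sonar way", "status": "ERROR", "conditions": [
        {"metric": "new_vulnerabilities", "operator": "GREATER_THAN", "value": "2", "status": "ERROR"},
        {"metric": "new_coverage", "operator": "LESS_THAN", "value": "85.0", "status": "OK"}]},
}).encode()

def sign(secret, body):
    """Hex HMAC-SHA256 over the raw request body, the value SonarQube puts in the header."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify(secret, body, header_value):
    """Reject a missing header; compare in constant time so timing reveals nothing."""
    return bool(header_value) and hmac.compare_digest(sign(secret, body), header_value.strip())

def summarize(body):
    """One-line message from the raw payload: project, gate status and the failed conditions."""
    payload = json.loads(body)
    gate, project = payload.get("qualityGate", {}), payload.get("project", {})
    failed = [c["metric"] for c in gate.get("conditions", []) if c.get("status") == "ERROR"]
    msg = f"{project.get('name', project.get('key'))}: Quality Gate {gate.get('status')}"
    if failed:
        msg += " (failed: " + ", ".join(failed) + ")"
    return msg + " " + project.get("url", "")

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not verify(WEBHOOK_SECRET, body, self.headers.get(SIGNATURE_HEADER)):
            self.send_response(401)  # unsigned or tampered call: ignore it, post nothing
            self.end_headers()
            return
        print(summarize(body))  # swap the print for Slack / Jira / e-mail delivery
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8081), Handler).serve_forever()  # port 8081 is an arbitrary choice
```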
Demo: SonarQube
SonarQube, SonarLint, VisualStudio, VisualStudio Code, Eclipse, Gitlab, Jenkins, Slack...
References
• https://www.sonarsource.com/
• https://www.sonarqube.org/
• http://www.sonarlint.org/
• Continuous Inspection, Olivier Gaudin - https://www.sonarsource.com/resources/white-papers/continuous-inspection.html
• Technical Debt, Patroklos Papapetrou - http://thinkapps.com/blog/tag/technical-debt/
• Metric definitions - https://docs.sonarqube.org/display/SONAR/Metric+Definitions