SonarQube & SonarCloud
CONTINUOUS INSPECTION OF CODE QUALITY
Code Quality
Part of code testing in Continuous Integration
Gives metrics on code quality and standards
Many tools: SonarQube, Apache Yetus, Facebook Infer, Protecode, etc.
Many of these tools integrate with IDEs such as Eclipse, Visual Studio and IntelliJ
(Diagram) Development -> Source Control System -> build -> product deployment, with a rules-driven quality check applied along the way
Seven Axes of Quality
◦ Potential bugs
◦ Coding rules
◦ Tests
◦ Duplications
◦ Comments
◦ Architecture and design
◦ Complexity
SonarQube
Plays the role of continuous inspection
Controls the quality of the code
Supports 25+ languages
Provides report on
◦ Duplicate code
◦ Coding Standards
◦ Code coverage
◦ Code complexity
◦ Comments
◦ Bugs
◦ Security vulnerabilities
SonarQube Architecture
(Diagram) SonarQube Server: Webserver, Compute Engine, Search Server (Elasticsearch), Plugins; backed by a Database (MySQL, Oracle, PostgreSQL, MS SQL)
SonarQube Scanner -> for Ant, Maven, Gradle, Jenkins, MSBuild
25+ languages, e.g. Java, C#, VB.NET, C/C++, JavaScript, HTML, Scala, PHP, Python
SonarQube Server
Web Server :
◦ Lets developers and managers browse quality snapshots
◦ Facilitates configuration of the SonarQube instance
Search Server :
◦ Powered by Elasticsearch
Compute engine :
◦ Processes the analysis reports submitted by scanners
◦ Saves the analysis results in the database
SonarQube Database
A single database instance serves the whole SonarQube server
Supports Oracle, MySQL, MSSQL and PostgreSQL
Comes with a built-in (embedded) database for evaluation only, not for production use
Stores quality snapshots, views, rules, quality gates, etc.
Plugins
Comes with multiple built-in plugins for
◦ Language analysis
◦ SCM (Source Code Management) integration
◦ Authentication and Authorization integration
◦ Governance and external quality tools integration
◦ Custom plugins as required by the organization
Sonar Scanner
Stand-alone Sonar Scanner (command line)
Sonar Scanner integration with
◦ Maven
◦ Ant
◦ Gradle
◦ MSBuild
Integrates with and is triggered by CI servers such as Jenkins
Code Flow and Analysis Pipeline
◦ Code in IDE: use SonarLint for local analysis
◦ Push code to SCM
◦ CI server runs an automatic build
◦ Sonar Scanner runs the analysis
◦ Analysis report is sent to the server
◦ Server processes the analysis report and stores the result in the database
◦ Developers review and challenge the issues, then reduce technical debt
◦ Managers and DevOps access the report and approve the change
SonarQube Integration Pipeline
• SonarLint: real-time analysis in the IDE
• SCM: SVN, Git, CVS, ClearCase
• Continuous Integration: Jenkins, Bamboo, TeamCity
• SonarQube Server: external reports, JMX, Web API
Download
SonarQube Server
Download SonarQube from https://www.sonarqube.org/downloads/
Needs Java 8 (Oracle JDK 8 or OpenJDK 8)
SonarQube comes in different editions (Community, Developer, Enterprise, Data Center)
Sonar Scanner
Download Sonar Scanner from
https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner
Sonar Server Installation
Unzip the server and the scanner in any desired location
Environment variable : SONAR_HOME
PATH : %SONAR_HOME%\bin\<OS-arch> (e.g. windows-x86-64)
Execute : StartSonar.bat
Sonar server web interface : http://<hostname>:9000/
Default credentials : admin/admin (change them at first login; the server speaks plain HTTP on port 9000, so put it behind TLS and do not expose it beyond the build network)
Sonar Scanner Installation
Environment variable : SONAR_SCANNER_HOME
E.g.: C:\Program Files (x86)\sonar-scanner-x.y
PATH : %SONAR_SCANNER_HOME%\bin
Update the global settings in sonar-scanner.properties: the server URL (sonar.host.url); older scanner releases also took the database connection here, current scanners talk only to the server
E.g.: <Sonar_scanner_installed_directory>/conf/sonar-scanner.properties
Analyzing with SonarQube Scanner
Set up sonar-project.properties in the project root
Set the following properties
◦ sonar.projectKey
◦ sonar.projectName
◦ sonar.projectVersion
Execute sonar-scanner.bat
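As an added example (not from the original deck), a minimal sonar-project.properties for a Java project covering the steps above; the project key, name, paths and host name are assumptions, and the token is deliberately kept out of the file:

```properties
# sonar-project.properties, kept in the project root next to the code it describes
# (example values; project key, name, paths and host are assumptions)
sonar.projectKey=acme:payments-api
sonar.projectName=Payments API
sonar.projectVersion=1.4.0

# What to analyse. sonar.java.binaries is required for Java analysis.
sonar.sources=src/main/java
sonar.tests=src/test/java
sonar.java.binaries=target/classes
sonar.sourceEncoding=UTF-8
sonar.exclusions=**/generated/**

# May live here or in <scanner>/conf/sonar-scanner.properties
sonar.host.url=http://sonar.internal.example:9000

# Do NOT put credentials in this file (it is committed to SCM). Pass an analysis
# token from the CI secret store on the command line instead:
#   sonar-scanner -Dsonar.login=$SONAR_TOKEN
```

The token is tied to a SonarQube user with only the "Execute Analysis" permission on the project, so a leaked CI log or repository does not hand out the admin account.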
(Diagram) Jenkins pipeline: SCM -> Build -> Deployment with a Quality Check stage; the Sonar Scanner (Gradle, with sample properties) analyses the Java code base and reports to the SonarQube server on port 9000
Complexity
Two types
◦ Cyclomatic Complexity
◦ Cognitive Complexity
Gives a guideline on the number of paths the code can take
For every split (branch) the complexity increases
More complexity in a method/function means more business logic is built into it
Functions with a bigger complexity value are good candidates for refactoring or breaking down into pieces
Functions/files with bigger complexity may need extended testing
Cyclomatic Complexity
• Cyclomatic complexity works well for measuring testability, but not for maintainability
• Does not measure how complex the code is from a human perspective
Cognitive Complexity
• Increment when there is a break in the linear flow of the code
• Increment when structures that break the flow are nested
• Ignore "shorthand" structures that readably condense multiple lines of code into one
• Unlike cyclomatic complexity, it does not tell you how many test cases a method needs; it estimates how hard the method is for a human to understand
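To make the difference between the two metrics concrete, here is an added example (not SonarQube's own analyser, and not code from the deck): a simplified re-implementation of the cyclomatic and cognitive counting rules described above, run over two constructed sample functions. Sonar's per-language rules differ in detail (recursion, jumps to labels, language-specific shorthand), so the numbers are illustrative, but the contrast they show is the real one: a flat chain of `and` operators is many test paths yet easy to read, while nested loops are few paths yet hard to read.

```python
# Added example (not SonarQube's own analyser): a simplified re-implementation of the
# cyclomatic and cognitive rules described on this page, applied to constructed sample code.
import ast

# Textbook cyclomatic complexity: one path for the function entry plus one per decision
# point; every 'and'/'or' operand after the first opens one more path.
DECISION_NODES = (ast.If, ast.For, ast.While, ast.ExceptHandler, ast.IfExp, ast.comprehension)


def cyclomatic_complexity(func: ast.FunctionDef) -> int:
    total = 1
    for node in ast.walk(func):
        if isinstance(node, DECISION_NODES):
            total += 1
        elif isinstance(node, ast.BoolOp):
            total += len(node.values) - 1
    return total


def cognitive_complexity(func: ast.FunctionDef) -> int:
    """+1 per break in linear flow plus the current nesting depth for nestable structures;
    'elif', 'else' and each run of 'and'/'or' cost a flat +1; comprehensions (shorthand)
    add nothing. Recursion and other language-specific rules of Sonar's spec are omitted."""
    score = 0

    def block(nodes, nesting):
        for node in nodes:
            visit(node, nesting)

    def else_branch(orelse, nesting):
        nonlocal score
        if not orelse:
            return
        if len(orelse) == 1 and isinstance(orelse[0], ast.If):
            score += 1                        # 'elif': no nesting penalty, body is nested
            visit(orelse[0].test, nesting)
            block(orelse[0].body, nesting + 1)
            else_branch(orelse[0].orelse, nesting)
        else:
            score += 1                        # plain 'else'
            block(orelse, nesting + 1)

    def visit(node, nesting):
        nonlocal score
        if isinstance(node, ast.If):
            score += 1 + nesting
            visit(node.test, nesting)
            block(node.body, nesting + 1)
            else_branch(node.orelse, nesting)
        elif isinstance(node, (ast.For, ast.While)):
            score += 1 + nesting
            visit(node.iter if isinstance(node, ast.For) else node.test, nesting)
            block(node.body, nesting + 1)
        elif isinstance(node, ast.Try):
            block(node.body, nesting)         # 'try' is not a flow break, each 'except' is
            for handler in node.handlers:
                score += 1 + nesting
                block(handler.body, nesting + 1)
            block(node.orelse + node.finalbody, nesting)
        elif isinstance(node, ast.BoolOp):    # one sequence of 'and' or 'or'
            score += 1
            block(node.values, nesting)
        elif isinstance(node, ast.FunctionDef):
            block(node.body, nesting + 1)     # nested function: deeper nesting, no +1
        else:
            block(list(ast.iter_child_nodes(node)), nesting)

    block(func.body, 0)
    return score


# Constructed sample code: one flat boolean chain, one pair of nested loops.
SAMPLE_SOURCE = '''
def is_valid(user):
    if user.active and user.verified and user.age >= 18 and not user.banned:
        return True
    return False

def sum_of_primes(limit):
    total = 0
    for i in range(2, limit + 1):
        is_prime = True
        for j in range(2, i):
            if i % j == 0:
                is_prime = False
                break
        if is_prime:
            total += i
    return total
'''


def complexity_report(source: str) -> dict:
    """Map each top-level function name to (cyclomatic, cognitive)."""
    tree = ast.parse(source)
    return {node.name: (cyclomatic_complexity(node), cognitive_complexity(node))
            for node in tree.body if isinstance(node, ast.FunctionDef)}


if __name__ == "__main__":
    for name, (cyc, cog) in complexity_report(SAMPLE_SOURCE).items():
        print(f"{name:14s} cyclomatic={cyc}  cognitive={cog}")
```

`is_valid` scores 5 cyclomatic (five test paths through the four operands) but only 2 cognitive, while `sum_of_primes` scores 5 cyclomatic and 8 cognitive because every nested structure pays for its depth. The `elif` detection is a known simplification: Python's AST represents `else: if ...:` the same way as `elif`.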
Default Maintainability Rating
◦ Technical debt ratio <= 5%: rating A
◦ 6% to 10%: rating B
◦ 11% to 20%: rating C
◦ 21% to 50%: rating D
◦ over 50%: rating E
The rating is determined by the Technical Debt Ratio, which compares the technical debt (remediation effort) on a project to the estimated cost of rewriting the code from scratch (development cost per line × lines of code).
Example: assuming a development cost of 30 minutes per line, a project with a technical debt of 24,000 minutes for 2,500 LOC has a technical debt ratio of 24000 / (30 × 2,500) = 0.32, i.e. 32%. That yields a maintainability rating of D.
Default Reliability Rating
A = 0 Bugs
B = at least 1 Minor Bug
C = at least 1 Major Bug
D = at least 1 Critical Bug
E = at least 1 Blocker Bug
Default Security Rating
A = 0 Vulnerabilities
B = at least 1 Minor Vulnerability
C = at least 1 Major Vulnerability
D = at least 1 Critical Vulnerability
E = at least 1 Blocker Vulnerability
(Screenshot) Project overview: Bugs | Vulnerabilities | Code Smells | Coverage | Duplications | Plugins
Quality Concepts
Bug - Something wrong in the code that will, or is likely to, cause incorrect behaviour
Code Smell - A maintainability-related issue
Remediation Cost - Time required to fix vulnerability and reliability issues
Technical Debt - Time required to fix all maintainability issues / code smells
Issue - A piece of code that does not comply with a rule (Bugs, Code Smells and Vulnerabilities)
Measure - The value of a metric
Snapshot - A set of measures and issues on a given project at a given time
Vulnerability - A security-related issue that gives attackers a way in
Quality Gate - A set of conditions on measures used to enforce a quality policy in a project or organization
Issues
Rules
Quality Profiles
Quality Gates
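Added example, not part of the original deck: a small CI-side check that asks the SonarQube Web API (`api/qualitygates/project_status`, a real endpoint) whether a project's Quality Gate passed and lists the failing conditions, so the pipeline can refuse to deploy. The host URL, project key, token and the embedded sample response are constructed for illustration; the response is shaped like the server's real reply.

```python
# Added example (not from the deck): fail a CI stage when the project's Quality Gate is
# not green, using SonarQube's Web API endpoint api/qualitygates/project_status.
# Host URL, project key, token and SAMPLE_RESPONSE below are constructed for illustration.
import base64
import json
import sys
import urllib.parse
import urllib.request


def build_request(host_url: str, project_key: str, token: str) -> urllib.request.Request:
    """HTTP request for the gate status. A user/analysis token goes in as the
    Basic-auth user name with an empty password; never ship admin/admin here."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    url = f"{host_url.rstrip('/')}/api/qualitygates/project_status?{query}"
    credentials = base64.b64encode(f"{token}:".encode("ascii")).decode("ascii")
    return urllib.request.Request(url, headers={"Authorization": f"Basic {credentials}"})


def gate_passed(payload: dict) -> bool:
    # Only OK counts; WARN (legacy), ERROR and NONE (no gate evaluated) all fail the build.
    return payload["projectStatus"]["status"] == "OK"


def failed_conditions(payload: dict) -> list:
    """Human-readable list of the conditions that are in ERROR."""
    return [
        f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} (actual {c['actualValue']})"
        for c in payload["projectStatus"].get("conditions", [])
        if c.get("status") == "ERROR"
    ]


def check_gate(host_url, project_key, token, opener=urllib.request.urlopen):
    """Query the server and return (passed, failing_conditions)."""
    with opener(build_request(host_url, project_key, token), timeout=30) as resp:
        payload = json.load(resp)
    return gate_passed(payload), failed_conditions(payload)


# Constructed reply, shaped like the real api/qualitygates/project_status response.
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "3"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "62.5"},
        ],
    }
}

if __name__ == "__main__":
    ok, failures = gate_passed(SAMPLE_RESPONSE), failed_conditions(SAMPLE_RESPONSE)
    print("Quality gate:", "OK" if ok else "FAILED")
    for failure in failures:
        print("  -", failure)
    sys.exit(0 if ok else 1)
```

Two caveats for real use: the scanner only uploads the report, and the Compute Engine processes it asynchronously, so run this check only after the background task recorded in the scanner's `report-task.txt` has finished (`api/ce/task?id=...`), otherwise you are reading the previous analysis; and recent scanners can do the wait-and-fail themselves with `-Dsonar.qualitygate.wait=true`, which is the simpler choice when analysis and gating happen in the same CI stage.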