Code Quality with SonarQube on Windows

Okan Sungur
6 min read · Dec 10, 2021

As a software developer, it is a nightmare to deal with low-quality code. You spend a lot of time trying to understand the code and fixing it. Good quality code is readable, properly indented, and simple. Notations and names are descriptive, and implementing changes to such code is not hard.

What is SonarQube?

SonarQube is a code quality tool. It collects and analyzes your source code and creates reports about the code quality of the project. From these reports, developers can see bugs and security issues and fix them before deploying to the production environment. With SonarQube, the quality of code can be measured continuously over time. It is good for detecting code complexity, reduces the time and cost of maintenance, and helps develop readable code. It is an open-source framework, available for free under the GNU Lesser General Public License, but you have to pay for the enterprise edition. SonarQube integrates fully with DevOps pipelines, can also be used with Jenkins, and supports languages including C#, Java, Python, PHP, Go, Ruby, HTML and JavaScript.

For more information please visit SonarQube

SonarQube setup for Windows 10

You can download SonarQube from SonarQube-Download. We will use the Community Edition. At the time of writing this tutorial, SonarQube requires Java version 11, so you have to download and install Java 11. Maven is also needed to analyze our code. So our download list is as follows:

  • JDK-11.0.13_windows-x64_bin.zip
  • apache-maven-3.8.4-bin.zip
  • sonarqube-9.2.1.49989.zip
  • Sample application (student)

Extract the zip files to a directory and set the environment variables for Windows.

Setting Environment Variables JAVA_HOME
Setting Environment Variables MAVEN_HOME

Also, don't forget to add the executables to the Windows system path. Check your Java and Maven versions from the command prompt. If they are set correctly, find StartSonar.bat in the SonarQube installation directory and execute it.

Java and Maven Versions
StartSonar.bat from SonarQube Installation Directory

By default, SonarQube runs on port 9000. To change the default port, we should edit the conf/sonar.properties file. We can change the port to XXXX by modifying the line sonar.web.port=9000. When you go to localhost:9000, you will see SonarQube's login page. The default admin credentials are:

  • Login: admin
  • Password: admin

SonarQube Login Page

For testing purposes, we have created a student Spring Boot project. The project has an embedded H2 database. There are students and lecturers as entities. We get the student names by using REST services. Some unit tests were also added to the project. We created a utility class with some non-compliant code examples, and some unused imports and classes are also present. But before analyzing, we have to modify our student project by adding the following lines to our pom.xml file.

sonar-maven-plugin (pom.xml)
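The pom.xml fragment below is an added example of the sonar-maven-plugin configuration the screenshot refers to; it is not the article's own file. The plugin coordinates and the sonar.* property names are the real ones, but the versions are placeholders to be replaced with current releases, the project key is an assumption, and the JaCoCo plugin is added so that the coverage figure shown later in the article has something to import.

```xml
<!-- Added example, not the article's pom.xml. Replace the version placeholders. -->
<properties>
    <!-- Where the local SonarQube from the previous step listens -->
    <sonar.host.url>http://localhost:9000</sonar.host.url>
    <!-- Assumed project key; must match the key created in the SonarQube UI -->
    <sonar.projectKey>student</sonar.projectKey>
    <!-- Coverage report that the scanner imports (default JaCoCo output path) -->
    <sonar.coverage.jacoco.xmlReportPaths>${project.build.directory}/site/jacoco/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
</properties>

<build>
    <plugins>
        <!-- The scanner that uploads the analysis to SonarQube -->
        <plugin>
            <groupId>org.sonarsource.scanner.maven</groupId>
            <artifactId>sonar-maven-plugin</artifactId>
            <version>SONAR_MAVEN_PLUGIN_VERSION</version> <!-- placeholder -->
        </plugin>
        <!-- Produces the coverage report during the test phase -->
        <plugin>
            <groupId>org.jacoco</groupId>
            <artifactId>jacoco-maven-plugin</artifactId>
            <version>JACOCO_VERSION</version> <!-- placeholder -->
            <executions>
                <execution>
                    <goals>
                        <goal>prepare-agent</goal>
                    </goals>
                </execution>
                <execution>
                    <id>report</id>
                    <phase>test</phase>
                    <goals>
                        <goal>report</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>
```

With this in place the scanner is run from the project directory as mvn clean verify sonar:sonar -Dsonar.login=<token>, where the token is the one SonarQube generates in the "Providing a Token" step. Keep the token on the command line or in a CI secret; it is a credential for your SonarQube instance and does not belong in pom.xml or version control.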

Now we are ready to create a new project from the SonarQube web page that runs on our localhost.

SonarQube Creating a Project Manually
SonarQube Creating a Display Name and a Project Key
SonarQube Analyzing Repository Locally
SonarQube Providing a Token
SonarQube Executing Scanner Maven Code
SonarQube Overallcode Analyze

Now we are ready to open the command prompt as an administrator. Paste and execute the scanner command. The project will be analyzed and the reports will be available from SonarQube's web interface. When the execution finishes successfully, open http://localhost:9000/projects. You will see the project name and the summary of the analysis. From the web interface, we will be able to see some categories related to our student project: Bugs, Vulnerabilities, Security Hotspots, and Code Smells. Click on the project to explore more details.

SonarQube Detected Bug

When the Bugs menu is clicked you will see a bug, as we compared an Optional with null. SonarQube also describes the bug; when we click on Why is this an issue, we see the following message.

The concept of Optional is that it will be used when null could cause errors. In a way, it replaces null, and when Optional is in use, there should never be a question of returning or receiving null from a call.

@Override
public Optional<Lecture> findLectureById(Long id) {
    Optional<Lecture> lecture = lectureRepository.findById(id);
    if (lecture == null) throw new LectureNotFoundException(); // Noncompliant: findById returns an Optional, never null
    ...
SonarQube Detected Bug

Another hint, for the String.format method:

When the call to a function doesn’t have any side effects, what is the point of making the call if the results are ignored?

We already know what bugs are, and security hotspots are covered below. Vulnerabilities are the weak parts of our code that an attacker could potentially use. Code smells are not bugs; they point out weak design. Comments, duplicates and dead code are some examples of code smells. These reports are very useful for software developers. We have also created 5 unit tests, and when we clicked on the unit tests there was a warning about our public identifiers. It says that our code is noncompliant.

JUnit 4 required everything to be public, whereas in JUnit 5 we don't have to use public; the code is more readable when it is not used.
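The following file is an added example, not code from the article or its student project. It puts the three findings above together in compliant form: the Optional lookup uses orElseThrow instead of a null check, the String.format result is used rather than discarded, and the JUnit 5 test class and its methods are package-private. The entity, repository and exception names (Lecture, LectureRepository, LectureNotFoundException) are assumptions modelled on the article's description, and the repository is an in-memory stand-in for the H2-backed one.

```java
// Added example (not the article's code). File: LectureService.java, with
// JUnit 5 (junit-jupiter) on the test classpath. Java 11 compatible.
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;

// Hypothetical entity standing in for the project's JPA entity.
class Lecture {
    private final Long id;
    private final String title;

    Lecture(Long id, String title) {
        this.id = id;
        this.title = title;
    }

    Long getId() { return id; }
    String getTitle() { return title; }
}

// Same contract as Spring Data's CrudRepository.findById: an Optional, never null.
interface LectureRepository {
    Optional<Lecture> findById(Long id);
}

class LectureNotFoundException extends RuntimeException {
    LectureNotFoundException(Long id) {
        super(String.format("lecture %d not found", id)); // result used, not ignored
    }
}

public class LectureService {
    private final LectureRepository lectureRepository;

    public LectureService(LectureRepository lectureRepository) {
        this.lectureRepository = lectureRepository;
    }

    // Compliant: the repository never returns null, it returns an empty Optional.
    // Testing the Optional itself against null is the bug SonarQube reported;
    // the absent case is handled by orElseThrow instead.
    public Lecture findLectureById(Long id) {
        return lectureRepository.findById(id)
                .orElseThrow(() -> new LectureNotFoundException(id));
    }

    // Compliant: the value String.format builds is returned. Calling
    // String.format and discarding the result does nothing, which is the
    // second hint quoted above.
    public String describe(Long id) {
        Lecture lecture = findLectureById(id);
        return String.format("Lecture #%d: %s", lecture.getId(), lecture.getTitle());
    }
}

// JUnit 5: neither the test class nor its methods need to be public.
class LectureServiceTest {
    // Constructed in-memory repository replacing the H2-backed one.
    private final Map<Long, Lecture> store = new HashMap<>(Map.of(
            1L, new Lecture(1L, "Secure Coding"),
            2L, new Lecture(2L, "Threat Modeling")));
    private final LectureService service =
            new LectureService(id -> Optional.ofNullable(store.get(id)));

    @Test
    void returnsLectureWhenPresent() {
        assertEquals("Lecture #1: Secure Coding", service.describe(1L));
    }

    @Test
    void throwsWhenAbsent() {
        assertThrows(LectureNotFoundException.class, () -> service.findLectureById(99L));
    }
}
```

Running the analysis again after this change clears the Optional bug, the ignored String.format result, and the public-modifier smell on the tests; the test class stays discoverable because JUnit 5 scans package-private classes and methods.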

SonarQube Detected Bug and Solution

The Quality Gate lets us know if our project is ready for production. Code Coverage determines how much of the code is being tested; it helps to measure the quality of the tests. Our analysis has a coverage of 140 lines. According to our analysis, we also have 6 Security Hotspots to review.

SonarQube Security Hotspots

4 of the issues are about Cross-Site Request Forgery (CSRF).

@RequestMapping("/lectures/{id}") // Noncompliant: no HTTP method specified, so the handler answers every method
//...
@RequestMapping("/delete_user", method = RequestMethod.POST) // Compliant
//...
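The controller below is an added example, not code from the article's student project. It shows the flagged mapping beside the explicitly restricted forms SonarQube accepts, and explains why a state-changing handler reachable by GET matters for CSRF. The class, paths and field names are assumptions; the annotations are standard Spring Web MVC, and the in-memory map is constructed so the class compiles without the project's database.

```java
// Added example (not the article's code). File: LectureController.java,
// with spring-boot-starter-web on the classpath.
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/lectures")
public class LectureController {

    // Constructed in-memory store so the example compiles without a database.
    private final Map<Long, String> lectures =
            new ConcurrentHashMap<>(Map.of(1L, "Secure Coding"));

    // Noncompliant (what SonarQube flagged): no HTTP method is given, so this
    // handler answers GET, POST, DELETE and so on alike. A state-changing
    // action reachable by GET can be triggered by a cross-site request that
    // carries no CSRF token, which is why the hotspot is filed under CSRF.
    //
    // @RequestMapping("/{id}")
    // public void remove(@PathVariable Long id) { lectures.remove(id); }

    // Compliant: a read-only lookup, explicitly GET.
    @GetMapping("/{id}")
    public ResponseEntity<String> get(@PathVariable Long id) {
        String title = lectures.get(id);
        if (title == null) {
            return ResponseEntity.notFound().build();
        }
        return ResponseEntity.ok(title);
    }

    // Compliant: creation only via POST. With Spring Security on the classpath
    // its CSRF filter checks a token on POST/PUT/PATCH/DELETE by default and
    // leaves GET/HEAD/OPTIONS/TRACE unchecked, so state changes must never
    // be reachable through GET.
    @PostMapping
    public ResponseEntity<Void> create(@RequestBody Map<String, String> body) {
        Long id = Long.valueOf(body.get("id"));
        lectures.put(id, body.get("title"));
        return ResponseEntity.status(201).build();
    }

    // Compliant: deletion only via DELETE.
    @DeleteMapping("/{id}")
    public ResponseEntity<Void> remove(@PathVariable Long id) {
        if (lectures.remove(id) == null) {
            return ResponseEntity.notFound().build();
        }
        return ResponseEntity.noContent().build();
    }
}
```

Restricting the method is what clears the hotspot, but it is only half of the defence: the CSRF token check comes from Spring Security's filter, so keep that enabled for any controller that changes state and review the hotspot rather than silently marking it safe.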

Last notes about SonarQube:

  • For memory management issues, change the conf/sonar.properties file.
  • Check the rules for each language from the Rules menu.
  • You can find extra plugins under the Administration > Marketplace menu.
  • If you get the error Could not create the Java Virtual Machine, there is a problem with your Java version; that is why we used Java 11.

The sample code for the student application is available at GitHub.
