SonarQube is an open source static code analysis tool that is gaining tremendous popularity among software developers. It enables software professionals to measure code quality, identify non-compliant code, and fix code quality issues. The SonarQube community is quite active and provides continuous upgrades, new plug-ins, and customization information on a regular basis. Further, it is a healthy practice to periodically run SonarQube on the source code to fix code quality violations and reduce technical debt.
SonarQube enables developers to track code quality, which helps them to ascertain if a project is ready to be deployed in production. Further, it allows developers to continuously inspect the code, perform automatic reviews and run analysis to find code quality issues.
Furthermore, SonarQube provides a lot of other features, including the ability to record metrics, evolution graphs, etc. It has built-in options to perform automated analysis and continuous integration using tools such as Jenkins, Hudson, etc. In this blog, we will explore the process of creating pipeline scripts for SonarQube integration. Here are the steps.

  • Log in to your configuration domain (e.g. https://jenkins.domain.com).
  • Go to the specific profile in Jenkins (here, the root project).
  • To configure a Sonar job, select ‘New Item’ available on the left side panel in Jenkins.

New Item

  • In the subsequent screen, provide a job name. Click on the ‘Pipeline’ option if you intend to run a Pipeline; otherwise select the ‘Maven’ option.

Pipeline Maven

  • Click on the ‘OK’ button to provide configuration details. Now, let us take a look at the various links available on the left side of the screen.
    • Changes – The ‘Changes’ option enables developers to change the name of a job.
    • Build Now – This feature allows developers to run a job in Jenkins. It starts to read the code from the repository and builds the code.
    • Configure – This option enables developers to read the code from the Git/SVN repository.

Pipeline inc-web

SonarQube Integration with Jenkins

Here is the complete process of SonarQube integration with Jenkins.

  • Click on ‘Configure’ option, which will redirect developers to the following screen, enabling them to read the code from the Git/SVN repository.
  • In the General tab, developers can provide a Pipeline name and build-log retention details, such as how many days the logs should be kept. In the ‘Days to keep builds’ field, enter the number of days.

General

  • If using a Git repository, select Git project; otherwise proceed to the next tab.
  • The next tab is ‘Office 365 Connector’; this screen is used to run a build based on parameters.
  • ‘This project is parameterized’ is one option that developers should have at least a basic understanding of. It is used to build a job based on branches. Where developers want to run a job against the development or master branch, they can define that here; otherwise, the job runs with its defaults.

Office 365 Connector

  • Build Trigger Section – This option can be used if developers want to run jobs at specific time intervals, e.g. once or twice a day. Jobs can be scheduled to run automatically by using the ‘Build periodically’ option.

Build Triggers

  • Pipeline Section – The pipeline section is the core of a job; it reads data/code from a specific repository in Git/SVN. Developers need to specify the script file (the Jenkinsfile), which is stored in the Git/SVN repository.

Pipeline

  • Here is the pipeline script that needs to be added to the Jenkinsfile. Note that the original version returned from the catch block without changing the build result, which left a failed Sonar run recorded as SUCCESS; setting currentBuild.result before returning fixes that.

[java]try {
    stage("Building SONAR ...") {
        // run the Gradle sonarqube task, which pushes the analysis to the SonarQube server
        sh './gradlew clean sonarqube'
    }
} catch (e) {
    // notify the team with the build log attached
    emailext attachLog: true, body: 'See attached log', subject: 'BUSINESS Build Failure', to: 'abc@gmail.com'
    // clean the workspace after a failed run
    step([$class: 'WsCleanup'])
    // mark the build as failed; a bare return would leave it marked SUCCESS
    currentBuild.result = 'FAILURE'
    return
}
[/java]

  • Add the following plugin details to the build.gradle file (or to pom.xml if it is a Maven project):

a) Sonar Plugin (the classpath dependency must sit inside a buildscript block so Gradle can resolve it)
[java]buildscript {
    repositories { mavenCentral() }
    dependencies {
        classpath "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.5"
    }
}
[/java]
b) Apply the plugin:
[java]apply plugin: 'org.sonarqube'
[/java]
c) Add SonarQube Server Details:
[java]sonarqube {
    properties {
        property "sonar.host.url", "http://sonar.xxxxx.com" // URL of your SonarQube server
        property "sonar.projectName", "project display name" // this name will appear on the dashboard
        property "sonar.projectKey", "projectKey" // unique key under which the report is created
        property "sonar.groovy.jacoco.reportPath", "${project.buildDir}/jacoco/test.exec" // JaCoCo coverage data
    }
}
[/java]
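The script above sends an e-mail when the scan fails, but it does not stop a build whose analysis finds new problems, and the server URL is hard-coded in build.gradle. Below is an added example (not code from the original post) of a declarative Jenkinsfile covering the same steps, written so that the SonarQube quality gate decides the build result. It assumes a SonarQube server installation named 'sonar' has been configured in Jenkins under Manage Jenkins > Configure System (with its analysis token stored as a Jenkins credential), that the SonarQube Scanner, Email Extension and Workspace Cleanup plugins are installed, and that the SonarQube server has a webhook pointing back to Jenkins so that waitForQualityGate receives the gate result. The recipient address is the one from the original post.

```groovy
// Added example, not part of the original post.
// Assumptions: a SonarQube installation named 'sonar' is configured in Jenkins,
// the SonarQube Scanner, Email Extension and Workspace Cleanup plugins are present,
// and the SonarQube server has a webhook to this Jenkins instance.
pipeline {
    agent any

    options {
        // Keep build logs for a limited time (same idea as 'Days to keep builds').
        buildDiscarder(logRotator(daysToKeepStr: '14'))
        // Never let a hung scanner block an executor indefinitely.
        timeout(time: 30, unit: 'MINUTES')
    }

    stages {
        stage('Build and test') {
            steps {
                // Running the tests first produces the JaCoCo file that
                // sonar.groovy.jacoco.reportPath in build.gradle points to.
                sh './gradlew clean test'
            }
        }

        stage('SonarQube analysis') {
            steps {
                // withSonarQubeEnv exports the server URL and analysis token of the
                // 'sonar' installation to the Gradle scanner, so build.gradle needs
                // no hard-coded sonar.host.url and no token ever lands in the repository.
                withSonarQubeEnv('sonar') {
                    sh './gradlew sonarqube'
                }
            }
        }

        stage('Quality gate') {
            steps {
                // Wait for the server to report the gate result (delivered via webhook).
                // abortPipeline: true fails the build when the gate conditions, such as
                // new vulnerabilities or bugs, are not met, instead of only producing a report.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }

    post {
        failure {
            // Same notification as the original try/catch, but the build stays FAILURE.
            emailext attachLog: true,
                     body: "Build ${env.BUILD_URL} failed; see attached log",
                     subject: "BUSINESS Build Failure: ${env.JOB_NAME} #${env.BUILD_NUMBER}",
                     to: 'abc@gmail.com' // recipient from the original post; use a team alias in practice
        }
        always {
            // Declarative equivalent of step([$class: 'WsCleanup']).
            cleanWs()
        }
    }
}
```

Because the gate result, not the mere completion of the scan, decides success, a red dashboard can no longer sit behind a green Jenkins job; the `failure` block only sends the e-mail, it never overrides the result.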

  • Once the configuration is complete, developers can build the job manually or automatically. A manual build is started using the ‘Build Now’ option available on the left side panel of the screen.

Build Job

  • After the build process is complete in Jenkins, the scanner reads the code and checks each line against the rules; if it observes any violations, it sends a report to the Sonar server. Here is a sample snapshot of the SonarQube report.

Java Maven Project
Developers can view a list of issues on the SonarQube dashboard. If they want to find out what went wrong in their code base, all they have to do is click on the specific links (the numbers above). This redirects developers to the specific code, where they can fix the issues.
Here is an example: below is a test class, where we have created a sample Java class.
Sample Java Class
If you observe, the Code Smells count is 3; clicking on the number 3 redirects developers to the following screen on the Sonar server. It also shows the rule that was violated and the suggested fix.
Code smells count
In our code ‘testService.java’, we have used a sample System.out.println() call. On the Sonar server, a rule is defined that says to use a logger instead of System.out.
The main() method below is kept empty in our ‘testservice.java’ class; as can be observed, SonarQube recommends adding a comment to this method explaining why it is empty. Similarly, it shows other issues in the code.
testservice
Hope this post serves the purpose of providing insights on SonarQube integration. If you have any specific questions or comments, please feel free to post them below.

An Open Source Solutions Partnership with Evoke

At Evoke, we bring more than a decade’s experience as an IT leader in designing and implementing open source solutions for commercial enterprises. Our dedicated open source experts will understand your company’s most pressing challenges and guide you in developing a comprehensive strategy to meet them. Whether e-commerce, CRM, Content Management or Quality Assurance, Evoke has open source expertise to benefit your business.
Contact Evoke Technologies at +1 (937) 660-4923, and learn how we, as your open source solution provider, can start making your company’s software development and operations budget go farther today!

Author

Janardhan Reddy Thummaluri was a Senior Technical Associate at Evoke Technologies. With strong domain knowledge and extensive experience across varied technologies, including Salesforce, Pega, and Java/J2EE technologies, Janardhan is focused on providing innovative solutions to various clients of Evoke. He is extremely passionate about emerging technologies and likes to share his knowledge using various forums.

5 Comments

  1. Rita

    May 10, 2018

    When I try to generate the Sonar report using the pipeline script, it takes only the Java files where source is available. I am not getting the report for JS.

  2. Janardhan

    May 10, 2018

    Hi Rita,
    Please add this code: property “sonar.source”, “src/main/groovy”, specifying your JavaScript path separated by a comma, in the build.gradle file. Further, before running the Jenkins job ensure that JS script rules are defined in SonarQube.
    Example: property “sonar.source”, “src/main/groovy, webapp/js/”

  3. CHANDRASEKHAR NAGALLA

    August 25, 2018

    Hi Janardhan,
    I have followed what you explained above, but while building the pipeline I am facing the below issue.
    * What went wrong:
    Task ‘sonarqube’ not found in root project ‘AndroidTestApplication’.
    Could you please help me here?
    Thanks in Advance!
    Chandrasekhar N

  4. ntihin

    October 5, 2018

    We want SonarQube to scan the total project the first time, and from the second time onwards it should scan only the new commit.
    Let me know if any option is there.

  5. venu

    June 21, 2019

    Hello,
    May I know the method to download the SonarQube plugin if it is not available on the Jenkins -> Manage Plugins page?
