Static Code Analysis Tool: SonarQube
Hello, my friends,
I started using SonarQube in my projects. In this post, I will try to explain SonarQube on a Windows computer.
What will we examine in this post?
- What is SonarQube?
- How to install SonarQube?
- How to create a new project in SonarQube?
- How to scan a .NET project with SonarQube?
- What do the result titles in the report mean?
The first topic is what SonarQube is. SonarQube is a static code analysis tool. It is open source and supports 20+ languages. Let's start examining SonarQube.
Now we start the second topic. First, we will download the SonarQube tool from this link.
When the download has finished, we will extract the setup files from the zip. The setup files are in the bin folder.
We will use the StartSonar.bat file for the installation. The location of StartSonar.bat is as follows.
SonarQube will be ready for use when the installation has finished. If you see the field marked with yellow text, it means your application installation has finished. The screenshot is as follows.
The default address for SonarQube is http://localhost:9000. The start page screenshot is as follows. Now we can log in to our application. First, we click the Log in button. This button is on the right side of the header.
The default username and password for login are both admin. Now we can start creating a new project in SonarQube. First, we click the Create new project button on our Projects page.
We need to enter a project key and a display name to create a new project. My entries are as follows.
As the last step before analysis, we will create a token for the scan. I usually use the default values in this step. The screenshot is as follows.
Now we will choose the main language and download the files. SonarQube will use these files for the scan.
After downloading the package, we will add the package path to the environment variable list. This step is as follows.
Finally, SonarQube is ready for the scan. First, we open the example project folder in a command prompt window, then we copy the first command from the dashboard page and run it in the command prompt. The screenshot is as follows.
When the first command has finished, we will open the Developer Command Prompt. We will run the second command in this window (the Developer Command Prompt).
After the second step has finished, we go back to the command prompt for the final step. Now we copy the third command from the dashboard page and run it. SonarQube will show the results on our screen when the scan has finished. My results are as follows.
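The three scan steps above can also be run as one script. The following PowerShell is an added example, not part of the original post or the commands shown on its dashboard: it assumes the scanner package and MSBuild are both on PATH (for example in a Developer prompt), uses a placeholder project key, and reads the token from an environment variable named SONAR_TOKEN (an assumed name) so the token is not written into the script.

```powershell
# Added example: begin / build / end scan steps for a .NET project.
# Run from the project folder. Copy the exact parameters from your own
# dashboard; newer scanner releases name the token parameter sonar.token.
$ErrorActionPreference = 'Stop'

$ProjectKey = 'my-project-key'         # placeholder: key entered when the project was created
$SonarUrl   = 'http://localhost:9000'  # default address from the post
$Token      = $env:SONAR_TOKEN         # assumed variable holding the generated token

if ([string]::IsNullOrWhiteSpace($Token)) {
    throw 'Set SONAR_TOKEN to the token generated for this project.'
}

# Both tools must be resolvable before the scan starts.
foreach ($tool in 'SonarScanner.MSBuild.exe', 'MSBuild.exe') {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        throw "$tool was not found on PATH."
    }
}

# Run one step and stop the whole scan if it returns a non-zero exit code.
function Invoke-Step {
    param([string]$Name, [string]$Exe, [string[]]$Arguments)
    Write-Host "== $Name"              # the arguments (and token) are not echoed
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Name failed with exit code $LASTEXITCODE."
    }
}

# Step 1: start the analysis session for this project.
Invoke-Step 'begin' 'SonarScanner.MSBuild.exe' @(
    "/k:$ProjectKey",
    "/d:sonar.host.url=$SonarUrl",
    "/d:sonar.login=$Token"
)

# Step 2: rebuild so the scanner can observe the full compilation.
Invoke-Step 'build' 'MSBuild.exe' @('/t:Rebuild')

# Step 3: finish the session and upload the results to the server.
Invoke-Step 'end' 'SonarScanner.MSBuild.exe' @("/d:sonar.login=$Token")
```

Because each step checks its exit code, a failed build stops the script before the end step uploads an incomplete analysis.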
The scan is finished. Now we will examine the results under the following 6 titles.
Quality Gate: SonarQube has quality gates for projects. A quality gate consists of a set of metrics. I used the default SonarQube quality gate. You can create a new quality gate or change the available quality gates. The quality gate is important for a project because developers will write high-quality code in order to pass this gate. My default quality gate metrics are as follows.
Bugs: Under this title you can see the code errors in this project. If you click 40 (that is the number for my project), you can see the code errors. For example, my bugs are as follows.
If we click any bug, what can we see?
For example, I clicked the first code error:
- This bug is in the wwwroot/lib/bootstrap/dist/css/bootstrap-reboot.css file.
- This bug was created 21 hours ago.
- This bug's effort is 1 minute.
- This bug has not been assigned to any user yet. You can click Not assigned and assign it to anyone.
Vulnerabilities: This title is about security and is as important as bugs. My example project didn't have any errors in this category, but its detail page is like the bugs detail page.
Code Smells: This title is about maintainability and readability. We have 23 code smells, and we need 3 hours to solve them.
If we have a look at an example code smell's details:
- This code smell is in the Pages/Index.cshtml.cs file.
- This code smell's level is Critical.
- This code smell's effort is 5 minutes.
- This code smell was created 21 hours ago.
Coverage: This category is about tests. We didn't write tests for our test project. If we write tests, we can see the rate in the project.
Duplications: This category is about the ratio of reused rows to total rows. The result for my example project is as follows.
See you in the next posts.
Good works 🙂