An Introduction To SonarQube

How to setup SonarQube for static code analysis of your codebase

SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews using static analysis to detect bugs, code smells and security vulnerabilities in 20+ programming languages.

You can make SonarQube a part of your Static Application Security Testing (SAST) process and follow the flow below.

Before a feature branch is merged into the production branch, it will be mandatory to have a SonarQube report linked to the pull request. Code reviewers are expected to look at this report and not approve the PR until all violations reported by SonarQube are fixed.

Issues Identification

SonarQube helps identify issues such as bugs, code smells, security hotspots and other vulnerabilities. Issues are identified based on the rules available in SonarQube, and those rules are configurable. Multiple programming languages are supported, so you can configure your project accordingly and apply different rules to different languages by creating quality profiles. A quality profile is simply a set of rules.

Type of issues and Severity

There are three types of issues:

Bug: Any part of the code that can cause an error at compile time or run time is treated as a bug. A missing null check is one of the most common examples.

Vulnerability: Code that can make your system vulnerable to attackers. Weak hashing algorithms and building SQL queries directly in code are some of the examples.

Code Smell: This is not a severe issue. It flags code that works but deviates from good coding practice and should be cleaned up.

The severity of each issue is also defined according to the impact it can have on your system:

Blocker is the highest severity: issues in this category can break your code badly and need to be fixed as soon as possible. You can also change the severity of a rule to suit your needs.

Rules

Coming to how these issues are identified in your codebase: SonarQube ships with pre-configured rules that you can use by building your own quality profile or by using the default profile provided by SonarQube. You can also configure your own rules and set their severity and type.

SonarLint Plugin

SonarQube also provides a VS Code plugin, SonarLint, that can be used while you are writing code. The plugin points out issues such as where you should add null checks. You can configure the rules in this plugin too. If you want to see why an issue is being reported, click the info icon to view all the details.

Setup & Analysis

We will be setting this up on Linux, but it can be used on any platform. You can also host the SonarQube web UI to view the reports of your analysis at any time.

Let's start....

SonarQube is written in Java, so Java must be installed for it to run. To install Java, run the following command:

sudo apt-get install openjdk-11-jdk

Now we have to install a database to store the details. We will set up MySQL in this process; you can also use PostgreSQL. Run the following:

sudo apt install mysql-server-5.6
sudo apt install mysql-client-5.6

After the installation, start the MySQL service with the following command:

sudo service mysql start

Check its status by running the following:

sudo service mysql status

Let's create a database for SonarQube by running this query:

CREATE DATABASE sonarqube;

Let's create the user that SonarQube will connect as and grant it privileges on that database only (give it a real password; a GRANT to a user that does not yet exist would create it with an empty password on MySQL 5.6):

CREATE USER 'sonarqube'@'%' IDENTIFIED BY '{password for database}';
GRANT ALL PRIVILEGES ON sonarqube.* TO 'sonarqube'@'%';

Reload the privilege tables after granting them by running the following:

FLUSH PRIVILEGES;

That completes the prerequisites. Now let's install SonarQube.

SonarQube is not provided in the default apt-get repositories, so we first have to add its repository and then update the package index using the following snippet:

echo "deb http://downloads.sourceforge.net/project/sonar-pkg/deb binary/" | sudo tee -a /etc/apt/sources.list.d/sonarqube.list > /dev/null
sudo apt-get update

Now we can install SonarQube via apt-get as shown below:

sudo apt-get -y install sonar

After installing it we have to configure a few things, so let's get on to that part.

We have to set the MySQL database properties in SonarQube's properties file, which you will find at the following path:

/opt/sonar/conf/sonar.properties

Set the following properties in the file:

sonar.jdbc.username={username for database}
sonar.jdbc.password={password for database}
sonar.jdbc.url={url of the database}

Now, to start the SonarQube service and check its status, run these commands:

sudo service sonar start
sudo service sonar status

After that you can access SonarQube by opening localhost:9000 in your browser.
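The configuration and start-up steps above, as an added example that is not part of the original article: a script that renders the three JDBC properties into sonar.properties from environment variables (so the database password is never typed into a script or shell history), creates the file with owner-only permissions, and checks that the server is up by parsing the response of the /api/system/status endpoint. The JDBC URL format and the SONAR_DB_* variable names are assumptions for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the article): render sonar.properties from the
# environment and verify SonarQube is up. SONAR_DB_* names are assumed.
set -euo pipefail

# Write the three JDBC properties described in the article into $1.
# User and password are required; the URL defaults to an assumed example
# for a local MySQL instance holding the "sonarqube" database.
render_sonar_properties() {
  local out="$1"
  : "${SONAR_DB_USER:?SONAR_DB_USER must be set}"
  : "${SONAR_DB_PASSWORD:?SONAR_DB_PASSWORD must be set}"
  local url="${SONAR_DB_URL:-jdbc:mysql://localhost:3306/sonarqube?useUnicode=true&characterEncoding=utf8}"
  # Subshell so the restrictive umask (owner-only file) does not leak out.
  (
    umask 077
    cat > "$out" <<EOF
sonar.jdbc.username=${SONAR_DB_USER}
sonar.jdbc.password=${SONAR_DB_PASSWORD}
sonar.jdbc.url=${url}
EOF
  )
}

# Return 0 when a /api/system/status JSON body reports "status":"UP".
# $1 = JSON text such as {"id":"...","version":"...","status":"UP"}
sonar_status_is_up() {
  printf '%s' "$1" | grep -Eq '"status"[[:space:]]*:[[:space:]]*"UP"'
}

# Poll the running server until it reports UP (needs a live server, so it
# is not exercised by the offline test). $1 = base URL of the server.
wait_for_sonar() {
  local host="${1:-http://localhost:9000}" i
  for i in $(seq 1 30); do
    if sonar_status_is_up "$(curl -sf "$host/api/system/status" || true)"; then
      echo "SonarQube is up at $host"
      return 0
    fi
    sleep 5
  done
  echo "SonarQube did not come up at $host" >&2
  return 1
}
```

Run it as `SONAR_DB_USER=sonarqube SONAR_DB_PASSWORD='...' render_sonar_properties /opt/sonar/conf/sonar.properties` (as a user allowed to write there), then `wait_for_sonar` after `service sonar start`.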

Steps to do the analysis

We have to set up the sonar scanner separately; it is the tool that performs the analysis of your project. Download it with the following command:

wget -q https://sonarsource.bintray.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-3.2.0.1227-linux.zip

This downloads the sonar scanner; unzip it so that you can run it with this command:

unzip sonar-scanner-cli-3.2.0.1227-linux.zip

Final step

To analyse a project, create a file named sonar-project.properties in the root folder of your project and add the following properties to it:

sonar.projectKey={You will get the project key from sonarqube server}
sonar.sources={the path of the files you want to analyse}
sonar.exclusions={add the path to the files if you want to exclude any}

Then run the command below in your project directory. After the process completes, you will be able to see the report at localhost:9000:

sonar-scanner
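The analysis step above, as an added example that is not part of the original article: a script that writes sonar-project.properties for a project (refusing to proceed without the project key the server assigns, and excluding vendored and generated directories so findings point at your own code) and then invokes sonar-scanner with the server URL and a user token passed through the environment rather than committed to the repository. The project key, source path, exclusion patterns and the SONAR_HOST_URL/SONAR_TOKEN variable names are assumed example values.

```shell
#!/usr/bin/env bash
# Added example (not from the article): generate sonar-project.properties
# and run the scanner. Values and SONAR_* variable names are assumed.
set -euo pipefail

# Write sonar-project.properties into the project root $1.
# $2 = sonar.projectKey (from the SonarQube server), $3 = sonar.sources,
# $4 = sonar.exclusions. Returns 1 without writing if the key is empty.
write_sonar_project_properties() {
  local root="$1" key="$2" sources="${3:-.}"
  # Assumed default exclusions: third-party and build output directories.
  local exclusions="${4:-**/node_modules/**,**/vendor/**,**/build/**}"
  if [ -z "$key" ]; then
    echo "error: sonar.projectKey is required" >&2
    return 1
  fi
  cat > "$root/sonar-project.properties" <<EOF
sonar.projectKey=${key}
sonar.sources=${sources}
sonar.exclusions=${exclusions}
EOF
}

# Run the scanner from the project root $1 (needs a live server, so it is
# not exercised by the offline test). sonar.host.url and sonar.login are
# standard scanner properties; the token comes from SONAR_TOKEN so it is
# never written into the properties file or the repository.
run_sonar_scan() {
  local root="$1" host="${SONAR_HOST_URL:-http://localhost:9000}"
  : "${SONAR_TOKEN:?SONAR_TOKEN must be set to a SonarQube user token}"
  (
    cd "$root"
    sonar-scanner -Dsonar.host.url="$host" -Dsonar.login="$SONAR_TOKEN"
  )
}
```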

Conclusion

In this article, we explored SonarQube, a very popular static code analyzer: how it identifies issues, the types of issues and their severity levels. We also learnt how to set up SonarQube to find static code issues in our codebase. It flags issues during development and recommends good coding practices, giving us a better-quality codebase.

Hope you enjoyed reading this article and found it helpful. Happy learning!
