This article will explain how to setup quality control through SonarQube and how to use it. It will be two-part article to maintain overview and readability. In the first part, the setup of SonarQube will be discussed and in the second part the usage.
The setup consists of a few dependencies that have to be installed and some have to be configured.
To give a sneak peak of what it will look like after installing, see the image below.
The frontpage gives an insight in the following things for each project (These insights are also available for prior scans/versions);
- Quality Gate (Did it pass or not)
- Bugs ('Bad Code')
- Code Smells ('Bad Practices')
- Duplicate Code
- Code Coverage by Unit Tests
- Technical Debt (The time it takes to solve everything)
To start using SonarQube, you need to install a few packages:
- SonarQube Server, This keeps track of all your individual projects and previous scans on these projects. The issues can be seen and browsed in the GUI of the server. Which I personally think is quite comprehensive and functional.
- SonarQube Scanner, This actually scans your project. When it has finished scanning, it triggers a background task in the server to analyze the new scan. You can choose the regular scanner here or the MSBuild scanner. The regular scanner gives some issues on VS Projects which do not occur with the MSBuild scanner. An example is; "Provide an 'Assembly Version' attribute for this assembly." on every file. You can find a compatibility list for the MSBuild scanner here.
- Java JDK, This Java Development Kit is needed because SonarQube runs on Java.
- SQL Server, This is needed to store the data of, among others, the scan results/projects. In this case we use MSSQL and need to have version 12.0+ (MS SQL Server 2014+). Other databases that are supported are; MySQL 5.6+, Oracle 11+ and PostgreSQL 8+
- Microsoft JDBC Driver, This driver is needed by Java to be able to interact with the MS SQL Database Server
Create a Database
Start with Creating an empty scheme/database in MS SQL. Make sure the database collation is:
(Case Sensitive and Accent Sensitive)
and not the default database collation:
(Case Insensitive and Accent Sensitive).
To let SonarQube access data in the database, you can either use integrated security or create a user which has the right permissions. If you want to create a user, do this under logins with SQL Server Authentication and set the user mapping to the SonarQube database with the role membership 'db_owner'.
Configure the Server
After extracting the package it is not so much installing the server, but mainly configuring it.
Add the Microsoft JDBC Driver
First of all, you have to import the 'sqljdbc_auth.dll' file from the JDBC Driver package in the SonarQube folder. SonarQube documentation states it can be placed everywhere. However I noticed this is not the case for some folders, so just put it in the top-level folder.
Edit the server configuration file
After placing the driver, open the sonar.properties file. Which can be found in the conf folder. in this file you have to setup the properties for the database connection and some optional properties for the SonarQube server.
You have to configure the account that will be used for the database connection. This can be done through Windows or SQL Server Authentication. For Windows Authentication just use the following:
If you want SQL Server Authentication, you can remove 'integratedSecurity=true' from the prior rule. But then you have to set the following properties:
You can also configure some server properties. The most important are the host and port:
Start the Server
After installing the dependencies and configuring you can start the server by running:
You could also install, run and stop it as a NT Service by, respectively, running:
There are some common errors when trying to startup the server for SonarQube.
- Java SDK not found/installed
- Database Server configuration is incorrect
There are two main issues that can occur and can be resolved in the Sql Server Configuration Manager;
- TCP/IP is not enabled
Click on Network Configuration --> Protocols --> Enable TCP/IP
- Port 1433 is unavailable
Open the TCP/IP properties and select IP Addresses. Clear TCP Port for IP and set it at 1433 for IPALL
- Access Denied, start it as Administrator
- Default port 9000 is in use, configure it to use another port
- Outdated SQL Server version, the minimum required version is SQL Server 2014
To help at other errors you can find logs at the logs folder. There is a log for different processes within SonarQube. When starting up the processes 'es', 'web' and 'ce' are started. if a process does not show the message it is up and running, you can find the error in the corresponding process log.
Set the Quality Standard
Quality Profiles are collections of rules to apply during an analysis.
You can also create a custom profile, per language if needed, and activate rules that should apply for your profile. Some example rules for C# can be seen below.
It is also possible to add custom rules, this can be accomplished through XPath or Java. However it is not possible to add rules for every language, custom rules are not supported for e.g. C++, C#, VB. A full list of language support for and information about custom rules can be found here.
A Quality Gate is the set of conditions the selected project(s) must meet before it can be released into production. If the conditions are not met, the Quality Gate fails and you should refactor things before releasing it. The main categories for the conditions are:
- Code Complexity
- Duplicate Code
- Management (In terms of business value)
- Security / Vulnerability
- Test Coverage
If all goes well, by now you should have a running SonarQube server. As mentioned before, this is a two part article and the second part will guide you through scanning projects and the usage of SonarQube.
A last important note; Overall you should consider implementing a company-wide 'base guideline' for the Quality Profile and the Quality Gate. There should be an as uniform as possible definition of quality, even though there could always be some exceptions.