Using SonarQube to automate quality checks for your Maven Project

The Research and Development Team of Mitra Innovation has been using SonarQube for analysing a number of Maven projects. Pleased with the results so far, the team felt compelled to share some of their experiences in using SonarQube with Maven. This is a quick guide to setting up SonarQube and configuring it for your Maven project.

First, what is SonarQube?

SonarQube is a readily available open source platform for automatic code review using static analysis, in order to detect bugs, code smells and security vulnerabilities in over 20 programming languages including Java, C#, JavaScript, C/C++ and COBOL. SonarQube also claims to be the only product on the market that supports a ‘leak approach’ as a practice for code quality.

Nirodha Kathaluwa, working with the Research and Development team at Mitra Innovation, further explains, “In general, a set of predefined rules refer to programming languages, and as per the skills of developers, the rules can be re-defined as well. The purpose of SonarQube is to check whether code is in line with pre-defined rules.”

About Maven

Maven was originally developed as an attempt to simplify build processes in the Jakarta Turbine Project. Maven engineers have previously explained that there were several projects, each with its own Ant build files that were all slightly different, and Java Archives (JARs) that were checked into the Concurrent Versions System (CVS). The engineers behind Maven were looking for a standard way to build the projects with a clear definition of what each project consisted of, as well as an easy way to publish project information and a way to share JARs across several projects.

They ended up building a tool that can now be used for building and managing any Java based project.

Maven’s objectives

Maven’s primary goal is to allow developers to comprehend the complete state of a development effort in the shortest possible time. Maven aims to achieve this by sticking to the following objectives:

● Making the build process easy
● Providing a uniform build system
● Providing quality project information
● Providing guidelines for best practices development
● Allowing transparent migration to new features.

Maven limitations

Maven does however have its limitations. If you decide to use Maven, and have an unusual build structure that you cannot reorganise, you may have to forgo some features, or the use of Maven altogether.

Configuring SonarQube for Maven

Now that we have a basic understanding of what SonarQube and Maven are, we have outlined below how to install SonarQube and configure quality checking for your Maven projects.

Download SonarQube

To work on the SonarQube platform, download the latest version via https://www.sonarqube.org/downloads/.

A zip archive is downloaded, which can be extracted to any directory.

(Fig 1: Here we have downloaded SonarQube version 6.4 and extracted it into the Program Files folder of our local disk (C:).)

Select your operating system

Once the download and extraction are complete, select the folder for your operating system from the folders available in the bin folder, as illustrated below:

(Fig 2: Here we have selected Windows as the operating system for installation)

Installing SonarQube

Next, open a Command Prompt:

Start menu > (type) cmd > (press) Enter

If you are using Windows, run the following:

C:\Program Files\sonarqube-6.4\bin\windows-x86-64\StartSonar.bat 

(Fig 3: Here is a screenshot of commands to perform the installation of SonarQube on Windows)

If you are using a different operating system, run the following instead:

/etc/sonarqube/bin/[OS]/sonar.sh console

Once the installation commands have been successfully performed, your SonarQube server is up and ready for use, as shown below.

(Fig 4: Screenshot of successful installation of SonarQube on Windows)

Using SonarQube

After successfully installing SonarQube, we accessed the application by entering http://localhost:9000/ in the browser’s URL bar in order to log in to SonarQube. At this point, system administrator credentials are required for logging in. The default values are admin/admin; change this default password after the first login, since anyone who can reach the server could otherwise administer it.

(Fig 5: SonarQube login screen appears when http://localhost:9000/ is entered in the URL bar after successful installation)

Create login credentials

Login credentials are managed via Administration > Security. Access may be granted or revoked according to user levels.

Creating your quality profile

SonarQube comes with predefined quality profiles; however, should you wish to create your own quality profile, you may do so via Quality Profiles > Create.

(Fig 6: Quality Profile Management on SonarQube)

Managing plugins

SonarQube allows for the installation of plugins. The Update Center, accessible through the Administration section, provides for installing, updating, upgrading, viewing and deleting plugins. This is done via Administration > System > Update Center.

(Fig 7: The Update Center allows for installing, deleting or updating plugins)

Furthermore, you may also add locally developed projects to your GitHub account. During the Continuous Integration build phase, projects may be pointed at the SonarQube instance deployed on the local server to check code quality. If any vulnerabilities are reported in the code, developers can fix the code and re-run the analysis.

Configuring your Maven project for SonarQube quality checks

In order to quality check your Maven project, declare a profile for it. Here we created an example Maven project named ‘HelloMaven’ for the purpose of demonstrating the configuration.

Next, the Maven settings.xml file has to be edited so that the Maven project points to the local SonarQube server. On our PC this file is located in:
C:\Program Files\apache-maven-3.5.0-bin\apache-maven-3.5.0\conf

(Fig 8: Point your Maven Project to your SonarQube server in the settings.xml file)

Point your Maven Project Profile to your local SonarQube Server in the settings.xml file, as below:

(Fig 9: Pointing the Maven Project to SonarQube)
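As an added example (not the page’s own screenshot), here is a settings.xml that points Maven at the local SonarQube server from this guide, placed in the conf folder mentioned above. The profile id, plugin group and property name follow the standard SonarQube Scanner for Maven configuration; the server URL is the local default used throughout this guide.

```xml
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">

  <!-- Lets "mvn sonar:sonar" resolve the scanner plugin without the full groupId:artifactId prefix -->
  <pluginGroups>
    <pluginGroup>org.sonarsource.scanner.maven</pluginGroup>
  </pluginGroups>

  <profiles>
    <profile>
      <id>sonar</id>
      <!-- Active by default, so every build on this machine reports to the same server -->
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <properties>
        <!-- The local SonarQube server started earlier in this guide -->
        <sonar.host.url>http://localhost:9000</sonar.host.url>
        <!-- Do not store a sonar.login token or password here in plain text. If the server
             requires authentication for analysis, pass the token on the command line
             (mvn sonar:sonar -Dsonar.login=...) from an environment variable or a CI secret. -->
      </properties>
    </profile>
  </profiles>
</settings>
```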

Run your Maven Project in order to add the project to SonarQube

Open the command prompt and change your directory to where the project is located.
cd C:\Users\nirodhas\eclipse-workspace\HelloMaven

Then run the Maven project to add the project to SonarQube with the following command:
C:\Users\nirodhas\eclipse-workspace\HelloMaven> mvn clean verify sonar:sonar

(Fig 10: Commands to add your Maven Project to SonarQube)

If your Maven project has been built successfully, you will see the following information in the Command Prompt, and the project will appear in SonarQube at http://localhost:9000.

(Fig 11: Build success screen that appears if the Maven project has been built successfully)

SonarQube dashboard

(Fig 12: Successfully built Maven Project visible on the SonarQube dashboard)

The SonarQube dashboard displays important information about the projects that have been added, so project quality can be assessed at a glance. Filters on the left show the criteria that reveal the quality of the projects, and the projects matching those filters are listed on the right.

SonarQube presents a summary of quality concerns and issues to inform developers.

(Fig 13: Breakdown of quality concerns as raised by SonarQube)

A brief understanding of SonarQube’s quality concerns

● Bugs and vulnerabilities: Urgent issues that need to be addressed as soon as possible.
● Code smells: Maintainability issues that need to be fixed to prevent further ripple effects in the code.
● Coverage: How much of the code is exercised by automated tests, which helps identify and reduce bugs. SonarQube reads coverage reports produced by tools such as Cobertura and JaCoCo for this purpose.

SonarQube also provides a Quality Gate feature, which allows you to assess whether or not the project in question is, quality-wise, ready for production.

(Fig 14: If the Quality Gate status is ‘Passed’, the project in question may be considered ready for production)

Exiting SonarQube

To exit SonarQube, run the StopNTService.bat file as an administrator.

(Fig 15: Exit SonarQube by running StopNTService.bat as administrator)

Conclusion

We hope this example project using SonarQube and Maven has been useful to you. Subscribe here to receive further updates, ‘How-To Tech Guides’ and news from Mitra Innovation.

Abdullah Muhsin
Specialist Digital Marketing and Content Writing

Nirodha Kathaluwa
Research & Development Intern