Integrating and Understanding SonarQube in Android

SonarQube is a platform to analyze code quality,security and reliability.It is a continuous inspection engine and offers reports on duplicated code,exception handling, coding standards, unit tests, code coverage, code complexity, potential bugs, comments , design and architecture etc.

SonarQube supports 20+ programming languages.Plugins for some languages (C#, Java and, JavaScript) are bundled with the platform. To analyze a different language, we can install the plugin .

Installing SonarQube

1.Go to https://www.sonarqube.org/downloads/  and download the latest version of Sonarqube by clicking on Download Latest.

2.Unzip the downloaded archive.

3.Go to sonarqube-/bin folder.You will see different folders based on platforms.

screenshot

4.Open the corresponding folder according to your platform.There you should see a batch file named StartSonar for windows (or sonar.sh for other platforms)

5.  Double click on StartSonar batch file(or open up a terminal window and execute: sonar.sh start for other platforms). This will open a sonarqube console.Wait for the execution to complete and then you will see message ‘Process[ce] is up’ and ‘SonarQube is up’.

6.Open localhost:9000 on browser.You will see Sonarqube web page.

screenshot2

Installing Sonarqube Scanner

7.Add sonarqube plugin to app module gradle file of your project.

plugins {
    id "org.sonarqube" version "2.2.1"
}

8.Define Sonarqube properties for your project and sync your project.

sonarqube {
    properties {
        property "sonar.projectName", "SonarqubeDemo"
        property "sonar.projectKey", "SQKey"
        property "sonar.sources","src/main/java"
        property "sonar.language","java"
        property "sonar.sourceEncoding", "UTF-8"
//        property "sonar.exclusions", "src/main/java/com/foo/Foo.java"
    }
}

sonar.projectKey can contain any unique key name for your project.It should be different for every project you are analyzing with Sonarqube

sonar.sources contains the path of java files.

sonar.exclusions can be used to exclude directory/files from being analyzed by Sonarqube.

9.After building or syncing project,open Command Prompt and navigate to app module directory where your gradle file is located.

10.Execute gradle sonarqube and wait until the build is completed.

11.Refresh or open localhost:9000 web page on browser.You will see your project added.

Understanding Sonarqube analysis

At top right of web page you will see a login option.You can login as an administrator by using both username and password as admin .

12.On Home page you will see the count for the number of projects being added to sonarqube and number of bugs,Vulnerabilities and Code Smells.

As per their documentation,

Bugs

Bugs track code that is demonstrably wrong or highly likely to yield unexpected behavior.

Vulnerabilities

Vulnerabilities are raised on code that is potentially vulnerable to exploitation by hackers.

Code Smells

Code Smells will confuse maintainers or give them pause. They are measured primarily in terms of the time they will take to fix.

13.When you will navigate to Projects tab you will see projects being rated from A to E on the basis of Reliability,Security and Maintainability where A being best and E being worst. Also you will see percentage of duplications in the code and the size of code in terms of number of lines of code.

14.Quality Gate is the set of conditions the project must meet before it can be released into production.You can see whether your project is passed or failed in terms of Quality Gate.

screenshot3

15.When you will navigate to Issues tab,you will see list of various issues your projects has. In the left panel you can apply various filters to list issues on the basis of type,severity,status etc.

When you will select Effort in Display Mode you will see estimated time required to handle these issues.

screenshot4

16.Clicking on the arrow at the right end of an issue will take you to the line in your code where issue is found.

screenshot5

17.Clicking on three dots at the right of an issue will give you detailed report about the issue with Compliant and Non Compliant code example.

screenshot6

18.When you will navigate to Rules tab , you will see the list of rules on the basis of which inspection is done.In the left panel you can apply various filters to list rules on the basis language,type,tags etc.

screenshot7

19.Navigating to Quality Profiles will allow you to activate more rules.To activate more rules,click on the down arrow corresponding to the language section and select Activate More Rules.

screenshot8

You will see list of unactivated rules.Clicking on any rule will give you detailed explanation of the rule.Clicking on Activate will show a dialog where you can select quality profile and severity and activate the rule.

screenshot9

20. Navigating to Quality Gate tab will allow you to customize the conditions for Quality gate or create your own quality gate.

screenshot13

21. Administration tab section allows you to edit global settings for this SonarQube instance.

22.In Administration section,click on System tab and go to Update Center. Here you can install various plugins.

In Installed section you will see plugins which are already installed.

In Updates Only section you will see updates for  various installed plugins.

In Available Section you will see various plugins which are available to install.You can install plugins for various languages which you want to support.Also there are plugins for various external analyzers like FindBugs which provide Findbugs rules for analysis of Java projects

screenshot12

Please feel free to post any queries,doubts or suggestions in comments section and I will get back to you as soon as possible!

If you like my post please rate it as it will mean a lot to me!

Advertisements

4 thoughts on “Integrating and Understanding SonarQube in Android

  1. Thank you very much for your post!

    Pretty clear and straight forward explanations.

    Quick question: Do you have any suggestion on plugins that everyone should use in the Sonar?

    Thank you once again,
    Levi

    Liked by 1 person

  2. Hello! Thanks for the awesome tutorial! But I have problem writing the plugins to the gradle-files. Exactly where should that bit of code be inserted in the application? MY project has two gradle.build files?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s