Complete understanding of static code analysis tools like SonarQube for Java & Integration with Jenkins. Explore the installation process and setup of SonarQube with MS SQL Server 2017:
What is Static Code Analysis?
Static Code Analysis or Source Code Analysis is the analysis of your source code in an automated way so as to find any security vulnerability, bugs, performance issues, or even non-compliance with standard coding rules. The analysis is done early in the lifecycle without executing the application.
With Static Code Analysis developers can find issues early on while coding and before they compile or during the build process. The analysis done during the execution time of the application is called Dynamic Analysis.
Table of Contents:
- SonarQube for Java – Complete Study
- What is SonarQube
- Installation and Setup of SonarQube with MS SQL Server 2017 on Windows
- User Management in SonarQube
- SonarQube Scanner
- Creating a SonarQube Project and Token
- Delete SonarQube Project
- Configure SonarQube Scanner
- GitHub Project
- Jenkins System Configuration
- SonarQube Webhook
- Jenkins FreeStyle Job
- Sonar Exclusions
- Sonar Quality Gates
- Create Quality Gate
- Jenkins Quality Gate Configuration and Fail Jenkins Job
- Conclusion
SonarQube for Java – Complete Study
In this two-part article on SonarQube For Java, we will look at how static code analysis tools like SonarQube and SonarLint can be used to run through the code, check whether it conforms to a certain pre-defined set of rules, and also help developers fix the issues.
Without such tools, manual code analysis takes a lot of time and effort.
What is SonarQube
SonarQube is a web-based static code analysis tool that developers use to perform automated analysis of their source code, and it helps to produce code free of bugs, vulnerabilities, security issues, etc. Typically the analysis is run against a defined set of coding rules before the application is executed, and it ensures that the code conforms to those guidelines.
SonarQube Workflow:
Developers write the code and use SonarQube to analyze it. If there are errors then a report of the code quality is displayed in the SonarQube project so that the developer can fix it and re-run the analysis.
So SonarQube alerts the developers during coding by detecting issues, bugs, etc., and helps them fix these before the code is deployed to the PRODUCTION environment.
Static code analysis is a very important aspect of the development/DevSecOps process. SonarQube supports around 25+ languages and integration with various build automation tools like Maven, Gradle, MSBuild, ANT, etc.
The pricing and plans for SonarQube can be found at Plans & Pricing | Sonar (sonarsource.com)
Here is a view of where SonarQube fits into the CI process:
In this article on SonarQube For Java, we will look at the below topics:
- Install SonarQube Community Edition (Free) on Windows
- SonarQube Scanner
- Setup SonarQube Project
- SonarQube analysis of a Java Maven
- Configuring the SonarQube plugin in Jenkins
Installation and Setup of SonarQube with MS SQL Server 2017 on Windows
SonarQube normally comes with an embedded database which is used for POC or for Demo purposes. In this section on SonarQube for Java, we will look at how to install and set up the SonarQube community edition with MS SQL Server 2017 database instead of the default inbuilt database on Windows.
Download the SonarQube community edition latest version from Download | SonarQube | Sonar (sonarsource.com). The differences between editions can also be found in the link.
Extract the ZIP file. I have extracted it to E drive.
If you are evaluating or going to use it for demo purposes then use the embedded database and start the SonarServer.bat from E:\sonarqube-9.9.0.65466\bin\windows-x86-64 folder.
For MS SQL Server configuration follow the steps below:
#1) Create a database called ‘sonar’ in SQL Server.
#2) Go to the Options page and select the collation as shown.
#3) Click on OK to create the database.
#4) Create a user called ‘sonar’ with SQL server authentication mode.
#5) Go to the User Mappings page and select as shown below for the sonar user.
#6) Click Ok.
#7) Open the sonar.properties file from the conf location of the SonarQube installation and modify the below lines in the file.
sonar.jdbc.username=sonar
sonar.jdbc.password=sonar
#----- Microsoft SQLServer 2014/2016/2017/2019/2022 and SQL Azure
sonar.jdbc.url=jdbc:sqlserver://<ServerName>;databaseName=sonar;encrypt=false
#8) Start the SonarQube server; it should start up as shown below:
The URL can be accessed with http://<ServerName>:9000/
The default user to log in is admin and the password is also admin which needs to be changed on the first login.
User Management in SonarQube
In this section let’s look at how to create users and add them to either the users group or the administrators group.
To add users as an admin go to Administration -> Security -> Users
Click on Create.
To add the user as Admin go to the Security -> Groups and click on the Blue icon next to sonar-administrators to Change group members.
Select the user and click on Done.
SonarQube Scanner
SonarQube Scanner, a CLI utility, is needed for analyzing your code with SonarQube.
=> Click here for the SonarQube Scanner for your OS.
The SonarQube scanner needs to be installed and run on your build machine. I am using a Windows build system and it is installed in E drive.
Before we configure the scanner let’s look at a few prerequisites such as creating a project and token for authentication in SonarQube.
Creating a SonarQube Project and Token
Launch SonarQube as admin and click on Create Project -> Manually
Enter the Project name and Project key. Click on Set Up.
The project is created.
Generate Token for analysis:
Click on your Profile -> My Account and go to the Security Tab.
Enter Name, Type, and Expiration details as shown. Click on Generate.
Remember to save the token for future use.
Delete SonarQube Project
To delete a project go to Administration -> Projects -> Management
Select the project and click on the Delete button on the right.
Configure SonarQube Scanner
SonarQube Scanner is the launcher recommended to analyze the SonarQube projects.
Open the file sonar-scanner.properties from the conf folder on the build machine where SonarQube Scanner is installed.
Enter the SonarQube server URL (sonar.host.url) and the sonar.login key with the value of the token generated. The token authenticates every analysis sent to the server, so protect this file as you would any other credential.
GitHub Project
I have the Java Maven project in GitHub which will be used for SonarQube analysis using Jenkins pipeline.
The GitHub project contains a sonar-project.properties, which is a project-level file, in the root of the project which contains properties for analysis like project name, key, source location, etc.
A sample is shown below and replace the values as per your SonarQube project:
sonar.projectKey=FSP
sonar.projectName=First-Sonar-Project
sonar.projectVersion=1.0
sonar.sources=src
# Encoding of the source code
sonar.sourceEncoding=UTF-8
Jenkins System Configuration
The first step is to install the SonarQube Scanner plugin from Manage Jenkins -> Manage Plugins. This activity will need to be done as a Jenkins admin user.
The next step is to define the SonarQube server in Jenkins -> Configure System -> SonarQube installations. Ensure to add a Global Credential using the token generated in the 3rd section from Manage Jenkins -> Credentials -> System -> Global credentials.
Next, add the SonarQube Scanner in Jenkins -> Global Tool Configuration. Click on Add SonarQube Scanner. Provide the Name and location of the SonarQube Scanner installation.
SonarQube Webhook
Normally, when the project analysis completes, the URL of the analysis report is sent back to Jenkins and shown in the console output. If the webhook is not configured then the report URL won’t appear in the Jenkins job console output.
In SonarQube up to 10 webhooks can be configured in an instance. To create a webhook as an admin user go to Administration -> Configuration -> Webhooks.
Click on Create.
Enter a name and for the URL enter http://<JenkinsURL>/sonarqube-webhook
Click on Create.
Jenkins FreeStyle Job
Before we create a Jenkins freestyle job let’s look at the sonar-project.properties file. As mentioned before this file contains the SonarQube project name, Key, and sources folder location for analysis.
Note: This file is at the root of the project.
Jenkins job – GitHub repo config, Maven goals, and SonarQube Scanner details.
Add a Build Step Execute SonarQube Scanner. Select the SonarQube Scanner defined in Jenkins Global Tool Configuration.
Add a line in Analysis properties to define the Sonar Project Key.
Click on Save and Build the job.
The highlighted INFO shown is due to the webhook configured in the previous section.
Analysis of SonarQube project – FSP is done and you can look at the report summary in the web interface of SonarQube. Click on Issues TAB.
If you look at the analysis, it contains 3 issues classified as Bugs, which means there is something wrong in the code. The issue severity is Major, which means a high impact on the developer; in this case the cause is unused parameters. The issues need to be resolved in the JSP file.
The other severity levels are: Blocker, which should be fixed immediately because it is highly likely to have an impact on PROD, for example memory leaks or unclosed JDBC connections; Critical, which should be reviewed immediately as it may be a security issue such as SQL injection; Minor, which has a low impact on developers, for example long lines of code or a switch statement with fewer than 3 cases; and Info, which is not a bug.
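As an added illustration of the Blocker and Critical examples named above (this is not code from the article or its GitHub project), here is a JDBC lookup written the way those findings arise, beside its corrected form. The `UserLookup` class, the `users` table and the `jdbcUrl`/`name` values are assumptions for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserLookup {

    // BEFORE: written the way the Blocker and Critical examples above arise.
    // - The Connection, Statement and ResultSet are closed only on the happy
    //   path; if executeQuery() throws, they leak (unclosed JDBC connection).
    // - The caller-supplied name is concatenated into the SQL text, so a
    //   value containing a quote changes the query (SQL injection).
    static int countUnsafe(String jdbcUrl, String name) throws SQLException {
        Connection con = DriverManager.getConnection(jdbcUrl);
        Statement st = con.createStatement();
        ResultSet rs = st.executeQuery(
            "SELECT COUNT(*) FROM users WHERE name = '" + name + "'");
        rs.next();
        int count = rs.getInt(1);
        rs.close();
        st.close();
        con.close();
        return count;
    }

    // AFTER: the same lookup with both findings resolved.
    // try-with-resources closes each resource on every path, and the
    // PreparedStatement binds the name as a parameter, never as SQL text.
    static int countSafe(String jdbcUrl, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (Connection con = DriverManager.getConnection(jdbcUrl);
             PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }

    // Usage: java UserLookup <jdbc-url> <name> (both values supplied by the caller)
    public static void main(String[] args) throws SQLException {
        System.out.println(countSafe(args[0], args[1])); //NOSONAR demo output only
    }
}
```

Running the analysis on a file like this is a quick way to see how the severities above map onto concrete findings before wiring the scanner into Jenkins.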
Fixing the Issue? In the below code, you can see that I have fixed all of the 3 issues in the code and I can now re-run the analysis through Jenkins job.
So you can see that there are no issues post-analysis. This is good code quality. Just imagine the time that you would have taken if there were more JSP or HTML or Java files for manual analysis.
SonarQube has actually helped in conforming to certain guidelines which is what is needed for good code quality.
Let’s look at another scenario. I have a simple HelloWorld Java file.
When I run the analysis, I get the below shown Code Smell issue which is related to maintainability and against the very fundamentals of software development.
Click on the second issue and you can have a detailed view of the issue.
Go to the tab “Why is this an issue?”. This gives an explanation of why System.out is not recommended.
Resolution #1: To resolve the issue I can mark it as False Positive by selecting the issue.
Resolution #2: Use a logger instead of System.out. Here java.util.logging is used, declared as a static field so that log.info resolves:

import java.util.logging.Logger;

class HelloWorld {
    private static final Logger log = Logger.getLogger(HelloWorld.class.getName());

    public static void main(String[] args) {
        log.info("Hello, World Niranjan!");
    }
}
Now the issue is gone.
Resolution #3: Use the built-in rule identifier in @SuppressWarnings("java:S106") to suppress only that rule (S106: standard outputs should not be used directly to log anything).

class HelloWorld {
    @SuppressWarnings("java:S106")
    public static void main(String[] args) {
        System.out.println("Hello, World Niranjan!");
    }
}
Resolution #4: Use the //NOSONAR tag at the end of the line to suppress all issues reported on that line.

class HelloWorld {
    public static void main(String[] args) {
        System.out.println("Hello, World Niranjan!"); //NOSONAR
    }
}
Final Code view and run analysis.
Hurray!! – No Bugs or Code Smell issues.
Sonar Exclusions
Use the sonar.exclusions property in the sonar-project.properties file to exclude files matching a pattern from the analysis. In these patterns * matches any characters within one path segment and ** matches any number of directories.
- Exclude the .java files in the src/main/webapp folder.
sonar.exclusions=src/main/webapp/*.java
- Exclude all files in a particular folder (use src/main/webapp/** to cover its subfolders as well).
sonar.exclusions=src/main/webapp/*
Sonar Quality Gates
Typically, from a code quality point of view, every project needs to meet certain conditions before it can be deployed to the different environments. These are pre-defined criteria that must be met. In SonarQube this is called a Quality Gate: it is evaluated after the analysis, and the results are checked against the criteria defined.
For e.g., if there are issues > 1 or Major issues > 1 then the quality gate should fail. It has to be resolved before proceeding.
In the last section, we did see just the sonar scan and its analysis. Here in this section, we will look at the below:
- Create a Quality gate and make it the default
- Add a condition
- Run the Jenkins job and fail the job if the quality gate fails
The result is either PASSED or FAILED.
Create Quality Gate
Launch SonarQube and click on Quality Gates -> Create.
Provide a name and click on Save.
Click on Unlock Editing.
Select the project to be associated with this quality gate and then click on Add Condition.
Add condition as shown and click on Add Condition.
The quality gate is now created. Click on Set as default on the top right.
Attach a project to the Quality Gate created in the Projects section.
Also, Grant permissions to a user or a group to manage this Quality Gate.
My code in GitHub also has 2 issues in index.jsp: the <!DOCTYPE> declaration and the lang attribute on the <html> tag are missing.

<html>
<head>
    <title>Hello World Maven App</title>
</head>
<body>
    <h2>Hello World from Niranjan Bengaluru, KARNATAKA, India </h2>
</body>
</html>
In the next section, we will look at the configuration if the Quality Gate fails then the Jenkins job also should fail.
Jenkins Quality Gate Configuration and Fail Jenkins Job
In the Jenkins job already configured add one additional argument under the Execute SonarQube Scanner build step.
-Dsonar.qualitygate.wait=true

(The explicit =true is the documented form of the property; it makes the scanner poll the server until the quality gate status is known and return a non-zero exit code if the gate fails.)
I have seen that this is the best possible option to fail the Jenkins job if the Quality Gate fails. If there are no other alternatives then you could use this.
Click on Save and trigger the build. Since there were 2 issues, the Quality Gate failed and so did the Jenkins job.
The SonarQube project view also shows the status of the project as Failed.
Let me correct the code by adding the DOCTYPE and the lang attribute and re-run the Jenkins job.

<!DOCTYPE html>
<html lang="en">
<head>
    <title>Hello World Maven App</title>
</head>
<body>
    <h2>Hello World from Niranjan Bengaluru, KARNATAKA, India </h2>
</body>
</html>
The Quality gate has now passed and also the Jenkins job is a success.
The project view in SonarQube also shows as Passed. As the quality gate is passed the artifact can then be uploaded to a binary repository manager like Artifactory and then taken forward for deployment to other environments.
The analysis and quality gate check can also be run from the command line with the below command, using the sonar-project.properties file for the remaining settings.
mvn sonar:sonar -Dsonar.host.url=http://<Sonar-Srvr>:9000 -Dsonar.login=<Token> -Dsonar.qualitygate.wait=true
Conclusion
In this short article on SonarQube For Java, we have seen the importance of inspecting code through static analysis and quality gates so as to ensure a high level of quality. It is very important that only good quality code, without bugs, code smells, or vulnerabilities, goes through to the PROD deployment.
A complete user guide on SonarQube For Java can be viewed at https://docs.sonarqube.org/latest/
SonarQube is truly an important code analysis tool for determining whether a software project meets the criteria for a production release, and it is integral to any DevOps or DevSecOps pipeline.