Improve code quality, getting started with SonarQube

I’m currently member of a scrum team in which we are working with SonarQube to manage our code quality. I was hesitant and skeptical at first, but since I started to see the benefits of it, I’m becoming more and more a fan of SonarQube. This article explains why working with a product like SonarQube is a good idea and how to get started with it.

SonarQube

What is SonarQube?

SonarQube is an open source platform which helps development teams to manage their code quality. The primary objective during the development of SonarQube was to make code quality management as easy and accessible for everyone as possible.

In its core, SonarQube contains reporting tools, a database to track historical analysis and analyzers to inspect the source code, but it also contains a plugin mechanism which enables the community to extend the base functionality. More than 20 different languages are supported, including Java, C#, C/C++, JavaScript, PHP, Web, and XML. The platform also offers the ability to configure your own and existing rules on those languages.

SonarQube differences from its competitors as it focusses on all the seven axes of code quality, also known as “The 7 deadly sins of software development” and not only on bugs and complexity. Another strength of SonarQube is that it also expresses its metrics into business values like technical debt, impact and risks.

The 7 deadly sins of software development

There are seven deadly development sins which are a threat for the quality of your codebase. Even the most experienced developers might have some insidious habits returning over and over again;

1. Bugs and potential bugs, probably the most urgent sin as it represents parts in the code which can not only go wrong today, but also in the near future.
2. Duplications, this is also a very bad coding sin as it duplicates all potential problems like coding standard breaches and bugs in the original occurrence of the code.
3. Coding standards breach, it’s all about not following the team-agreed standards. Coding standards increase the readability and understandability of the code for each team member.
4. Lack of unit tests, unit tests help to keep bugs and regressions from slipping into the production code. They also ensure that changes in existing code don’t break the original functionality.
5. Bad Distribution of Complexity, developers might put too much logic in a method of class which make it very hard for others to read and understand. It’s normal that a program will have some complex classes and methods, but make sure you don’t have too many of them.
6. Spaghetti Design, having a high complexity at the project architecture level, rather than in a single method or class. People introduced to the project will have a very hard time understanding how the project is organized and where new code should be written. Worst case it might even increase the code complexity as they will introduce their own redundant structures and utilities.
7. Not enough or too many comments, there should be a good balance between the lines of required comments and source code which is self-explaining. If you have to many comments, there is a risk that comments are no longer up to date with the code. It’s also an indication that the code is probably too complex to understand and/or not following coding standards.

SonarQube helps to increase the quality of the code by focusing on all the 7 sins above.

Good reasons why you should think about implementing automatic code reviews

• It’s natural for everyone to make mistakes, which means that bugs and issues can occur over time.
• Manual code reviews are time consuming and mistakes can still slide through, although it’s always wise to perform both types of reviews as they are complementary to each other.
• Automatic code reviews offer objective and repeatable application insight.
• It prevents bugs and issues from slipping into production code. Catch them as soon as you can!
• It increases code readability and understandability for the team members
• Productivity will be able to increase
• It will make you and your colleagues better developers, as everyone will learn from the mistakes. Every rule comes with a detailed explanation why it was triggered and what you can do to improve it.
• Reports can be shared with the customer to express that code quality is a serious matter for your team

Things to take into account when implementing SonarQube

• SonarQube is often installed as a server process. In normal scenario’s it will run the code review only during predefined moments, like once a day.
• Server processes are often limited by hardware capacity and other running processes. Therefore, it might take some time before a code review has been processed and the results are available.
• Because of the above, in busy moments, like finished code just before the deadline, the situation can arise that the automatic code review is performed after the moment that the new source code was approved for release. This means that possible fixes are detected afterwards and must be implemented at a later moment. Try to manage your approval & release process in such a way to minimize this from happening.

If you would like to checkout SonarQube in action, visit https://sonarqube.com/ for reports on real open source projects.

The technical part

Installing SonarQube on Windows Server 2012R2

I’ve had some problems getting SonarQube running by following the default installation instructions, therefore I provide the steps I needed to get SonarQube Version 6.0 running on my system.

Prerequisites

For my personal situation I decided to install SonarQube on a Windows Server 2012R2 edition by creating a virtual machine hosted in Windows Azure. There are 2 requirements which should be taken care of:

1) Download & Install the Java JRE package from the Oracle Java download page. Just install it with your personal preferences or default settings and you should be good to go.

2) Choose a database system. I’ve installed SQL Server 2014 Express with Tools and Service Pack 2.

• Change the default collation setting during installation to case sensitive and accent-sensitive like Latin1_General_CS_AS. (It’s also possible to create a single database with this setting)
• I’ve changed the authentication to “SQL Server authentication and windows authentication” to get the first configuration steps working. (After configuring the service, I switched back to Windows authentication only)

Install SonarQube

Now we can go ahead and install SonarQube on the system with the steps & remarks below:

1) Download and install SonarQube

• Download page: http://www.sonarqube.org/downloads/
• Installation instructions: http://docs.sonarqube.org/display/SONAR/Installing+the+Server, but follow the steps below for more guidance.
• Unpack the contents of the package to a preferred location like “c:\sonarqube\”

2) Setup a fresh database

• Using the SQL Server management studio, create a new & empty database.
• Create a SQL user account like “SonarQube”, assign it to the database and give it user permissions to create, update and delete objects.
• I had some problems understanding the “The charset of the database has to be set to “UTF-8” remark. After reading a few blogs like SQL Server and UTF-8 Encoding (1) -True or False, it seems there is no setting you have to change for this. Everything worked ok for me, by just ignoring this remark.

3) Configure the TCP/IP protocol in the SQL Server Configuration Manager

Somehow this step is completely missing from the SonarQube installation wiki. I did not get SonarQube working until I’ve implemented these changes. I found them at Setting up SonarQube with SQL Server on Windows

• Enable TCP/IP for the SQL instance in the SQL Server Configuration Manager.
• Set the TCP Port for all IP addresses to 1433.

4) Update the SonarQube configuration

• Edit the <install_directory>/conf/sonar.properties file to contain our database settings. Just set the username and password as we’ve created earlier and update the url with the name of the database.

5) Run SonarQube for the first time

• Now everything has been setup correctly, you should be able to startup SonarQube for the first time by running <install_directory>/bin/windows-x86-XX/StartSonar.bat
• After the database has been provisioned you can open your browser and navigate to http://localhost:9000
• If anything goes wrong, check the log file at <install_directory>/logs/sonar.log

Run SonarQube as Windows service

Now we’ve made sure the platform is running it’s wise to run SonarQube as a windows service.

1) Stop the current command line instance of SonarQube by pressing ctrl-c in the command line window running SonarQube and wait until all processes have been ended.

2) Configuring integrated security

To run SonarQube as a service it’s good practice to use integrated security.

• Download the Microsoft SQL JDBC Driver package from http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11774 , extract it and find the sqljdbc_auth.dll file. You have to copy the 32 bit or 64 bit version of the dll depending upon the architecture of your server machine.
• Copy this dll file to a location that has been specified in your %path% variable or add a new path.
• Remove (disable) the login name and password from the <install_directory>/conf/sonar.properties
• Install the Windows service by executing <install_directory>/bin/windows-x86-xx/InstallNTService.bat
• Configure the SonarQube service via the windows services configuration panel to use a specific service account which has also been given the appropriate database rights (db_owner) in SQL server.

3) Running SonarQube via the Service

• Start the service
• Check <install_directory>/logs/sonar.log for progress and possible issues
• Browser and navigate to http://localhost:9000

Analyzing your code for the first time

Now the SonarQube platform is running its time to scan our project for the first time. Before we can do this, make sure that the plugins for our programming language have been installed (c# and javascript are available by default) and we need to choose an analysis method. The default documentation turned out to be sufficient and the update center works as a charm!

• Documentation of the update center to install plugins: http://docs.sonarqube.org/display/SONAR/Update+Center
• Documentation for using the default command line analysis scanner:
  http://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner
• Adding the <install_directory>/bindirectory of the scanner to the path variable was enough to get the scanner working.
• Add a sonar-project.properties file to the root of your project
• Run the “Sonar-scanner” from the command line in the base root of the project

That’s it. A few moments after the scan has been finished, you should be seeing the first results in the SonarQube dashboard.

I hope this article helped you to get introduced & started with SonarQube. If it’s an option for you, start implementing it in your projects to improve your team’s code quality!

REFERENCES:

• http://www.sonarqube.org/
• http://docs.sonarqube.org/display/HOME/Developers%27+Seven+Deadly+Sins
• https://reachmnadeem.wordpress.com/2013/11/17/why-sonarqube/
• http://dotnetthoughts.net/setting-up-sonarqube-with-sql-server-on-windows/
• https://blogs.msdn.microsoft.com/qingsongyao/2009/04/10/sql-server-and-utf-8-encoding-1-true-or-false/
• http://stackoverflow.com/questions/32994923/sonarqube-running-as-a-windows-service-on-sql-server-with-integrated-authenticat
• http://www.computerhope.com/issues/ch000549.htm