How To Integrate Sonarqube With RazorOps CICD

Created by Shiva G, Modified on Mon, 24 Jul, 2023 at 7:07 AM by Shyam Mohan K


    SonarQube is an open-source platform that is designed to help developers in monitoring the quality of their source code. It provides continuous code inspection and analysis to detect and report any code smells, bugs, vulnerabilities, and security issues that might impact the quality of the code.


    SonarQube supports multiple programming languages such as Java, C#, JavaScript, Python, PHP, and many others. It integrates with different build tools and CI/CD pipelines, making it easy to automate the code analysis process. The platform provides detailed reports and metrics, enabling developers to track the evolution of their code quality over time and prioritize their efforts on the most critical issues.


    Overall, SonarQube is an essential tool for ensuring that code quality is maintained, reducing the chances of errors, and ultimately improving the reliability and maintainability of software applications.









Block Diagram 





Razorops enables the implementation of SonarQube to analyze code quality by detecting bugs,     duplicates, vulnerabilities, and code smells. This can be achieved by configuring multiple parallel steps in the Razorops YAML file.


        Quality Gates:


            Quality Gates are a feature that allows users to define specific conditions that must be met in order for a project to be considered of acceptable quality. These conditions can include metrics related to code coverage, code duplication, coding standards, and potential security vulnerabilities. Quality Gates provide a way to automate the process of ensuring that software projects meet certain quality standards before they are released. When a project is analyzed by SonarQube, it is evaluated against the defined Quality Gate criteria, and a pass or fail status is assigned accordingly.

Security : 


            In SonarQube, Security refers to the ability of the tool to identify potential security         vulnerabilities in source code. SonarQube has a built-in set of security rules that can detect a variety of security-related issues such as SQL injection, cross-site scripting (XSS), and sensitive data exposure.

                    SonarQube also integrates with several security-focused plugins that can extend its capabilities. For example, the OWASP Dependency-Check plugin can identify security vulnerabilities in third-party libraries, while the Snyk plugin can detect vulnerabilities in open-source dependencies.


Issues : 

        While running an analysis, SonarQube raises an issue every time a piece of code breaks a coding rule. The set of coding rules is defined through the associated Quality Profile for each language in the project.


Issue Types

There are three types of issues:

  1. Bug – A coding mistake that can lead to an error or unexpected behavior at runtime.

  2. Vulnerability – A point in your code that's open to attack.

  3. Code Smell – A maintainability issue that makes your code confusing and difficult to maintain.


Installation steps of SonarQube


Linux OS(ubuntu) (here we use aws EC2 instance as sonarqube server)


  1. Download SonarQube latest verions 


cd /opt  

wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-x.x.zip

 


  1. extract packages


unzip /opt/sonarqube-x.x.zip


  1. Change ownership to the user and Switch to Linux binaries directory to start service


Useradd sonar_user


chown -R <sonar_user>:<sonar_user_group> /opt/sonarqube-x.x

cd /opt/sonarqube-x.x/bin/linux-x86-64

./sonar.sh start


  1. Connect to the SonarQube server through the browser. It uses port 9000.

Note: Port should be opened in the Security group

http://<Public-IP>:9000





Testing process of Java code( sample Java project )

Repo for testing code quality : Razorops-code / javaloginapp 

(https://github.com/Razorops-code/javaloginapp)


Create project in SonarQube:


 Click on  AddProject > Project key > DisplayName > ProvideToken > GenerateToken 



Project key:








Display Name :




Provide Token Name and Generate Token



Next we select code related language (Ex: maven):








We get CLI commands for running project 


   

  mvn sonar:sonar \

-Dsonar.projectKey=testing \

-Dsonar.host.url=http://65.2.9.93:9000 \

-Dsonar.login=13f3308ed7250313208d102344be94adf6df9ed4




  • We configured these commands in the rozarops tool to facilitate the CI process


Here we take sample application for test purpose <javaloginapp>

Here we can write razorops.yaml file for build and test code quality :


.razorops.yaml:

 



tasks:

build-deps:

runner: razorci/openjdk:11-buster

steps:

- checkout

- commands:

- |

mvn sonar:sonar \

-Dsonar.projectKey=testing \

-Dsonar.host.url=http://65.2.9.93:9000 \

-Dsonar.login=13f3308ed7250313208d102344be94adf6df9ed4




BUILD PROCESS 


Login to razorops dashboard → select the source code from github → click on build now 


Then build the job …. Upon successful completion of the build process, the code will be cloned from the repository and tested in SonarQube. The resulting dashboard will display various metrics such as quality gates, code bugs, code smells, vulnerabilities, and security hotspots. show in bellow










Testing process of ruby code( sample ruby project )


Repo for testing code quality : Razorops-code / rails-sample-app-ruby 

(https://github.com/Razorops-code/rails-sample-app-ruby.git)


Follow the same steps as above for create a new project in SonarQube


Click on add project > assign a name for project > assign a name for token >

Select code which u want to select same option for (python,.Net , Ruby, php…Etc)



Here we select ruby code for testing code quality and bugs … etc 


For continuous integration we use RAZOROPS tool it cloud be more useful and user friendly compare to other tools 



We create .razorops.yaml file with sonarqube code for checking code quality of RUBY project


We use YAML code that is 


tasks:

rails-ruby-sonar-job:

runner: sonarsource/sonar-scanner-cli

steps:



- checkout

- commands:

- |

sonar-scanner \

-Dsonar.projectKey=rails-ruby \

-Dsonar.sources=. \

-Dsonar.host.url=http://65.2.9.93:9000 \

-Dsonar.login=05eb97d989880ebb3cd970186c4db2e2ba1e132b


In RAZOROPS we create NEW pipeline and setup github ruby repository when we Run build now it could automatically clone the repo and test code . when it executed successfully it show like 






And automatically show the entire info on SonarQube Dashboard….









Testing process of Python code( sample Python project )


Follow the same steps as above for create a new project in SonarQube


Repo for testing code quality : Razorops-code / python-flask-demo 

(https://github.com/Razorops-code/python-flask-demo.git)



Click on add project > assign a name for project > assign a name for token >

Select code which u want to select same option for (python,.Net , Ruby, php…Etc)



Here we select Python code for testing code quality and bugs … etc 


For continuous integration we use RAZOROPS tool it cloud be more useful and user friendly compare to other tools 

We create .razorops.yaml file with sonarqube code for checking code quality of Python project


We use YAML code that is 


tasks:

rails-ruby-sonar-job:

runner: sonarsource/sonar-scanner-cli

steps:



- checkout

- commands:

- |

sonar-scanner \

-Dsonar.projectKey=python-app \

-Dsonar.sources=. \

-Dsonar.host.url=http://65.2.9.93:9000 \

-Dsonar.login=1bf58d2febae4a22923ce11d284d4d86f48d3f3f



      When creating a new pipeline in RAZOROPS and setting up a GitHub Python repository, the build process can automatically clone the repository and test the code. If the build process is successful, it shows like bellow 










And automatically shows entire info on SonarQube Dashboard  






Conclusion :


        Integrating SonarQube with RazorOps CI/CD pipeline is a simple and effective way to ensure code quality and reduce technical debt. This integration involves setting up a SonarQube instance, configuring the pipeline to run SonarQube analysis on the code, and viewing the analysis results in the SonarQube dashboard.

        

        To integrate SonarQube with RazorOps, you need to have a SonarQube instance running and have access to its token and URL. You also need to have a basic understanding of RazorOps and SonarQube concepts.


        Once you have met the prerequisites, you can follow the step-by-step instructions provided in the RazorOps tutorial to configure the pipeline to run SonarQube analysis on the code, view the analysis results in the SonarQube dashboard


        By integrating SonarQube with RazorOps, you can ensure that your code meets the highest standards of quality and security, and reduce the risk of technical debt. The integration also provides valuable insights into code complexity, maintainability, and reliability, helping you make informed decisions about code improvements and refactoring.





    If you require assistance with this guide, please feel free to ask for help by booking a ticket here.






Visit and Signup - https://razorops.com/



Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article