SonarQube is an open-source platform designed to help developers monitor the quality of their source code. It provides continuous code inspection and analysis to detect and report code smells, bugs, vulnerabilities and security issues that might affect the quality of the code.
SonarQube supports multiple programming languages such as Java, C#, JavaScript, Python, PHP, and many others. It integrates with different build tools and CI/CD pipelines, making it easy to automate the code analysis process. The platform provides detailed reports and metrics, enabling developers to track the evolution of their code quality over time and prioritize their efforts on the most critical issues.
Overall, SonarQube is an essential tool for ensuring that code quality is maintained, reducing the chances of errors, and ultimately improving the reliability and maintainability of software applications.
Block Diagram
Razorops can run SonarQube analysis as part of a pipeline to detect bugs, duplicated code, vulnerabilities and code smells. This is done by configuring the analysis as steps (which can run in parallel with other tasks) in the .razorops.yaml file.
Quality Gates:
Quality Gates are a feature that allows users to define specific conditions that must be met for a project to be considered of acceptable quality. These conditions can include metrics related to code coverage, code duplication, coding standards and potential security vulnerabilities. Quality Gates provide a way to automate the process of ensuring that software projects meet certain quality standards before they are released. When a project is analyzed by SonarQube, it is evaluated against the defined Quality Gate criteria, and a pass or fail status is assigned accordingly. Note that the scanner itself exits successfully regardless of the gate result: if a failed gate should fail the CI build, the pipeline has to check the gate status after the analysis (or run the scanner with -Dsonar.qualitygate.wait=true, which makes it poll the server and exit non-zero on a failed gate).
Security:
In SonarQube, Security refers to the ability of the tool to identify potential security vulnerabilities in source code. SonarQube has a built-in set of security rules that can detect a variety of security-related issues such as SQL injection, cross-site scripting (XSS), and sensitive data exposure.
SonarQube also integrates with several security-focused plugins that can extend its capabilities. For example, the OWASP Dependency-Check plugin can identify security vulnerabilities in third-party libraries, while the Snyk plugin can detect vulnerabilities in open-source dependencies.
Issues:
While running an analysis, SonarQube raises an issue every time a piece of code breaks a coding rule. The set of coding rules is defined through the associated Quality Profile for each language in the project.
Issue Types
There are three types of issues:
Bug – A coding mistake that can lead to an error or unexpected behavior at runtime.
Vulnerability – A point in your code that's open to attack.
Code Smell – A maintainability issue that makes your code confusing and difficult to maintain.
In addition to issues, SonarQube flags Security Hotspots: security-sensitive code that is not necessarily a vulnerability but must be reviewed manually. They appear as a separate count on the dashboards shown later in this guide.
Installation steps of SonarQube
Linux (Ubuntu); here an AWS EC2 instance is used as the SonarQube server.
Download the latest SonarQube release (replace x.x with the version you are installing):
cd /opt
wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-x.x.zip
Extract the package:
unzip /opt/sonarqube-x.x.zip
Create a dedicated user and give it ownership of the installation. SonarQube (and the Elasticsearch it embeds) refuses to start as root, so the service must be started as that user. On a fresh Ubuntu host also raise the kernel limits Elasticsearch requires (vm.max_map_count to at least 524288 and fs.file-max to at least 131072 via sysctl), otherwise the first start fails. Then switch to the Linux binaries directory and start the service:
useradd sonar_user
chown -R sonar_user:sonar_user /opt/sonarqube-x.x
cd /opt/sonarqube-x.x/bin/linux-x86-64
sudo -u sonar_user ./sonar.sh start
Connect to the SonarQube server through a browser on port 9000:
http://<Public-IP>:9000
Note: port 9000 must be opened in the instance's security group. Open it only to the CI runners and administrators that need it rather than to 0.0.0.0/0, and change the default admin / admin credentials at first login: the server holds a copy of every analysed code base and issues the tokens the pipelines authenticate with.
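The steps above as one script, added here as an example (it is not Razorops' or SonarSource's code). It adds the two checks a first install usually trips over: the kernel limits the embedded Elasticsearch enforces, and the refusal to run as root that the chown step exists for, then starts the service as the dedicated user and waits for the web API to report UP. It assumes, beyond what the page states, that SONAR_VERSION names the release to install (the page writes x.x), that sudo, wget, unzip and curl are present, and that a JDK supported by that release is already installed.

```shell
#!/usr/bin/env bash
# Added example, not from the Razorops page: the install steps above as one script,
# with the pre-flight checks SonarQube itself enforces. Assumed, not from the page:
# SONAR_VERSION names the release to install (the page writes x.x); sudo, wget, unzip
# and curl exist; a JDK supported by that release is already installed.
set -eu

SONAR_USER="${SONAR_USER:-sonar_user}"   # the account the page creates with useradd
SONAR_VERSION="${SONAR_VERSION:-}"
INSTALL_ROOT="${INSTALL_ROOT:-/opt}"
SONAR_PORT=9000

# SonarQube's embedded Elasticsearch refuses to start below these kernel limits.
# The values are arguments so the check can run (and be tested) without root.
check_kernel_limits() {   # usage: check_kernel_limits <vm.max_map_count> <fs.file-max>
  [ "$1" -ge 524288 ] || { echo "vm.max_map_count=$1 is below 524288" >&2; return 1; }
  [ "$2" -ge 131072 ] || { echo "fs.file-max=$2 is below 131072" >&2; return 1; }
}

# SonarQube refuses to run as root, which is why the page chowns /opt/sonarqube-x.x
# to a dedicated user before starting it.
check_not_root() {        # usage: check_not_root <uid>
  [ "$1" -ne 0 ] || { echo "SonarQube must not run as root" >&2; return 1; }
}

# Extract "status" from /api/system/status, e.g. {"id":"...","version":"...","status":"UP"}.
# Possible values: STARTING, UP, DOWN, RESTARTING, DB_MIGRATION_NEEDED, DB_MIGRATION_RUNNING.
server_status() {         # usage: server_status <json>
  printf '%s' "$1" | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p'
}

install_sonarqube() {
  : "${SONAR_VERSION:?set SONAR_VERSION to the version in the zip name on binaries.sonarsource.com}"
  local dir="$INSTALL_ROOT/sonarqube-$SONAR_VERSION"
  check_kernel_limits "$(sysctl -n vm.max_map_count)" "$(sysctl -n fs.file-max)" || {
    # persist the limits so they survive a reboot of the EC2 instance
    printf 'vm.max_map_count=524288\nfs.file-max=131072\n' | sudo tee /etc/sysctl.d/99-sonarqube.conf >/dev/null
    sudo sysctl --system >/dev/null
  }
  id -u "$SONAR_USER" >/dev/null 2>&1 || sudo useradd --system --shell /usr/sbin/nologin "$SONAR_USER"
  cd "$INSTALL_ROOT"
  [ -d "$dir" ] || {
    sudo wget -q "https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-$SONAR_VERSION.zip"
    sudo unzip -q "sonarqube-$SONAR_VERSION.zip" && sudo rm -f "sonarqube-$SONAR_VERSION.zip"
  }
  sudo chown -R "$SONAR_USER:$SONAR_USER" "$dir"
  check_not_root "$(id -u "$SONAR_USER")"
  sudo -u "$SONAR_USER" "$dir/bin/linux-x86-64/sonar.sh" start
}

# Poll until the web UI reports UP (the first start is slow while Elasticsearch indexes).
wait_until_up() {         # usage: wait_until_up [timeout_seconds]
  local left="${1:-300}"
  while [ "$left" -gt 0 ]; do
    if [ "$(server_status "$(curl -s "http://127.0.0.1:$SONAR_PORT/api/system/status" || true)")" = "UP" ]; then
      echo "SonarQube is up on port $SONAR_PORT; log in as admin and change the default password first"
      return 0
    fi
    sleep 5; left=$((left - 5))
  done
  echo "SonarQube did not come up; check $INSTALL_ROOT/sonarqube-$SONAR_VERSION/logs/" >&2
  return 1
}

# Run the install only when asked for explicitly, so the file can also be sourced for its checks.
[ "${1:-}" != "install" ] || { install_sonarqube; wait_until_up; }
```

Run it as SONAR_VERSION=<version> ./install-sonarqube.sh install on the EC2 host. The kernel limits are written to /etc/sysctl.d so they survive a reboot; the file limits for the sonar_user account (open files and processes) are set in /etc/security/limits.conf on Ubuntu and are not covered here.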
Testing process of Java code (sample Java project)
Repo for testing code quality : Razorops-code / javaloginapp
(https://github.com/Razorops-code/javaloginapp)
Create the project in SonarQube:
Click Add Project, enter the Project key and Display Name, then provide a token name and click Generate Token.
The generated token is the credential the scanner uses to publish results to your server. Treat it as a secret: store it as a CI secret or environment variable instead of committing it to the repository, and prefer an https:// host URL, since the token is sent with every scanner request.
Next, select the build technology of the project (here Maven).
SonarQube then shows the CLI command for running the analysis:
mvn sonar:sonar \
-Dsonar.projectKey=testing \
-Dsonar.host.url=http://65.2.9.93:9000 \
-Dsonar.login=13f3308ed7250313208d102344be94adf6df9ed4
This command is configured as a step in the Razorops pipeline so that the analysis runs as part of CI.
The sample application used for the test is javaloginapp. The .razorops.yaml file that builds it and checks code quality is:
.razorops.yaml:
tasks:
  build-deps:
    runner: razorci/openjdk:11-buster
    steps:
      - checkout
      - commands:
          - |
            mvn sonar:sonar \
              -Dsonar.projectKey=testing \
              -Dsonar.host.url=http://65.2.9.93:9000 \
              -Dsonar.login=13f3308ed7250313208d102344be94adf6df9ed4
BUILD PROCESS
Log in to the Razorops dashboard, select the source repository from GitHub and click Build now.
When the build completes successfully, the repository has been cloned and analysed by SonarQube. The SonarQube dashboard then shows the Quality Gate status, bugs, code smells, vulnerabilities and security hotspots, as shown below.
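The job above stops at uploading the analysis: the scanner exits 0 whether or not the project passes its Quality Gate, and the token is pasted into .razorops.yaml. The following script, added here as an example (it is not Razorops' or SonarSource's code), wraps either scanner so that the token comes from the environment and the job fails when the gate fails. It applies to this Java job and equally to the Ruby and Python jobs later on this page, because mvn sonar:sonar and sonar-scanner both write a report-task.txt pointing at the background task that computes the gate. It assumes SONAR_HOST_URL and SONAR_TOKEN are injected by the CI as environment variables (in Razorops, from a project secret) and that curl is available on the runner; those variable names are this example's, not the page's.

```shell
#!/usr/bin/env bash
# Added example for this page (not Razorops' or SonarSource's code): run the SonarQube
# analysis from a CI job with the token read from the environment, then fail the job
# unless the project's Quality Gate passed. Works for mvn sonar:sonar and sonar-scanner
# alike, because both write a report-task.txt with the server URL and background task id.
# Assumed, not from the page: SONAR_HOST_URL and SONAR_TOKEN are injected by the CI as
# environment variables (in Razorops, from a project secret); curl is on the runner.
set -eu

# Print one key from report-task.txt (keys include projectKey, serverUrl, ceTaskId, dashboardUrl).
report_task_value() {     # usage: report_task_value <report-task.txt> <key>
  sed -n "s/^$2=//p" "$1" | head -n1
}

# Print the FIRST string value of "<key>" in a JSON document. The first "status" in
# /api/qualitygates/project_status is the gate verdict; later ones belong to conditions.
json_first_string() {     # usage: json_first_string <json> <key>
  printf '%s' "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -n1 | cut -d'"' -f4
}

# Best-effort list of failing conditions' metric keys, relying on the API listing
# "status" directly before "metricKey" inside each condition object.
failing_conditions() {    # usage: failing_conditions <project_status json>
  printf '%s' "$1" | grep -o '"status":"ERROR","metricKey":"[^"]*"' | cut -d'"' -f8
}

# 0 when the gate is OK, 1 otherwise (ERROR, or NONE when no gate has been computed).
gate_passed() {           # usage: gate_passed <project_status json>
  [ "$(json_first_string "$1" status)" = "OK" ]
}

# Authenticated GET: a user token is sent as the basic-auth user name with an empty password.
sonar_get() {             # usage: sonar_get <url>
  curl -sSf -u "$SONAR_TOKEN:" "$1"
}

# Block until the server has processed the uploaded report, then return the gate verdict.
wait_for_quality_gate() { # usage: wait_for_quality_gate <report-task.txt> [timeout_seconds]
  local report="$1" left="${2:-300}" server task_id task analysis status
  server=$(report_task_value "$report" serverUrl)
  task_id=$(report_task_value "$report" ceTaskId)
  while :; do
    task=$(sonar_get "$server/api/ce/task?id=$task_id")
    case "$(json_first_string "$task" status)" in
      SUCCESS) break ;;
      FAILED|CANCELED) echo "background task $task_id ended in $(json_first_string "$task" status)" >&2; return 2 ;;
    esac
    left=$((left - 5)); [ "$left" -gt 0 ] || { echo "timed out waiting for task $task_id" >&2; return 2; }
    sleep 5
  done
  analysis=$(json_first_string "$task" analysisId)
  status=$(sonar_get "$server/api/qualitygates/project_status?analysisId=$analysis")
  if gate_passed "$status"; then
    echo "Quality Gate OK: $(report_task_value "$report" dashboardUrl)"
  else
    echo "Quality Gate $(json_first_string "$status" status); failing conditions:" >&2
    failing_conditions "$status" >&2
    return 1
  fi
}

# Run the scanner that fits the checked-out repository, with the token from the environment.
run_analysis() {          # usage: run_analysis <projectKey>
  : "${SONAR_HOST_URL:?set SONAR_HOST_URL (use https://, the token travels in every request)}"
  : "${SONAR_TOKEN:?set SONAR_TOKEN from a CI secret; do not commit it to .razorops.yaml}"
  if [ -f pom.xml ]; then
    # SonarScanner 5 / SonarQube 10 renamed sonar.login to sonar.token; older scanners need sonar.login
    mvn -B sonar:sonar -Dsonar.projectKey="$1" -Dsonar.host.url="$SONAR_HOST_URL" -Dsonar.login="$SONAR_TOKEN"
    wait_for_quality_gate target/sonar/report-task.txt
  else
    sonar-scanner -Dsonar.projectKey="$1" -Dsonar.sources=. -Dsonar.host.url="$SONAR_HOST_URL" -Dsonar.login="$SONAR_TOKEN"
    wait_for_quality_gate .scannerwork/report-task.txt
  fi
}

# Only run when invoked as `./sonar-gate.sh <projectKey>`; the functions above can also be sourced.
[ $# -eq 0 ] || run_analysis "$1"
```

In the pipeline the commands step becomes ./sonar-gate.sh testing (the project key), with the token supplied by the CI rather than typed into the YAML. Recent scanners offer a built-in shortcut for the gate part: -Dsonar.qualitygate.wait=true makes the scanner itself poll the server and exit non-zero on a failed gate; the script is the equivalent for scanners that lack it and additionally prints which conditions failed.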
Testing process of Ruby code (sample Ruby project)
Repo for testing code quality : Razorops-code / rails-sample-app-ruby
(https://github.com/Razorops-code/rails-sample-app-ruby.git)
Follow the same steps as above to create a new project in SonarQube:
Click Add project, assign a project name, assign a token name and generate the token, then select the language or build type of the code (the same options cover Python, .NET, Ruby, PHP, etc.). Here Ruby is selected, so the analysis reports code quality, bugs and the other issue types for the Rails application.
Razorops is used for continuous integration; it is simpler to set up than most comparable tools.
The .razorops.yaml file that runs the SonarQube analysis of the Ruby project is:
tasks:
  rails-ruby-sonar-job:
    runner: sonarsource/sonar-scanner-cli
    steps:
      - checkout
      - commands:
          - |
            sonar-scanner \
              -Dsonar.projectKey=rails-ruby \
              -Dsonar.sources=. \
              -Dsonar.host.url=http://65.2.9.93:9000 \
              -Dsonar.login=05eb97d989880ebb3cd970186c4db2e2ba1e132b
In Razorops, create a new pipeline and connect the GitHub Ruby repository. Build now clones the repository and runs the analysis; a successful run looks like the following,
and the full results appear on the SonarQube dashboard.
Testing process of Python code (sample Python project)
Follow the same steps as above to create a new project in SonarQube.
Repo for testing code quality : Razorops-code / python-flask-demo
(https://github.com/Razorops-code/python-flask-demo.git)
Click Add project, assign a project name, assign a token name and generate the token, then select the language or build type of the code (the same options cover Python, .NET, Ruby, PHP, etc.). Here Python is selected, so the analysis reports code quality, bugs and the other issue types for the Flask application.
Razorops is used for continuous integration; it is simpler to set up than most comparable tools.
The .razorops.yaml file that runs the SonarQube analysis of the Python project is:
tasks:
  python-sonar-job:
    runner: sonarsource/sonar-scanner-cli
    steps:
      - checkout
      - commands:
          - |
            sonar-scanner \
              -Dsonar.projectKey=python-app \
              -Dsonar.sources=. \
              -Dsonar.host.url=http://65.2.9.93:9000 \
              -Dsonar.login=1bf58d2febae4a22923ce11d284d4d86f48d3f3f
When a new pipeline is created in Razorops and connected to the GitHub Python repository, the build automatically clones the repository and runs the analysis. A successful build looks like the following,
and the full results appear on the SonarQube dashboard.
Conclusion:
Integrating SonarQube with RazorOps CI/CD pipeline is a simple and effective way to ensure code quality and reduce technical debt. This integration involves setting up a SonarQube instance, configuring the pipeline to run SonarQube analysis on the code, and viewing the analysis results in the SonarQube dashboard.
To integrate SonarQube with RazorOps, you need to have a SonarQube instance running and have access to its token and URL. You also need to have a basic understanding of RazorOps and SonarQube concepts.
Once you have met the prerequisites, you can follow the step-by-step instructions in this guide to configure the pipeline to run SonarQube analysis on the code and view the analysis results in the SonarQube dashboard.
By integrating SonarQube with RazorOps, you can ensure that your code meets the highest standards of quality and security, and reduce the risk of technical debt. The integration also provides valuable insights into code complexity, maintainability, and reliability, helping you make informed decisions about code improvements and refactoring.
If you require assistance with this guide, please feel free to ask for help by booking a ticket here.
Visit and Signup - https://razorops.com/