Static Analysis of spring boot project through SonarQube & SonarScanner

Shristi Singh
4 min read · Oct 18, 2020


To understand what SonarQube is and why you should use it, the SonarQube team can teach you better than I can, so read their documentation until you feel dizzy! Their wording and the explanation of each configuration step are easy to comprehend. Build a thorough understanding there, and come back to this blog for an easy, step-by-step process to achieve static analysis.

ALL THE INSTALLATIONS

SonarQube

  • Download: https://www.sonarqube.org/downloads/
  • Unzip the downloaded archive, go to its /bin folder and then select the folder for your machine (for me D:\sonarqube-8.5.0.37579\bin\windows-x86-64, for a 64-bit machine).
  • Open a command prompt at that location.
  • Run the StartSonar.bat file: your SonarQube server is now up for the analysis of your project.
[Screenshot: running SonarQube — “SonarQube is up”]
  • After a successful start, open the SonarQube web UI at http://localhost:9000/. Here you can see a fresh welcome screen with 0 projects in the build history, and the Multi-Language section shows all the languages SonarQube supports.
[Screenshot: SonarQube service — home page]

SonarScanner

  • Download SonarScanner.
  • Unzip the downloaded archive.
  • Open the sonar-scanner.properties file, residing inside the “SonarScanner installation folder/conf” folder (for me in D:\sonar-scanner-4.5.0.2216-windows\conf), and add these lines (note that a comment must sit on its own line; appended to a value line it would become part of the value):
#----- Default SonarQube server
sonar.host.url=http://localhost:9000
sonar.projectKey=sonar-scanner
# path to the project which needs to be analyzed, the /src folder
sonar.sources=D:/myproject/Data-migration/java/elk2mongodb/src

Note: the sonar-scanner.properties file is project specific.

Read more here: https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner

  • Finally, add the path of the SonarScanner /bin folder to the environment variables.
[Screenshot: adding the path to the environment variables — up to the \bin folder]
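Before invoking the scanner it pays to sanity-check the properties file, because the scanner's properties files follow java.util.Properties syntax: `#` or `!` starts a comment only at the beginning of a line, so a note appended after a value silently becomes part of that value, and a token pasted into a shared file ends up committed. The following Python linter is an added example, not code from the original post or from SonarSource; the SAMPLE content, the token value and the helper names are constructed for illustration.

```python
"""Lint a SonarScanner properties file before running an analysis.

Added example, not part of the original post. It assumes the scanner's
properties files follow java.util.Properties syntax, where '#' or '!'
starts a comment only at the BEGINNING of a line, so text appended after
a value becomes part of that value.
"""
import re
import sys

REQUIRED_KEYS = ("sonar.host.url", "sonar.projectKey", "sonar.sources")

# Constructed sample: looks right at a glance but carries two problems.
SAMPLE = """\
#----- Default SonarQube server
sonar.host.url=http://localhost:9000
sonar.projectKey=sonar-scanner # path to the project sources
sonar.sources=D:/myproject/Data-migration/java/elk2mongodb/src
sonar.login=squ_constructed_token_value_for_the_example
"""


def parse_properties(text):
    """Parse the subset of java.util.Properties syntax scanner files use."""
    props = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue  # blank or comment: recognised only at line start
        # A trailing backslash continues the logical line onto the next one.
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].lstrip()
            i += 1
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).rstrip()
    return props


def lint_properties(props, user_level=False):
    """Return a list of findings; an empty list means the file looks sane."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(f"missing required key {key}")
    for key, value in props.items():
        if re.search(r"\s[#!]", value):
            findings.append(
                f"{key}: value {value!r} looks like it carries an inline comment; "
                "'#' and '!' only start a comment at the beginning of a line"
            )
    project_key = props.get("sonar.projectKey", "")
    if project_key and not (re.fullmatch(r"[\w.:-]+", project_key) and not project_key.isdigit()):
        findings.append(
            "sonar.projectKey may only use letters, digits, '-', '_', '.', ':' "
            "and must contain at least one non-digit"
        )
    host_url = props.get("sonar.host.url", "")
    if host_url and not re.match(r"https?://", host_url):
        findings.append("sonar.host.url must start with http:// or https://")
    if "sonar.login" in props and not user_level:
        findings.append(
            "sonar.login: keep tokens in user-level config (such as "
            "~/.gradle/gradle.properties) or the environment, not in a "
            "file that is shared or committed"
        )
    return findings


if __name__ == "__main__":
    # Usage: python lint_sonar_props.py [path/to/sonar-scanner.properties]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for finding in lint_properties(parse_properties(text)):
        print("WARN:", finding)
```

Run it against the conf file (or the project's sonar-project.properties) as a pre-step in the build; pass `user_level=True` only when linting a file that lives in your own home directory, where a token is acceptable.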

JAVA PROJECT CONFIGURATION | SONARQUBE PLUGIN

STEP 1: add the SonarQube plugin in Maven/Gradle according to your build tool

  • Gradle plugin in build.gradle:
plugins {
    id "org.sonarqube" version "3.0"
}
  • Maven plugin in pom.xml (it is a build plugin, so it belongs under build/plugins, not under dependencies):
<build>
    <plugins>
        <plugin>
            <groupId>org.sonarsource.scanner.maven</groupId>
            <artifactId>sonar-maven-plugin</artifactId>
            <version>3.7.0.1746</version>
        </plugin>
    </plugins>
</build>

Or take the coordinates from the Maven central repository: https://mvnrepository.com/artifact/org.sonarsource.scanner.maven/sonar-maven-plugin/3.7.0.1746

STEP 2: Assign global configuration

(For Maven)

Find settings.xml in the Maven installation folder or in the .m2 folder under your user home directory; this is the right place for global configuration. Now add these two sub-steps to it:

  • pluginGroup inside the pluginGroups tag:
<pluginGroups>
    <pluginGroup>org.sonarsource.scanner.maven</pluginGroup>
</pluginGroups>
  • add a profile in profiles:
<profiles>
    <profile>
        <id>sonar</id>
        <activation>
            <activeByDefault>true</activeByDefault>
        </activation>
        <properties>
            <!-- Optional URL to server. Default value is http://localhost:9000 -->
            <sonar.host.url>http://myserver:9000</sonar.host.url>
        </properties>
    </profile>
</profiles>

(For Gradle)

  • find gradle.properties at ~/.gradle/gradle.properties and add:
# gradle.properties
systemProp.sonar.host.url=http://localhost:9000

#----- Token generated from an account with 'publish analysis' permission
systemProp.sonar.login=<token>

STEP 3: Finally, perform the static analysis through the sonar plugin.

[For Maven]

  • Open your project through any IDE (I used STS).
  • Right-click on the project and build through Maven build:
[Screenshot: building a Maven project]
  • Run sonar:sonar in goals (but clean your project first by running ‘clean install’ in goals), skipping tests: skipped because I haven’t written any test cases. Finally click RUN.
[Screenshot: running Maven goals]

[For Gradle]

STEP 4: After a successful build,

go to http://localhost:9000 in your browser.

[Screenshot: landing page for SonarQube]

click on the number associated with the ‘Projects’ field (in my case ‘2’), which shows the count of all the projects analysed by you (previous + current).

This window shows the analysis report of the project you just built, which includes total ‘bugs’, ‘vulnerabilities’, ‘Hotspots’, ‘code smell’, ‘duplication’ and ‘lines’, but not ‘coverage’ for now, since we haven’t added configuration for it.

[Screenshot: static analysis report through SonarQube]

A detailed static analysis report can be found by clicking the project name. The issues which need to be checked and rectified are listed next to the ‘overview’ tab in the navigation bar; alternatively, click the number of issues associated with each ‘measure’.
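Reading the report in the browser is fine for one developer, but a CI job should fail on its own when the quality gate turns red (for instance on new vulnerabilities or unreviewed security hotspots). The script below is an added example, not code from the original post or from SonarSource: it queries the SonarQube Web API endpoint `/api/qualitygates/project_status`, authenticates with a user token sent as the HTTP Basic username with an empty password, and exits non-zero on failure. `SAMPLE_RESPONSE`, the metric values in it and the environment variable name `SONAR_TOKEN` are constructed for illustration.

```python
"""Fail a build when the SonarQube quality gate is not green.

Added example, not part of the original post. It calls the SonarQube Web API
endpoint /api/qualitygates/project_status and authenticates with a user token
sent as the HTTP Basic username with an empty password. SAMPLE_RESPONSE is a
constructed payload shaped like the endpoint's answer, not captured output.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request


def build_request(host_url, project_key, token=None):
    """Build the authenticated GET for a project's quality-gate status."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    req = urllib.request.Request(
        f"{host_url.rstrip('/')}/api/qualitygates/project_status?{query}"
    )
    if token:
        # SonarQube accepts the token as the Basic-auth user with no password.
        cred = base64.b64encode(f"{token}:".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    return req


def summarize_project_status(payload):
    """Reduce the API answer to (passed, [descriptions of failed conditions])."""
    status = payload["projectStatus"]
    failed = [
        f"{c['metricKey']} is {c.get('actualValue', '?')} "
        f"(threshold {c.get('comparator', '?')} {c.get('errorThreshold', '?')})"
        for c in status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return status["status"] == "OK", failed


def check_quality_gate(host_url, project_key, token=None, opener=urllib.request.urlopen):
    """Query the server and return (passed, failed_conditions)."""
    with opener(build_request(host_url, project_key, token), timeout=30) as resp:
        return summarize_project_status(json.load(resp))


# Constructed sample answer: one condition passes, two fail the gate.
SAMPLE_RESPONSE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_bugs",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "0"},
            {"status": "ERROR", "metricKey": "new_vulnerabilities",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "2"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
        ],
    }
}


if __name__ == "__main__":
    # Usage: SONAR_TOKEN=... python check_gate.py <projectKey> [hostUrl]
    host = sys.argv[2] if len(sys.argv) > 2 else "http://localhost:9000"
    passed, failed = check_quality_gate(host, sys.argv[1], os.environ.get("SONAR_TOKEN"))
    for line in failed:
        print("FAILED:", line)
    sys.exit(0 if passed else 1)
```

The token comes from the environment rather than from a file in the repository, matching the user-level gradle.properties placement above; the `opener` parameter exists so the network call can be swapped out in tests.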

[Screenshot: SonarQube analysis report]

Now this is a wrap on static analysis of a Spring Boot project (configured on git) through SonarQube using SonarScanner.

Give some claps if you enjoyed it. And follow for more technical blogs. Thanks & Regards.
