
Making SonarQube work for you

In a perfect world, all code would be perfect too, but in the real world that is rarely the case: code that you or your colleagues write will always have a flaw or two that sneaks in when you're not looking. SonarQube is a tool that aims to shine a light on those flaws and gives you a way of enforcing your code quality standards as part of your CI/CD process, so you can keep quality high even as your project grows and changes over time.

In this session, I'll be taking you through what SonarQube does and how you can customise it to fit your project and process. SonarQube has support baked in for analysing a wide variety of languages and technologies, and I'll be talking about how you can customise the rules and quality standards being applied to focus only on the problems you care about. I'll also be going over how you can extend SonarQube to support additional languages and technologies and how to integrate it with your existing CI/CD tools. Finally, I'll cover some problems my colleagues and I have run into while introducing SonarQube into our organisation, and will offer some ways to solve them.

Peter Roberts

March 02, 2019

Transcript

  1. +44 1274 300 175 blackmarble.com Making SonarQube work for you

  2. Peter Roberts, @sarkimedes, peterwynroberts.com, Black Marble

  3. What is SonarQube?

  4. What is SonarQube?
     • Static code analyser
     • Designed for continuous analysis
     • Wires into build pipeline and can give metrics over time
     • Runs on cloud or on-prem

  5. Why use SonarQube? 3 reasons:
     • Fewer bugs
       • Catch programming errors before they make it into production
     • Better code quality
       • Better maintainability, testability etc.
       • Less technical debt
     • Easier governance
       • Provides a central place to surface metrics
       • Makes it easy to apply consistent standards across projects

  6. A brief look at SonarQube

  7. SonarLint
     • Plugin for:
       • Visual Studio
       • Visual Studio Code
       • Eclipse
       • IntelliJ
     • Allows you to connect your IDE to SonarQube to get feedback as you write code

  8. How to analyse a project
     • Quick and dirty approach: run analysis via the command line
     • Recommended approach: run analysis as part of CI pipeline

  9. How often do I need to run analysis?
     • Ideally: at least every commit to main/trunk/master
     • Depends on how frequent that is
     • Running analysis will add some time to your build pipeline
     • If server is getting overloaded, consider running nightly
     • If using Git, consider adopting a pull request workflow and running analysis on commits to master
     • Also allows you to fail pull requests on quality gate failure

  10. Demo: Analysing a project in Azure DevOps

  11. (no transcript text on this slide)

  12. Customising rulesets
     • Rules can be suppressed via the web interface, or
     • Suppressed in code:
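The slide above introduces in-code suppression without showing it; the following is an added example (not from the slides) of the two forms SonarQube's Java analyzer understands. The class and method names are made up, and rules S1135 ("Track uses of TODO tags") and S106 ("Standard outputs should not be used directly to log anything") are used only as illustrations.

```java
// Added example (not from the slides): two in-code suppressions in Java source.
// Rules S1135 (TODO tags) and S106 (direct use of System.out) are only
// illustrations; class and method names are made up.
package example;

public final class ReportWriter {

    // 1. Annotation: silences the named rule for the annotated element only.
    //    The key prefix depends on the analyzer version: "squid:S1135" on older
    //    SonarJava releases, "java:S1135" on newer ones.
    @SuppressWarnings("java:S1135")
    public void writeHeader(StringBuilder out) {
        // TODO: make the header configurable
        out.append("# report\n");
    }

    // 2. Line marker: a NOSONAR comment hides every issue raised on that line,
    //    whatever the rule, so record the reason next to it.
    public void writeFooter(StringBuilder out) {
        System.out.println("report written"); // NOSONAR: console output is intended in this CLI tool
        out.append("# end\n");
    }
}
```

Both forms remove the issue from SonarQube entirely, so nobody looking at the project sees that a finding was waived. Marking an issue as "false positive" or "won't fix" in the web interface keeps it listed together with who resolved it and why, which is the better choice for security rules; the Java rule set also contains a rule that tracks NOSONAR comments, which can be enabled to keep in-code waivers visible.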
  13. Extending SonarQube

  14. XPath rules
     • Can be added directly to the server
     • Only supported on a few project types: XML, Python, PL/I, PL/SQL, Flex

  15. Linking in Roslyn analyzers
     • Rules put in by Roslyn analyzer packages also appear in SonarQube when running with Azure DevOps build steps

  16. Demo: Roslyn Analyzers

  17. Writing a custom plugin
     • 2 approaches:
       • Take data in from other tool
       • Write code parser from scratch
     • Plugins are written in Java
     • Saved as .jar files on the SonarQube server

  18. Plugins: Taking output from other tools
     • If already using another tool to analyse code metrics
     • Allows you to surface metrics from that tool in SonarQube and use
     • Requires some translation between tool output and SonarQube issues

  19. Plugin class
     • Root of plugin project
     • Important parts: Rules Definition, Sensor

  20. Rules Definition
     • Repository of rules used by SonarQube to perform analysis
     • Rules are loaded in via XML

  21. Sensor
     • Reading issues in from XML path
     • Creates new issue on Rules Definition

  22. Rule XML format
     • Name and description are used in SonarQube web UI
     • Remediation function is used to estimate fix time

  23. Issue XML format
     • Not set by SonarQube
     • Used here to try to match internal SonarQube models
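Slides 19 to 23 describe the plugin's parts without code, so here is an added example of that structure (my own code, not the talk's): a Plugin class that registers a Rules Definition loading its repository from a rules.xml resource, and a Sensor that reads an XML report produced by an external tool and creates one SonarQube issue per entry. The tool name "mytool", the scanner property `sonar.mytool.reportPath`, the rules.xml content and the report format are all assumptions made up for the example; only the SonarQube plugin API calls are real.

```java
// Added example (not the talk's code): a minimal SonarQube plugin with the three
// parts the slides name. Both inputs are made up for the example:
//   rules.xml, packaged in the jar and read by RulesDefinitionXmlLoader:
//     <rules><rule><key>unchecked-input</key><name>Request input must be validated</name>
//       <description>Request data is used without validation.</description>
//       <severity>MAJOR</severity><type>VULNERABILITY</type>
//       <remediationFunction>CONSTANT_ISSUE</remediationFunction>
//       <remediationFunctionBaseEffort>15min</remediationFunctionBaseEffort></rule></rules>
//   tool report (our own format, not one SonarQube defines), path given to the scanner
//   as -Dsonar.mytool.reportPath=<file relative to the project base dir>:
//     <issues><issue rule="unchecked-input" file="src/main/java/App.java" line="42"
//                    message="request parameter used without validation"/></issues>
package example.sonar;

import java.io.*;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.sonar.api.Plugin;
import org.sonar.api.batch.fs.*;
import org.sonar.api.batch.sensor.*;
import org.sonar.api.batch.sensor.issue.NewIssue;
import org.sonar.api.rule.RuleKey;
import org.sonar.api.server.rule.*;
import org.w3c.dom.*;

/** Plugin class: root of the plugin, registers the other two parts with SonarQube. */
public class MyToolPlugin implements Plugin {
    static final String REPOSITORY_KEY = "mytool";                        // placeholder tool name
    static final String LANGUAGE_KEY = "java";
    static final String REPORT_PATH_PROPERTY = "sonar.mytool.reportPath"; // assumed property

    @Override
    public void define(Plugin.Context context) {
        context.addExtensions(MyToolRulesDefinition.class, MyToolSensor.class);
    }

    /** Rules Definition: the repository of rules SonarQube analyses against, loaded from rules.xml. */
    public static class MyToolRulesDefinition implements RulesDefinition {
        @Override
        public void define(RulesDefinition.Context context) {
            RulesDefinition.NewRepository repo =
                context.createRepository(REPOSITORY_KEY, LANGUAGE_KEY).setName("MyTool");
            try (Reader xml = new InputStreamReader(
                    getClass().getResourceAsStream("/rules.xml"), StandardCharsets.UTF_8)) {
                new RulesDefinitionXmlLoader().load(repo, xml);
            } catch (IOException e) {
                throw new IllegalStateException("cannot read rules.xml", e);
            }
            repo.done();
        }
    }

    /** Sensor: reads the tool's report and creates one issue per entry on the repository above. */
    public static class MyToolSensor implements Sensor {
        @Override
        public void describe(SensorDescriptor descriptor) {
            descriptor.name("MyTool report importer").onlyOnLanguage(LANGUAGE_KEY);
        }

        @Override
        public void execute(SensorContext context) {
            String reportPath = context.config().get(REPORT_PATH_PROPERTY).orElse(null);
            if (reportPath == null) {
                return; // property not set for this project: nothing to import
            }
            FileSystem fs = context.fileSystem();
            NodeList entries = parse(new File(fs.baseDir(), reportPath)).getElementsByTagName("issue");
            for (int i = 0; i < entries.getLength(); i++) {
                Element entry = (Element) entries.item(i);
                // Map the report's path onto the analysed sources; entries for files outside
                // the project (generated code, vendored libraries) are skipped, not fatal.
                InputFile file = fs.inputFile(fs.predicates().hasRelativePath(entry.getAttribute("file")));
                if (file == null) {
                    continue;
                }
                NewIssue issue = context.newIssue()
                    .forRule(RuleKey.of(REPOSITORY_KEY, entry.getAttribute("rule")));
                issue.at(issue.newLocation()
                        .on(file)
                        .at(file.selectLine(Integer.parseInt(entry.getAttribute("line"))))
                        .message(entry.getAttribute("message")))
                    .save();
            }
        }

        /** The report is build output, i.e. untrusted input: parse with DTDs and external entities off. */
        private static Document parse(File report) {
            try {
                DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
                factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
                factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                return factory.newDocumentBuilder().parse(report);
            } catch (Exception e) {
                throw new IllegalStateException("cannot parse report " + report, e);
            }
        }
    }
}
```

The built jar goes into the server's extensions/plugins directory, as slide 17 says. Two things to check before expecting issues to appear: the rule keys in the report must match keys in rules.xml, and those rules must be activated in the quality profile used by the project, because SonarQube drops issues raised for inactive rules. Hardening the XML parser matters here because the report is produced by a build step, and anything that can write to the build workspace can write to it.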
  24. Plugins: Writing from scratch
     • Requires you to be able to build an abstract syntax tree for your language of choice
     • SonarQube SDK has some tooling to help with this
     • Still a complex undertaking, so 90% of the time there are easier options

  25. Introducing SonarQube to your organisation

  26. Step 1: Buy-in
     • The most important thing when trying to bring new tooling in is getting buy-in from the people it's going to affect
     • Before starting to enforce rules and quality gates, everyone needs to agree on what the rules are
     • Avoid imposing new rules and standards on people

  27. Step 2: Adding it to a project
     • Quite a few different approaches
     • How strict do you want to be?
     • How big a project do you want to start with?
     • Avoid information overload:
       • Start with a smaller/younger project
       • Turn on fewer rules / more lenient quality gates
       • Only enforce quality gates on new code

  28. Editions
     • 5 different versions available:
       • On-prem: Community, Developer, Enterprise, Data Center
       • Cloud: SaaS offering, similar to Developer edition; hosted in Germany
     • Pricing based on SKU and lines of code
       • LOC counted by SonarQube when it does an analysis

  29. Version differences (Community, Developer, Enterprise and Data Center are on-prem)

     Feature             | Community | Developer           | Enterprise              | Data Center    | Cloud
     Price               | Free      | €120 - €50,000 p.a. | €15,000 - €180,000 p.a. | €100,000+ p.a. | Free (public), €10-€4000 p.c.m. (private)
     Min/max LOC         | -         | 100K - 20M          | 1M - 100M               | 20M+           | 100K - 20M
     Extensions          | Yes       | Yes                 | Yes                     | Yes            | No
     Custom rulesets     | Yes       | Yes                 | Yes                     | Yes            | Yes
     Branch analysis     | No        | Yes                 | Yes                     | Yes            | Yes
     Governance features | No        | No                  | Yes                     | Yes            | No
     High availability   | No        | No                  | No                      | Yes            | No

  30. Language coverage
     • Community: Java, JavaScript, C#, TypeScript, Kotlin, Ruby, Go, Scala, Flex, Python, PHP, HTML, CSS, XML, VB.NET
     • Developer: C/C++, Objective-C, T-SQL, ABAP, PL/SQL, Swift, Apex (cloud only)
     • Enterprise: Apex, COBOL, PL/I, RPG, VB6

  31. What version do I need?
     • How many LOC do you have?
     • Do you need branch analysis, high availability etc.?

  32. Questions