SonarQube in Action
()
About this ebook
SonarQube in Action shows developers how to use the SonarQube platform to help them continuously improve their source code. The book presents SonarQube's core Seven Axes of Quality: design/architecture, duplications, comments, unit tests, complexity, potential bugs, and coding rules. You'll find simple, easy-to-follow discussion and examples as you learn to integrate SonarQube into your development process.
About the Technology
SonarQube is a powerful open source tool for continuous inspection, a process that makes code quality analysis and reporting an integral part of the development lifecycle. Its unique dashboards, rule-based defect analysis, and tight build integration result in improved code quality without disruption to developer workflow. It supports many languages, including Java, C, C++, C#, PHP, and JavaScript.
About the Book
SonarQube in Action teaches you how to effectively use SonarQube following the continuous inspection model. This practical book systematically explores SonarQube's core Seven Axes of Quality (design, duplications, comments, unit tests, complexity, potential bugs, and coding rules). With well-chosen examples, it helps you learn to use SonarQube's review functionality and IDE integration to implement continuous inspection best practices in your own quality management process.
The book's Java-based examples translate easily to other development languages. No prior experience with SonarQube or continuous delivery practice is assumed
Purchase of the print book includes a free eBook in PDF, Kindle, and ePub formats from Manning Publications.
What's Inside
- Gather meaningful quality metrics
- Integrate with Ant, Maven, and Jenkins
- Write your own plugins
- Master the art of continuous inspection
About the Authors
Ann Campbellb and Patroklos Papapetrou are experienced developers and team leaders. Both actively contribute to the SonarQube community.
Table of Contents
-
PART 1 WHAT THE NUMBERS ARE TELLING YOU
- An introduction to SonarQube
- Issues and coding standards
- Ensuring that your code is doing things right
- Working with duplicate code
- Optimizing source code documentation
- Keeping your source code files elegant
- Improving your application design PART 2 SETTLING IN WITH SONARQUBE
- Planning a strategy and expanding your insight
- Continuous Inspection with SonarQube
- Letting SonarQube drive code reviews
- IDE integration PART 3 ADMINISTERING AND EXTENDING
- Security: users, groups, and roles
- Rule profile administration
- Making SonarQube fit your needs
- Managing your projects
- Writing your own plugins
Patroklos Papapetrou
Patroklos P. Papapetrou is a Java architect, an experienced software developer, and an agile team leader. He is also an active SonarQube community member and contributor.
Related to SonarQube in Action
Related ebooks
Java Testing with Spock Rating: 0 out of 5 stars0 ratingsDependency Injection: Design patterns using Spring and Guice Rating: 0 out of 5 stars0 ratingsRe-Engineering Legacy Software Rating: 0 out of 5 stars0 ratingsThe Art of Unit Testing: with examples in C# Rating: 4 out of 5 stars4/5Unit Testing Principles, Practices, and Patterns Rating: 4 out of 5 stars4/5Test Driven: Practical TDD and Acceptance TDD for Java Developers Rating: 0 out of 5 stars0 ratingsNetty in Action Rating: 0 out of 5 stars0 ratingsPlay for Java Rating: 0 out of 5 stars0 ratingsIsomorphic Web Applications: Universal Development with React Rating: 0 out of 5 stars0 ratingsThe Little Elixir & OTP Guidebook Rating: 0 out of 5 stars0 ratingsContinuous Integration in .NET Rating: 0 out of 5 stars0 ratingsAkka in Action Rating: 0 out of 5 stars0 ratingsElasticsearch in Action Rating: 0 out of 5 stars0 ratingsAgile ALM: Lightweight tools and Agile strategies Rating: 0 out of 5 stars0 ratingsXamarin in Action: Creating native cross-platform mobile apps Rating: 0 out of 5 stars0 ratingsDependency Injection Principles, Practices, and Patterns Rating: 5 out of 5 stars5/5SOA Governance in Action: REST and WS-* Architectures Rating: 0 out of 5 stars0 ratingsGradle in Action Rating: 4 out of 5 stars4/5Restlet in Action: Developing RESTful web APIs in Java Rating: 0 out of 5 stars0 ratingsProgramming with Types: Examples in TypeScript Rating: 0 out of 5 stars0 ratings.NET Core in Action Rating: 0 out of 5 stars0 ratingsEnterprise OSGi In Action Rating: 0 out of 5 stars0 ratingsBDD in Action: Behavior-Driven Development for the whole software lifecycle Rating: 0 out of 5 stars0 ratingsGroovy in Action Rating: 0 out of 5 stars0 ratingsErlang and OTP in Action Rating: 0 out of 5 stars0 ratingsCoreOS in Action: Running Applications on Container Linux Rating: 0 out of 5 stars0 ratingsTesting Vue.js Applications Rating: 0 out of 5 stars0 ratingsWriting Great Specifications: Using Specification by Example and Gherkin Rating: 0 out of 5 stars0 ratingsMongoDB in Action: Covers MongoDB version 3.0 Rating: 0 out of 5 stars0 ratingsEffective Unit Testing: A guide for Java developers Rating: 4 out of 5 stars4/5
Programming For You
Python Programming : How to Code Python Fast In Just 24 Hours With 7 Simple Steps Rating: 4 out of 5 stars4/5HTML & CSS: Learn the Fundaments in 7 Days Rating: 4 out of 5 stars4/5Coding All-in-One For Dummies Rating: 4 out of 5 stars4/5Java for Beginners: A Crash Course to Learn Java Programming in 1 Week Rating: 5 out of 5 stars5/5SQL QuickStart Guide: The Simplified Beginner's Guide to Managing, Analyzing, and Manipulating Data With SQL Rating: 4 out of 5 stars4/5Learn PowerShell in a Month of Lunches, Fourth Edition: Covers Windows, Linux, and macOS Rating: 0 out of 5 stars0 ratingsGrokking Algorithms: An illustrated guide for programmers and other curious people Rating: 4 out of 5 stars4/5Hacking: Ultimate Beginner's Guide for Computer Hacking in 2018 and Beyond: Hacking in 2018, #1 Rating: 4 out of 5 stars4/5Learn to Code. Get a Job. The Ultimate Guide to Learning and Getting Hired as a Developer. Rating: 5 out of 5 stars5/5SQL: For Beginners: Your Guide To Easily Learn SQL Programming in 7 Days Rating: 5 out of 5 stars5/5The Unofficial Guide to Open Broadcaster Software: OBS: The World's Most Popular Free Live-Streaming Application Rating: 0 out of 5 stars0 ratingsPYTHON: Practical Python Programming For Beginners & Experts With Hands-on Project Rating: 5 out of 5 stars5/5Excel : The Ultimate Comprehensive Step-By-Step Guide to the Basics of Excel Programming: 1 Rating: 5 out of 5 stars5/5Python Projects for Beginners: A Ten-Week Bootcamp Approach to Python Programming Rating: 0 out of 5 stars0 ratingsTeach Yourself C++ Rating: 4 out of 5 stars4/5Python: For Beginners A Crash Course Guide To Learn Python in 1 Week Rating: 4 out of 5 stars4/5Web Designer's Idea Book, Volume 4: Inspiration from the Best Web Design Trends, Themes and Styles Rating: 4 out of 5 stars4/5The Little SAS Book: A Primer, Sixth Edition Rating: 5 out of 5 stars5/5SQL All-in-One For Dummies Rating: 3 out of 5 stars3/5Pokemon Go: Guide + 20 Tips and Tricks You Must Read Hints, Tricks, Tips, Secrets, Android, iOS Rating: 5 out of 5 stars5/5Linux: Learn in 24 Hours Rating: 5 out of 5 stars5/5
Reviews for SonarQube in Action
0 ratings0 reviews
Book preview
SonarQube in Action - Patroklos Papapetrou
Copyright
For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact
Special Sales Department
Manning Publications Co.
20 Baldwin Road
PO Box 761
Shelter Island, NY 11964
Email:
orders@manning.com
©2014 by Manning Publications Co. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps.
Recognizing the importance of preserving what has been written, it is Manning’s policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15 percent recycled and processed without the use of elemental chlorine.
ISBN 9781617290954
Printed in the United States of America
1 2 3 4 5 6 7 8 9 10 – EBM – 18 17 16 15 14 13
Dedication
To the software architects, programmers, testers, project managers, executives, and end users of every piece of software ever written. We hope this book will make your lives easier.
Brief Table of Contents
Copyright
Brief Table of Contents
Table of Contents
Foreword
Preface
Acknowledgments
About this Book
About the Cover Illustration
1. What the numbers are telling you
Chapter 1. An introduction to SonarQube
Chapter 2. Issues and coding standards
Chapter 3. Ensuring that your code is doing things right
Chapter 4. Working with duplicate code
Chapter 5. Optimizing source code documentation
Chapter 6. Keeping your source code files elegant
Chapter 7. Improving your application design
2. Settling in with SonarQube
Chapter 8. Planning a strategy and expanding your insight
Chapter 9. Continuous Inspection with SonarQube
Chapter 10. Letting SonarQube drive code reviews
Chapter 11. IDE integration
3. Administering and extending
Chapter 12. Security: users, groups, and roles
Chapter 13. Rule profile administration
Chapter 14. Making SonarQube fit your needs
Chapter 15. Managing your projects
Chapter 16. Writing your own plugin
Appendix A. Installation and setup
Appendix B. Analysis
Index
List of Figures
List of Tables
List of Listings
Table of Contents
Copyright
Brief Table of Contents
Table of Contents
Foreword
Preface
Acknowledgments
About this Book
About the Cover Illustration
1. What the numbers are telling you
Chapter 1. An introduction to SonarQube
1.1. Why SonarQube
1.1.1. Proven technologies
1.1.2. Multilingual: SonarQube speaks your language
1.2. Running your first analysis
1.2.1. Installation considerations
1.2.2. Analyzing with SonarQube Runner
1.2.3. Analyzing multilanguage projects
1.2.4. Seeing the output: SonarQube’s front page
1.2.5. Drilling in: the dashboard
1.3. Seven Axes of Quality
1.3.1. Potential bugs and coding rules
1.3.2. Tests
1.3.3. Comments and duplications
1.3.4. Architecture and design
1.3.5. Complexity
1.4. The languages SonarQube covers
1.5. Interface conventions
1.5.1. Hierarchy: packages and classes in a metric drilldown
1.5.2. File details
1.5.3. Trend arrows
1.6. Related plugins
1.6.1. Technical debt
1.6.2. Views
1.7. Summary
Chapter 2. Issues and coding standards
2.1. Looking at your issues
2.2. What issues mean, and why they’re potential problems
2.2.1. Bugs
2.2.2. Potential bugs
2.2.3. Indications of (potential) programmer error
2.2.4. Things that may lead to future programmer error
2.2.5. Inefficiencies
2.2.6. Style inconsistencies (future productivity obstacles)
2.3. Where do issues come from?
2.3.1. Picking a rule profile
2.3.2. Viewing profiles and changing the default
2.4. Related plugins
2.4.1. SCM Activity
2.5. Summary
Chapter 3. Ensuring that your code is doing things right
3.1. Knowing how much of your code is doing things right
3.1.1. Understanding unit-test metrics
3.1.2. Getting reports on unit-test coverage metrics
3.2. Explaining metrics on a file level
3.2.1. Hunting source code lines with low coverage
3.2.2. Finding problems in your unit tests
3.3. Configuring your favorite code-coverage tool
3.3.1. Changing the default selection
3.4. Integration testing
3.4.1. Displaying integration testing coverage on the dashboard
3.4.2. Getting IT information in the source code Coverage tab
3.5. Related plugins
3.6. Summary
Chapter 4. Working with duplicate code
4.1. The hidden cost of duplicate code
4.2. Identifying duplications
4.2.1. Finding your first duplication
4.2.2. Finding duplications on a larger scale
4.2.3. SonarQube’s duplication metrics
4.2.4. Drilling in: from the duplications widget to the Duplications tab
4.3. Realizing the impact of code duplication
4.3.1. The DRY principle: minimizing and eliminating duplications
4.3.2. Duplications vs. size and complexity
4.4. Finding duplications across multiple projects
4.4.1. Turning on cross-project duplication detection
4.4.2. Cross-project duplications in source code tab
4.5. Cleaning up your duplications
4.5.1. Introduction to refactoring patterns
4.5.2. Applying patterns to remove code duplication
4.5.3. Time for a new commons library?
4.6. Related plugins
4.7. Summary
Chapter 5. Optimizing source code documentation
5.1. To document or not?
5.2. Even commenting has its own metrics
5.2.1. How SonarQube calculates metrics
5.2.2. What the numbers are telling you
5.3. Identifying undocumented code
5.3.1. Finding files to improve documentation
5.3.2. Viewing the generic tab in the source code viewer
5.4. Simplifying your documentation strategy
5.4.1. Picking a documentation tool
5.4.2. Defining a straightforward process
5.5. Related plugins
5.5.1. Widget Lab
5.5.2. Doxygen
5.6. Summary
Chapter 6. Keeping your source code files elegant
6.1. Keeping complexity low
6.1.1. Hunting those huge files
6.1.2. Complexity: what it looks like and how to fix it
6.2. Lack of Cohesion of Methods: files that do too much
6.2.1. Getting reports about the LCOM metric
6.2.2. Counting responsibilities
6.2.3. Refactoring for fewer responsibilities
6.3. RFC and couplings: classes with too many friends
6.3.1. Response for Class
6.3.2. Couplings
6.4. Summary
Chapter 7. Improving your application design
7.1. Layering your code
7.1.1. Looking at dashboard widgets
7.1.2. Understanding cycles and unwanted dependencies
7.1.3. Moving from project to package level
7.2. Discovering dependencies and eliminating cycles
7.2.1. Navigating the Dependency Structure Matrix
7.2.2. How the DSM works
7.2.3. Identifying cycles
7.2.4. Library management for Mavenites
7.2.5. Browsing the library-dependency tree
7.2.6. Who uses this library
7.3. Defining your architectural rule set
7.4. Summary
2. Settling in with SonarQube
Chapter 8. Planning a strategy and expanding your insight
8.1. Planning your strategy
8.1.1. Picking a metric
8.1.2. Holding your ground
8.1.3. Moving the goal posts
8.1.4. Boy Scout approach: leave the class better than you found it
8.1.5. SonarQube time: worst first
8.1.6. Re-architect
8.1.7. The end game
8.2. History and trending
8.2.1. Time Machine
8.2.2. Events and database cleanup
8.3. Everything’s a component
8.3.1. Project component view
8.3.2. No package history
8.4. Related plugins
8.4.1. Tab Metrics
8.4.2. Widget Lab
8.5. Summary
Chapter 9. Continuous Inspection with SonarQube
9.1. Introducing Continuous Inspection
9.1.1. What and how?
9.1.2. Life before and after Continuous Inspection
9.1.3. The big picture
9.2. Triggering your analysis with CI
9.2.1. Jenkins setup
9.2.2. Other CI systems
9.2.3. Best practices
9.3. Monitoring quality evolution
9.3.1. Exploring differential views in the project dashboard
9.3.2. Differential views in the issues drilldown
9.3.3. Differential views in the source code viewer
9.3.4. Choosing differential periods
9.3.5. The Compare service
9.4. Related plugins
9.4.1. Cutoff
9.4.2. Build Breaker
9.5. Summary
Chapter 10. Letting SonarQube drive code reviews
10.1. Reviewing code in SonarQube
10.1.1. Issues: a starting point
10.1.2. Confirm, comment, and assign: the simplest workflow options
10.1.3. False positives: sometimes SonarQube gets it wrong
10.1.4. Changing severity: not every issue is that bad
10.1.5. Altering the code to make SonarQube turn a blind eye
10.1.6. Viewing the audit trail
10.2. Creating manual issues: when the rules aren’t enough
10.2.1. Why you would want extra issues
10.2.2. Making manual issues
10.3. Tracking issues
10.3.1. Life cycle of an issue
10.3.2. Tracking squashed issues
10.3.3. Searching issues
10.4. Planning your work with SonarQube’s action plans
10.4.1. Why bother with action plans?
10.4.2. Managing action plans
10.4.3. Using action plans
10.4.4. Tracking action plans
10.5. Structuring a code review
10.5.1. Why: talking about code
10.5.2. Who
10.5.3. When
10.5.4. Where
10.5.5. How
10.6. Related plugins
10.6.1. JIRA
10.6.2. Taglist
10.6.3. Widget Lab
10.7. Summary
Chapter 11. IDE integration
11.1. What’s supported
11.1.1. Generic support
11.1.2. Eclipse support
11.2. Setting up Eclipse integration
11.2.1. Installing the plugin
11.2.2. Configuring the server
11.2.3. Project association
11.3. Working your assigned issues
11.3.1. Finding your assigned issues
11.3.2. Finding and fixing the code
11.4. Running a local analysis
11.5. Related plugins
11.5.1. Issues Report
11.6. Summary
3. Administering and extending
Chapter 12. Security: users, groups, and roles
12.1. Creating users and groups
12.1.1. Managing users
12.1.2. Personalization: what users can manage for themselves
12.1.3. Managing groups
12.2. Roles: who can do what
12.2.1. Project Administrator role
12.2.2. User role
12.2.3. Code Viewer role
12.2.4. Best practices for roles
12.3. System administrators
12.4. Related plugins
12.4.1. LDAP
12.4.2. OpenID
12.4.3. Crowd
12.4.4. PAM
12.5. Summary
Chapter 13. Rule profile administration
13.1. Making your own profile: copy and modify
13.1.1. Copy or start from scratch?
13.1.2. Your first profile edits and their quality implications
13.1.3. Adding rules: how to find them and why you’d want to
13.2. Profile inheritance
13.2.1. Establishing inheritance
13.2.2. Managing the relationship
13.3. Rule editing
13.3.1. Customizing individual rules: editing rule parameters
13.3.2. Cookie-cutter rules: the ones you can duplicate
13.3.3. Extend Description: the rest of the story
13.3.4. Notes: profile-specific records on individual rules
13.4. Alerts: knowing when your metrics have crossed the line
13.5. How to track profile changes
13.5.1. Changelog: who did what, when
13.5.2. Profile versions: when changes go into production
13.5.3. Profile comparison
13.6. Administrative miscellany
13.6.1. Project assignment: which project uses which profile
13.6.2. Profile backup and restoration
13.6.3. Permalinks
13.7. Plugins
13.7.1. Switch Off Violations
13.7.2. Widget Lab
13.8. Summary
Chapter 14. Making SonarQube fit your needs
14.1. Exploring filters
14.1.1. Adding a new filter
14.1.2. Customizing the filter view
14.1.3. Advanced filtering
14.1.4. SonarQube’s default filters
14.2. One size doesn’t fit all: managing global dashboards
14.2.1. Creating your first global dashboard
14.2.2. Customizing your dashboards
14.2.3. Defining default global dashboards
14.3. Getting notified by SonarQube
14.3.1. Activating the notification mechanism
14.3.2. Subscribing to event types
14.4. Adjusting global settings
14.4.1. Database cleaner
14.4.2. General
14.4.3. Localization
14.4.4. Server ID
14.5. Housekeeping
14.5.1. Backing up your SonarQube configuration
14.5.2. Working with the update center
14.6. Summary
Chapter 15. Managing your projects
15.1. Working with project dashboards
15.2. Adopting Continuous Inspection more quickly
15.2.1. Assigning quality profiles
15.2.2. Defining your own metrics
15.2.3. Excluding source code from analysis
15.2.4. Understanding versions, snapshots, and events
15.3. Exploring the rest of the project configuration
15.3.1. Changing permissions
15.3.2. Setting project links
15.3.3. Modifying the project key
15.3.4. Deleting projects
15.3.5. Miscellaneous settings
15.4. Summary
Chapter 16. Writing your own plugin
16.1. Understanding SonarQube’s architecture
16.2. Implementing the Redmine plugin
16.2.1. Creating the plugin Maven project
16.2.2. Defining the plugin’s available configuration
16.2.3. Describing the metrics: what you’ll calculate and store
16.2.4. Implementing your analyzer with a sensor
16.2.5. Creating your first widget
16.2.6. Supporting internationalization
16.2.7. A decorator example
16.3. Adding support for new programming languages
16.4. Summary
Appendix A. Installation and setup
A.1. Preparing for installation
A.1.1. Verifying Java
A.1.2. Database setup
A.2. Installing SonarQube
A.2.1. Ubuntu
A.2.2. Windows 7
A.2.3. Configuring SonarQube: Windows 7 and Ubuntu
A.2.4. Turning it on
A.2.5. Default admin account
A.3. Upgrading
A.3.1. Ubuntu
A.3.2. Windows 7
Appendix B. Analysis
B.1. Analyzing with SonarQube Runner
B.1.1. Install: Windows 7
B.1.2. Install: Ubuntu
B.1.3. Verify and configure : Ubuntu and Windows 7
B.1.4. Analyze
B.1.5. Multi-module projects
B.2. Analyzing with Maven
B.2.1. Setup
B.2.2. First analysis
B.2.3. Multi-module
B.3. Analyzing with Ant
B.4. Analysis properties
Index
List of Figures
List of Tables
List of Listings
Foreword
The software industry is still a young industry in which software quality means for many people pain,
cost,
constraint,
nice to have,
one-shot effort,
or external reviews.
Fortunately, with the Agile movement, the industry has started to realize during the last decade that software quality also means fun,
built-in,
rewarding,
and higher productivity.
Ann Campbell and Patroklos Papapetrou belong to the latter group, and they strongly believe that software quality should be a daily concern shared by all stakeholders in the industry for long-term success.
Software quality is divided into external and internal quality. External quality looks at how well the software fulfills its functional requirements: in other words, whether you’re building the right software. Internal quality looks at how well the software is designed/implemented to constantly welcome new changes: in other words, whether you’re building the software right. Industry statistics show that on average, 80% of the cost of software is spent on maintenance; there is considerable variability depending on internal quality. This makes internal quality a key component for the future cost of software.
This is the reason why managing code quality of applications has become a major concern for any company that builds or is involved in building software. Traditional approaches to managing code quality propose to test code from time to time, mainly at the end of a development phase. In the best case, this approach leads to delays and re-work; in the worse case, it leads to the shipment of poor-quality, expensive-to-maintain software. There is therefore an urgent need for a new approach: one that clearly gives ownership of code quality back to the development team; one that emphasizes quality throughout the development phase and has a shorter feedback loop to ensure rapid resolution of quality problems; in short, a model that builds in quality from the start, rather than considering it after the fact.
This is the mission we have set ourselves at SonarSource: to provide tooling for support of this new approach called Continuous Inspection. This is what we believe we have achieved with SonarQube, the open source platform to continuously manage technical debt. SonarQube has a large ecosystem, is widely adopted, and has a very large community. Ann and Patroklos are part of this community and among the most active members, contributing not only by their feedback but also by expanding the ecosystem. When they approached me with the idea of writing a book, I was thrilled, because this is clearly something that is missing in the SonarQube ecosystem. Having Ann and Patroklos writing it also meant it would have some great insight from the community and, more important, that it would contain the end-user perspective on the solution.
This book will be your companion in your journey with SonarQube. It will take you from why you should use SonarQube to installation, configuration, administration, and utilization of services, up to extending the platform. You can use it either by reading through from A to Z or as a support reference for information about a specific topic.
But that isn’t all! Ann and Patroklos also discuss the process surrounding the tool, challenge existing and missing functionality, and provide numerous tips for using SonarQube, all based on their own experience. Whatever your level of familiarity with the product, you’ll learn from this book. This is what, in my opinion, makes this book a unique source of information for a successful implementation.
Enjoy!
OLIVIER GAUDIN
CEO AND COFOUNDER
SONARSOURCE
Preface
Would you like to help me write a book about Sonar?
My reaction was immediate: Yes!
I knew Patroklos Papapetrou from the Sonar mailing list, and I was aware that he was pitching Sonar in Action (now SonarQube in Action, to match the technology’s new name) to Manning. What I didn’t know was that he wanted a coauthor. Because I was a native English speaker and active (and helpful) on the list, he thought of me. I had only been a member of the list for about six months, but I’d been aware of Sonar since late 2008 when my boss came across a mention of Sonar and asked me to evaluate it.
I was coding in Java at the time, but I had started my programming career with Perl and C. Lint was your friend, and bugs were found the hard way—by the users. So I found Sonar intriguing. It promised to scan each line of code and point out all kinds of things that were wrong or could go wrong. But to use it, you had to be building with Maven. Unfortunately, we were in an Ant-build shop. Sonar was off the table.
Fast-forward to early 2010. Sonar was approximately three years old, but already it was gaining broad acceptance among community and enterprise users and being downloaded more than 2,000 times a month. Patroklos had found the Sonar website while researching software quality tools, and it was a classic boy-meets-software story. (Cue the sappy music.) It didn’t take long before he was in love and Sonar was one of his favorite tools.
Meanwhile, I had begun moving our Ant builds to Jenkins (it was still called Hudson then), and I stumbled across the Sonar plugin for Hudson. It works differently now, but at the time, it performed a shallow Maven-ization
of a non-Maven project and ran an analysis. Hmmm. Maybe Sonar was back on the table.
I installed Sonar and the plugin on my localhost and ran an analysis. When I poked around in the results, I didn’t understand everything I was seeing, but I knew I liked the way it presented issues in the context of the offending code. And because Sonar had a web-based front end, instead of having to send quality reports to people, I could send the people to the reports! When I showed my colleagues, they agreed that what we were seeing was good stuff, so we teamed up on our management.
We pretty quickly got first-level management’s buy-in to pilot Sonar, and we started talking about it to anyone who would listen. Pretty soon other teams were approaching me to set them up with that Sonar thing.
We were seeing a viral adoption. After only a couple of months, management at the next level up said that everyone needed to be on Sonar by the end of the year.
By this time it was early 2011, and Patroklos was an active member of the Sonar community. He had spent 2010 telling everyone he knew about Sonar via his articles and blog posts. He also implemented his first Sonar plugin that year. By August of 2011, he was such a prominent figure in the small Sonar community that another publisher approached him to write a book about it. He was flattered, but didn’t have the time to do it justice, so he turned it down.
But although Patroklos didn’t write that book, he didn’t forget the idea. When his schedule cleared at the end of the year, he approached Manning about writing Sonar in Action. A few short months after that, we were on our way.
Our goal in writing this book has been to condense the SonarQube lessons we learned in the last few years, combine them with whatever wisdom we can lay claim to from our combined 30 years of programming, and put a bow on all of it for you. The first time I ran a Sonar analysis, I didn’t understand some of the things I was seeing, but we don’t want that to happen to you. We’ll tell you not only what SonarQube’s metrics mean, but also why you should care and (unless it’s really, really obvious) what steps to take in your code to get started fixing what’s wrong. We’ll help you plan a strategy for tackling your technical debt, and we’ll show you how to make SonarQube a part of your routine rather than something extra you have to remember to do. We’ll guide you in twiddling SonarQube’s knobs so you can tune it to get the best experience in your environment. And finally, in case you feel the need, we’ll show you how to get started writing your own SonarQube plugin.
Over and over, I’ve seen this in action: good programmers are passionate about quality code. Show us what the problems are, and we’ll be almost compelled to fix them. In the past, the hard part has been pinpointing the problems. With SonarQube, the only hard part is finding the time to deal with them. Code quality used to be hard. Now it’s easy. Welcome to SonarQube.
ANN CAMPBELL
Acknowledgments
When we signed up to write this book, we didn’t know how much effort it would require. It was for both of us our first authoring attempt, and although Ann had considerable experience with documentation and journalism, Patroklos’s most recent writing had taken place a decade earlier. Without the assistance of many people, this book would definitely not be in your hands or on your screen right now. It’s much more likely that we would still be working on it.
From day one of the project, help has poured in, and all of it has been not only appreciated but essential. If we’ve forgotten anyone, please accept our sincere apologies. In no particular order, we’d like to thank the following people for their work and support.
Manning Publications
Many thanks to publisher Marjan Bace for accepting the initial proposal of two new and inexperienced authors. He helped the book take its first—and most important—step.
Thanks to Christina Rudolph and Michael Stephens, who were the first two people we talked with about the book. They guided us as we improved our proposal, and they explained the publishing process in detail.
Hillary Clinton said it takes a village to raise a child. It turns out that it takes one to produce a book, too. Clearly, our development editor, Susanna Kline, deserves a shout-out for her continuous support and help. Her patience and encouragement were invaluable.
Thanks to Bert Gates and Cynthia Kane for teaching us how to write our first chapters following Manning style.
Thanks to Candace Gillhoolley for her marketing efforts on the first MEAP release. She is a master of social media.
Knowing that we didn’t have to worry about every semicolon because a copyeditor would come after us has been tremendously freeing; our thanks to Tiffany Taylor. And thanks to many other members of the Manning team who helped us behind the scenes: Maureen Spencer, Kevin Sullivan, Olivia Booth, Toma Mulligan, Mary Piergies, Dottie Marsico, and Janet Vail. And special thanks to our technical proofreader, Craig Smith, for his final review of the manuscript shortly before it went into production.
The SonarSource team
Of course, without SonarQube itself, the book wouldn’t have been possible. That puts the folks at SonarSource squarely at the front of the line for thanks for their incredible free and open source contribution to software quality. More than simply providing the software, they’ve actively supported this book. SonarSource CEO Olivier Gaudin and Product Director Freddy Mallet reviewed each chapter, offering invaluable feedback and insight. The fact that we have their blessings and support ... wow. We couldn’t ask for more. Without their help, we wouldn’t have been able to publish this book with the most updated material.
The reviewers
Thanks to our MEAP readers and to the reviewers who read the manuscript at various stages during its development and gave helpful comments and feedback to our editors and to us: Alex Garret, Bobby Abraham, Brandon Campbell, Chris Baxter, Christopher Taylor, Gregor Zurowski, Jason S. Shapiro, Javier Garcia Martin, Joshua White, Mark Elston, Michael Hüttermann, Mikkel Arentoft, Rashid Jilani, Reinhard Prehofer, Robert Wenner, and Steven Hicks.
Ann Campbell
I’d like to thank my husband, Charles Nix; my dog; and the rest of my family for their patience with me this past year as I concentrated on writing rather than on ... really, anything else in my life.
I’d also like to thank my high school English teacher, Dr. Richard L. Handlesman (Doc
to his students), for forcing me to write an essay every two weeks; and my mother, Polly Campbell, for teaching me to write them (whether I wanted to learn or not).
Patroklos Papapetrou
I’d like to thank my loving and beautiful wife, Anna, for her patience all these months, especially during the weekends. Without her encouragement, I wouldn’t have managed to finish my part of the book. Thanks to my sons, Panagiotis (age 4) and Charis (age 2), who understood that sometimes Daddy couldn’t play with them or go to the park. You can have me back now! Thanks to our families for their patience as well and for sometimes watching the kids to let me work on the book.
About this Book
Welcome to SonarQube in Action. This book is aimed at turning all the tedious and sometimes hard-to-understand stuff about source code quality and software metrics into an exciting experience. It aims to become the Holy Bible of software quality: a reference for every development team that wishes to improve their source code. You’ll see that metrics are meaningful and affect several aspects of your software’s health. In this journey, SonarQube will be our pilot. SonarQube is an open source platform for continuously measuring, managing, tracking, and improving source code’s quality.
How this book is organized
We begin each chapter of the book by describing a real problem/situation, and then we talk about the features of SonarQube and the relevant metrics that help you address and eventually solve that problem. We elaborate by providing some theoretical background, we discuss best practices (if any), and we end each chapter by talking about relevant—to the chapter’s topic—SonarQube plugins and how you can take advantage of them.
Now it’s time to list in detail the book’s content.
Part 1 gives you an overview of SonarQube, explains the seven axes of quality (like the seven deadly sins of software development), and sets the stage for the following parts. We introduce SonarQube’s key features and benefits and discuss the core metrics that SonarQube calculates.
Chapter 1 sets the scene, introducing the core concepts of SonarQube. We begin by showing you what you should expect to see when you analyze a project using SonarQube for the first time. We briefly discuss the different metrics presented in SonarQube’s dashboard. At the end, we present the Technical Debt plugin.
Chapter 2 introduces the topic of code issues. You’ll learn, among other things, where they come from and how they’re related to bugs or potential bugs.
Chapter 3 is all about testing (unit and integration). It describes the importance of code-coverage metrics and how they’re calculated, and it gives you some tips for improving the test quality and coverage of your code.
Chapter 4 focuses on duplicated code by illustrating the problems that may arise and the resulting impact on the quality and maintainability of your source code.
Chapter 5 deals with a topic which is rarely considered by development teams as a quality factor: documentation. You’ll find out when and why it’s a good practice to document your code, and we’ll present a proposed documentation strategy that fits any development process.
Chapters 6 and 7 talk about design and complexity. Although some may argue that they’re more or less the same thing, we’ve chosen to split them in order to provide more examples and illustrate their value in code quality.
Part 2 discusses how you can get the best out of SonarQube, where it fits in any development lifecycle, and how to make it part of your everyday work life. It also introduces the concept of Continuous Inspection, which is the ultimate target when talking about software quality.
Chapter 8 discusses several approaches for improving the quality of your source code. You can pick one or all of them based on your experience. Then we’ll take you on a tour of all the possible data perspectives that SonarQube offers, and we finish by explaining the concepts of history and trending.
Chapter 9 delves into the details of Continuous Inspection. We’ll talk about integrating SonarQube with Jenkins, and you’ll learn about the star feature of differential views that lets you track quality evolution over time.
Chapter 10 deals with the popular practice of code reviews and explains how you can benefit from SonarQube. You’ll find out how issues are associated with reviews, how to track them, and what SonarQube features let you plan your work with action plans.
Chapter 11 talks about integrating SonarQube with Eclipse. Enjoy most of the SonarQube advantages without leaving your IDE by following the step-by-step guide provided in this chapter.
Part 3 covers several administrative topics and gives you ideas about customizing and tuning SonarQube to make it suitable for any kind of project. In an enterprise environment with a SonarQube installation that hosts several projects, it’s a good idea to adjust many of SonarQube’s predifined settings to fit your needs. This part of the book also teaches you step by step how to extend SonarQube by writing a custom plugin.
Chapter 12 explores security concepts, including users, roles, and groups. You’ll learn how to delegate authentication and authorization to external systems (LDAP, OpenID, and so on).
Chapter 13 deals with managing coding rules and organizing them in quality profiles. You’ll also discover how you can create your own rules or edit existing ones and trigger alerts when metrics fall below a threshold.
Chapters 14 and 15 discuss global and project administration, including filters, dashboards, and user notifications. The latter also provides a simple path for adopting Continuous Inspection by discussing useful SonarQube features that will assist you in this direction.
Chapter 16 is dedicated to teaching you how to extend SonarQube. Although it’s not possible to cover everything in a few pages, we provide a complete example of implementing a real SonarQube plugin. We also give you some insights into adding support for new programming languages.
The book also has two appendixes that will help you with the basics, especially if you’re a SonarQube newbie:
Appendix A focuses on installing SonarQube in Linux and Windows.
Appendix B provides all the necessary details to run your first analysis with SonarQube.
One last thing—don’t expect to find correct code in this book. Chapter 16 is the only exception to that rule, because it deals with writing plugins. Most of the examples intentionally illustrate bad habits in coding, and their purpose is to point out what you should avoid. Nevertheless, in some cases we’ve included a refactored version to show you that by using SonarQube, you can begin to understand these nasty metrics and dramatically improve the quality of your code.
How to use/read this book
Each person has their own reading style, and we can’t force you to change it for this book. But we can still give you a couple of ideas on how to get the most out of this book.
Every chapter is organized in such a way that you can read it separately from the rest. We do suggest that you read chapter 1, especially if you’re not an experienced SonarQube user, because it’s an overview of SonarQube and introduces some basic ideas you may need when reading the rest of the book.
If you decide to read the book sequentially, you’ll find that each chapter is connected to the previous one, and the chapters flow smoothly, without gaps. But again, you can skip any chapter and come back later if you want to.
We did our best to ensure that this book will become a reference for you whenever you need to learn or remember anything about SonarQube or its computed metrics.
Who should read this book
Believe it or not, source code quality is a topic that targets almost everyone who participates in a software project. Although we provide several code examples, you don’t need to be a code expert to read this book. You also don’t need to be familiar with Java, because the code listings and snippets are so simple that anyone with basic programming skills can understand them. Besides, don’t forget that most of the examples in the book show you poor or bad code, to illustrate techniques and habits you should avoid. We do expect that you have some basic knowledge about software quality metrics.
The book is aimed at the following professionals:
Software engineers (developers, designers, architects)—This is the book’s primary target audience. Software engineers live a day-by-day battle to achieve software quality, hunting and fixing bugs, adding new features, and designing and redesigning the logical architecture of the system. Not to mention that all these things have to be done within strict deadlines and constantly changing business requirements. This book will help you spot the parts of the software that need your attention so you can take immediate action.
Quality assurance staff and testers—QA stuff nowadays plays a valuable role in software engineering. In most cases, these people are part of the development team, and it’s up to their judgment whether a product should be released. If you fall in this category, this book will teach you how to track the quality of the software under devlopment in an easy and comprehensive way, how to define criteria and thresholds for critical metrics, and, eventually, how SonarQube can assist you in decision making.
Project/Product managers and team leaders—The era of project/product managers and team leaders sitting in an office, isolated from the rest of the development team, has passed. Managers exist to do more than read weekly reports and track down timelines and deliverable. They must have a clear view of the software and especially its quality in order to assist team members and get them on the right track. This book explains all the quality axes without unnecessary technical details. It provides you with a guide to how you can automatically track quality measures in source code over time and improve the development lifecycle by introducing new practices such as code reviews and Continuous Inspection.
Code conventions and downloads
All the source code in the book, whether in code listings or snippets, is in a fixed-width font like this, which sets it off from the surrounding text. In most listings, the code is annotated to point out the key concepts, and numbered bullets are sometimes used in the text to provide additional information about the code. We have tried to format the code so that it fits within the available page space in the book by adding line breaks and using indentation carefully.
Source code for all the examples and the plugin from chapter 16 are available at www.manning.com/SonarQubeinAction. If you want to get the most updated source code for the plugin—remember, it’s a real one, so the latest version is likely to be different from the code shipped with the book—it’s available at the following GitHub link: https://github.com/ppapapetrou76/sonar-redmine-plugin.
What this book doesn’t do
This book should not be considered a user or administration guide for SonarQube. If you just want to learn how to use SonarQube, the online documentation at http://docs.codehaus.org/x/EoDEBg should be sufficient.
This book also doesn’t explain the underlying tools with which SonarQube integrates, such as PMD, FindBugs, Checkstyle, and so on. You’re encouraged to visit the corresponding websites to learn more about their purpose.
In some chapters, we include tips and best practices for refactoring as well as some introductory material. But this book doesn’t teach you how to refactor your code.
Author Online
The purchase of SonarQube in Action includes free access to a private web forum run by Manning Publications, where you can make comments about the book, ask technical questions, and receive help from the authors and from other users. To access the forum and subscribe to it, point your web browser to www.manning.com/SonarQubeinAction. This page provides information on how to get on the forum once you are registered, what kind of help is available, and the rules of conduct on the forum.
Manning’s commitment to our readers is to provide a venue where a meaningful dialogue between individual readers and between readers and the authors can take place. It is not a commitment to any specific amount of participation on the part of the authors whose contribution to the forum remains voluntary (and unpaid). We suggest you try asking the authors some challenging questions lest their interest stray!
The Author Online forum and the archives of previous discussions will be accessible from the publisher’s website as long as the book is in print.
About the authors
G. ANN CAMPBELL has 15 years of experience in Perl, C, C++, Java, and web technologies on variously sized and organized teams, and she has spent far too much time achieving code quality the hard way without SonarQube.
PATROKLOS P. PAPAPETROU is a Java architect, an experienced software developer, and an Agile team leader. He’s an active SonarQube community member and contributor.
About the Cover Illustration
The figure on the cover of SonarQube in Action is captioned Habit of a Bonze of China in 1700.
A bonze is a Buddhist monk. The illustration is taken from Thomas Jefferys’ A Collection of the Dresses of Different Nations, Antient and Modern (4 volumes), London, published between 1757 and 1772. The title page states that these are hand-colored copperplate engravings, heightened with gum arabic. Thomas Jefferys (1719–1771) was called Geographer to King George III.
He was an English cartographer who was the leading map supplier of his day. He engraved and printed maps for government and other official bodies and produced a wide range of commercial maps and atlases, especially of North America. His work as a mapmaker sparked an interest in local dress customs of the lands he surveyed and mapped, which are brilliantly displayed in this four-volume collection.
Fascination with faraway lands and travel for pleasure were relatively new phenomena in the late 18th century, and collections such as this one were popular, introducing both the tourist as well as the armchair traveler to the inhabitants of other countries. The diversity of the drawings in Jeffreys’ volumes speaks vividly of the uniqueness and individuality of the world’s nations some 200 years ago. Dress codes have changed since then and the diversity by region and country, so rich at the time, has faded away. It is now often hard to tell the inhabitant of one continent from another. Perhaps, trying to view it optimistically, we have traded a cultural and visual diversity for a more varied personal life. Or a more varied and interesting intellectual and technical life.
At a time when it is hard to tell one computer book from another, Manning celebrates the inventiveness and initiative of the computer business with book covers based