I hope you have already read the "Preface" of my static code analyzers series. Regardless of whether you are a developer, manager or architect, how meticulous are you about the quality of the software code you deliver?
I believe that as a developer you are already using, or at least aware of, some of the known static code analyzer tools for keeping code clean and improving quality, such as Checkstyle, PMD, FindBugs and CodePro AnalytiX. If not, then read my previous posts: "Checkstyle, PMD, FindBugs - Are those alternatives or not?" and "Google CodePro AnalytiX - Why is it a premium Eclipse plugin for Java developers?".
In this post, I will try to explain how SonarQube is beneficial to all developers, managers and architects. If you don't know what SonarQube is, first spend 5-10 minutes trying SonarQube online by exploring the quality reports of one of the open source projects hosted on the public SonarQube instance.
Straight from the horse's mouth
SonarQube® software (previously called Sonar) is an open source quality management platform, dedicated to continuously analyze and measure technical quality, from project portfolio to method.
- As such, it covers the 7 axes of code quality: Architecture and Design, Duplications, Unit tests, Complexity, Potential Bugs, Coding Rules and Comments.
- Covering new languages, adding rules engines, computing advanced metrics can be done through a powerful extension mechanism. More than 50 plugins are already available. More than 20 programming languages are covered through plugins including Java, C#, C/C++, PL/SQL, Cobol, ABAP…
My Personal Feedback
- When to use and key features?
  - Use a single SonarQube platform, which offers numerous features to improve software quality and reduce application maintenance cost by engaging multiple stakeholders (developers, managers, architects...). It can be extended further by installing plugins.
  - Architects should aim to set up SonarQube and Jenkins integration (or any supported continuous integration tool) to get continuous inspection of overall code quality at the file, module, project or portfolio level. Individual stakeholders can then have custom dashboard reporting for their own area of interest.
  - Architects and managers can use the different visualization / reporting views available in SonarQube to track and control the overall quality of the code delivered by the development team over time. For example: (i) increasing technical debt signals degrading quality of software architecture and development within a codebase; (ii) different views (historical information, timelines, dynamic charts...) are available to monitor how software quality is evolving over time; (iii) the SCM Stats plugin provides "authors activity" and "commits per author" widgets, which managers can use to observe team members' commit activity...
  - Java developers can check the source code before pushing it to the SCM: either directly in Eclipse or IntelliJ, or by running an analysis with the Issues Report plugin. If you are a developer, then you should know how to deal with the developers' seven deadly sins using SonarQube. This would increase your efficiency and make sure that you are not introducing new quality issues.
- Initial learning curve and ease-of-use?
  - It is easy to use and learn, but you cannot practice it effectively until you know in depth how to interpret the accredited quality standards in the available reports.
- Setup requirements?
  - (1) Set up the SonarQube server --- If Java is installed on the machine, then you can set up the SonarQube server in less than 5 minutes. You may set up SonarQube as a service on Windows or Linux. I would strongly recommend switching the default embedded H2 database (intended for evaluation only) to a supported database such as MySQL, MSSQL, etc. For that, edit the database and JDBC configuration in the "<sonar-home>/conf/sonar.properties" file (e.g. if you create a "sonar123" database in MySQL, then configure "sonar.jdbc.url" as "sonar.jdbc.url: jdbc:mysql://localhost:3306/sonar123?useUnicode=true&characterEncoding=utf8"). Note that the same file then holds the database username and password in clear text, so restrict its permissions to the account that runs SonarQube.
  - (2) Set up a SonarQube client --- For the source code analysis, you can set up one or more clients to suit your project, as there are multiple client options that integrate with the SonarQube server, such as SonarQube Runner, Maven, Ant, the SonarQube Eclipse plugin, etc.
- Cost (free or commercial)?
  - SonarSource products come in different editions (Community Edition and commercial editions) to meet the needs of small, medium and large enterprises.
  - SonarQube CE enables small development teams to raise code quality at no cost.
- Limitations / challenges?
  - Some commercial tools provide a code query language, such as JArchitect does. I didn't find a similar ability in SonarQube, which would be a really nice-to-have feature!
  - I didn't find a single page containing a tabular list of all plugins where one can quickly check free vs. commercial plugins. So if you opt for SonarQube CE, one challenge is that you need to check one by one which of the SonarQube-provided plugins fit your project's needs. Additionally, you may also need to evaluate externally available plugins for your requirements. Finally, you need to check whether the selected plugins are free or chargeable.
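A small preflight check for step (1) of the setup, written for this page as an added example (it is not the post's script and not part of SonarQube). It reads a `sonar.properties` file and refuses to let the server start on the embedded H2 database, insists that the JDBC username and password are set, and checks that the file is not readable by other local users, since the database password sits in it in clear text. The property names are the ones `sonar.properties` documents; the list of accepted JDBC URL prefixes is this example's own whitelist, and "sonar123" is the post's example database name.

```shell
#!/bin/sh
# Preflight check for <sonar-home>/conf/sonar.properties before starting the
# SonarQube server.  Added example; not the post's own script.
# Assumptions: the accepted JDBC prefixes below are our own whitelist of the
# databases SonarQube supported at the time (MySQL, PostgreSQL, MSSQL, Oracle).

# Print the value of a property (first uncommented occurrence), or nothing.
# Both "key=value" and "key: value" forms are accepted, as the post uses ":".
sonar_prop() {
    # $1 = properties file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if the file passes, 1 otherwise; every finding goes to stderr.
check_sonar_properties() {
    f=$1
    ok=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }

    url=$(sonar_prop "$f" sonar.jdbc.url)
    user=$(sonar_prop "$f" sonar.jdbc.username)
    pass=$(sonar_prop "$f" sonar.jdbc.password)

    # No URL (the shipped default leaves it commented out) means embedded H2,
    # which is meant for evaluation only.
    case "$url" in
        "")        echo "sonar.jdbc.url unset: server would start on embedded H2" >&2; ok=1 ;;
        jdbc:h2:*) echo "sonar.jdbc.url points at H2: not for production use" >&2; ok=1 ;;
        jdbc:mysql:*|jdbc:postgresql:*|jdbc:sqlserver:*|jdbc:oracle:*) ;;
        *)         echo "unrecognised sonar.jdbc.url: $url" >&2; ok=1 ;;
    esac
    [ -n "$user" ] || { echo "sonar.jdbc.username unset" >&2; ok=1; }
    [ -n "$pass" ] || { echo "sonar.jdbc.password unset" >&2; ok=1; }

    # The password is stored in clear text, so the file must be readable by
    # the SonarQube service account only (mode 600 or 400).
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f is mode $mode; expected 600 or 400 (chmod 600 $f)" >&2; ok=1 ;;
    esac
    return $ok
}
```

Run it as `check_sonar_properties /opt/sonar/conf/sonar.properties` (adjust the path) from the service's start script or a deployment pipeline, so a server that silently fell back to H2 or shipped with a world-readable password file is caught before it comes up.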
Practical Shot
Though SonarQube supports more than 20 programming languages, for demonstration purposes I performed an analysis on the Java code of an open source project which I used in the past: MockMock, a cross-platform SMTP server built in Java which allows you to mock email sending functionality and to see what the emails look like.
- The chosen project is Maven based, so I preferred to run the source code analysis using Maven. Firstly, I added the SonarQube server configuration to Maven's "settings.xml" file. Secondly, I added the "sonar-maven-plugin" configuration to the project's "pom.xml" file. Finally, I executed the command "mvn sonar:sonar", which performed the analysis and stored the results in the SonarQube server database. That's it.
- Then I accessed the generated reports in the browser and captured the few screenshots below, mostly with the default configuration. Aren't those full of information about the overall quality standards of the software codebase? Aren't they easy to interpret and useful to all stakeholders such as developers, managers, architects and QA? You would realize the power of SonarQube if you compared them with the analysis results of the same codebase produced by other static code analyzer tools such as Checkstyle, PMD, FindBugs and CodePro AnalytiX. In fact, you can make it more powerful by installing more plugins and applying more advanced configuration.
- I also captured a few screenshots, shown below, using the SonarQube Eclipse plugin, which is focused on improving Java developer efficiency. One challenge I faced was that I was not able to associate the project with SonarQube in Eclipse. Finally I found that, for a Maven based project, the Maven artifactId and the Eclipse project name must be the same. See the SonarQube documentation for more detail on working with the SonarQube Eclipse plugin.
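The three Maven steps above, as an added example written for this page rather than the post's own files: the server details go into a profile in the developer's (or CI agent's) `~/.m2/settings.xml`, the project's `pom.xml` keeps only the `sonar-maven-plugin` declaration, and the analysis is started with `mvn sonar:sonar`. The profile id "sonar" and the `sonar_analyse` wrapper are this example's own choices. One caveat worth knowing: up to SonarQube 5.1 the Maven analysis wrote straight to the server's database, so the same profile also had to carry `sonar.jdbc.url`, `sonar.jdbc.username` and `sonar.jdbc.password`, i.e. the database credentials ended up on every workstation that ran an analysis; from 5.2 on the analyzer talks only to the server. In either case those properties must never be pasted into the shared `pom.xml`, which is what the lint below enforces.

```shell
#!/bin/sh
# Maven-side setup for "mvn sonar:sonar".  Added example; not the post's own
# files.  Assumptions: profile id "sonar" is ours; the lint's property list
# is the set of server/database properties the SonarQube Maven plugin reads.

# Emit the <profile> element to add under <profiles> in ~/.m2/settings.xml.
# Only the server address lives here; pre-5.2 servers also need the
# sonar.jdbc.* properties in this same (per-user, never committed) file.
render_sonar_profile() {
    # $1 = SonarQube server URL
    cat <<EOF
    <profile>
      <id>sonar</id>
      <activation><activeByDefault>true</activeByDefault></activation>
      <properties>
        <sonar.host.url>$1</sonar.host.url>
      </properties>
    </profile>
EOF
}

# Return 1 if a pom.xml carries any SonarQube server or database property:
# pom.xml is committed with the code, settings.xml is not.
lint_pom_for_sonar_settings() {
    # $1 = path to pom.xml
    found=0
    for key in sonar.host.url sonar.jdbc.url sonar.jdbc.username \
               sonar.jdbc.password sonar.login sonar.password; do
        if grep -q "<$key>" "$1"; then
            echo "$1: remove <$key>; it belongs in ~/.m2/settings.xml" >&2
            found=1
        fi
    done
    return $found
}

# Usage: sonar_analyse <project dir>   (refuses to run on a leaky pom.xml)
sonar_analyse() {
    lint_pom_for_sonar_settings "$1/pom.xml" || return 1
    # -B: batch mode, so a CI job never waits on a prompt
    (cd "$1" && mvn -B sonar:sonar)
}
```

Generate the profile once with `render_sonar_profile http://sonar.example:9000 >> /tmp/profile.xml` and paste it into `settings.xml`; then `sonar_analyse .` from the project root runs the same `mvn sonar:sonar` the post describes, after checking that no server or credential property has crept into the committed `pom.xml`.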
My Final Thoughts
- If the project is very small with a short-term scope (e.g. the implementation phase is limited to 2-3 months and there are fewer than 5 team members), then developers may use any of the known static code analyzer tools for code review (just by installing a plugin in Eclipse), such as PMD, FindBugs, CodePro AnalytiX, etc. Otherwise it is worth investing in a SonarQube server setup as part of the project tooling and engaging all stakeholders to control the overall code quality of the software architecture and development over time.
- Sometimes such tools are introduced into projects when more than 50% of the development is already complete, but that may carry the penalty of high refactoring effort to improve code quality. Hence I highly recommend introducing SonarQube at team level in the early phase of the development cycle, and managers/architects should inspect the quality reports continuously to ensure high quality standards for the software.
- If you are a manager or architect, you can use its browser based UI to explore the numerous reports available in SonarQube. If you are a developer, you should check the source code quality before pushing it to the SCM: either directly in Eclipse or IntelliJ, or by running an analysis with the Issues Report plugin.
- Ready to improve quality using SonarQube? --- (1) Set up the SonarQube server and install additional plugins as applicable. (2) Configure your chosen source code analysis strategy and run an analysis. (3) Refer to the user guide to learn how to browse SonarQube, customize dashboards and interpret reports. Take the necessary actions to improve software code quality so that it meets the accredited quality standards.
Disclaimer
I don't aim to exploit the code of any open source project or sample application while I share my evaluation feedback on a given tool using selected publicly available code. Also, I am not biased toward particular free or commercial tools; rather, my objective is to share my own experience with a set of tools.
Also Read
- http://www.sonarqube.org/screencasts2/installation-of-sonar/
- http://eclipse.dzone.com/articles/static-code-analysis-and
- http://www.kodelog.com/coding-custom-sonarqube-plugin/