I’m currently playing around with SonarQube, an open source platform for continuous inspection of code quality, and so far I’ve discovered that it is a lot more interesting than I thought it would be. Therefore, I’ve decided to share my initial findings.
What is SonarQube?
Probably the easiest way to understand what SonarQube is, is by comparing it with something you already know. In many ways it is similar to tools like ReSharper, CodeRush or FxCop (all tools for static code analysis). However, when using SonarQube, the analysis is part of your ALM process and comes with rich reporting capabilities. This way, you can manage code quality at a global level.
In addition, this also allows the introduction of Quality Gates and Remediation Policies (clean up code as you go). The last part is important because you don’t want to start with a large list of issues. Fortunately, it’s not very difficult to include all existing issues within a project baseline and only show inconsistencies within new code.
I don’t want to rehash everything I’ve read, so I have included the resources I found helpful in the Helpful resources section below. Really though, the best way to understand what this platform has to offer is by analyzing your own code.
How to get started with SonarQube
Setting up a non-production instance is simple. Just follow the steps covered in the Get Started in Two Minutes guide.
Note: This guide is only meant to give a quick impression, which is also made visible within the management portal.
When installing SonarQube, keep the following in mind:
- You have Java installed (Oracle JRE 8 onwards or OpenJDK 8 onwards) on your machine.
- You select a matching windows-x86-xx version based on your OS and Java JRE/JDK.
- You must be able to read and write within the SonarQube directory.
- The files located in x:\sonarqube\temp might be locked by other Java processes. This might happen when something went wrong when starting the wrapper. In this case, just kill the Java processes using Task Manager or PowerShell.
To analyze .Net based projects, you are required to install the Scanner for MSBuild. You can find all the details here: Analyzing with SonarQube Scanner for MSBuild.
The C# plugin that is included by default might be outdated. Therefore, I suggest installing the latest version. You can find more information and a download link right here: C# Plugin
SonarLint for Visual Studio
SonarLint is a Visual Studio 2015 extension that provides on-the-fly feedback to developers on new bugs and quality for your .Net code. I highly recommend reading up on the details found on http://www.sonarlint.org/visualstudio/. Just keep in mind that using SonarLint will require a full installation of SonarQube.
Helpful resources
Microsoft ALM – The link below redirects you to the latest information regarding the collaborative effort between SonarSource and Microsoft (MSBuild & VSTS/TFS integration).
Beyond the Basics of SonarQube – One of the best in-depth talks I’ve seen so far! Don’t let the title mislead you. The content is very accessible and easy to grasp.
Understand and Prevent Technical Debt – If you still aren’t convinced that using a static code analysis tool is a good idea, then I would definitely recommend watching the following session from start to finish. The video covers why projects have technical debt and how to deal with it. A deep dive into SonarQube starts at 24:15. The talk finishes with some interesting TFS/.Net integration scenarios (41:40).
Quickstart: Analyzing .NET projects with SonarQube – The following blog post covers the usage of SonarQube in conjunction with .Net based projects in great detail. However, it might be a bit daunting for beginners. Regardless of this, I still recommend glancing over its content. Doing so will give you a better idea of how SonarQube can be integrated within your existing processes.
Manage your technical debt with TFS – The following Channel 9 Video shows what a typical Visual Studio and TFS integration looks like. You can skip the first three minutes without missing out on anything important. The interesting part for me was seeing how you can manage technical debt by creating a baseline.
Note: This is an introduction to the MVA course Enabling DevOps Practices with Visual Studio Team Services Build.