Tuesday, November 30, 2021

Fix Issues in Your Code Before Going to Production in Minutes with SonarQube

Carlos Rodríguez and Raquel Campuzano co-wrote this blog post

SonarQube is an open-source code analyser designed for analysing and measuring the technical quality of code. This is particularly useful to avoid the need of fixing issues when your applications are already running in production environments. With SonarQube you can keep your code clean and prevent future vulnerabilities from the earliest stages of development to production.  

It combines static and dynamic analysis tools to monitor the following: 

  • Duplicated code 
  • Compliance with coding standards 
  • Unit tests 
  • Complex code 
  • Potential bugs 
  • Comments and design 
  • Code architecture 

SonarQube is used for major programming languages such as C/C++, JavaScript, Java, C#, PHP, or Python, amongst others. Often, applications use several programming languages simultaneously, for example, a combination of Java, JavaScript, and HTML. SonarQube automatically detects these languages and invokes the corresponding analyzers. 

Sonarqube was available in the Bitnami Application Catalog for its local deployment or in the cloud, and now, you can also deploy it on your Kubernetes cluster as a Helm chart.  

Keep reading to learn how to install it in your cluster to start analysing your code in minutes.  

How to Install the SonarQube Helm chart in your Kubernetes Cluster 

Having SonarQube running in your cluster is as easy as executing a couple of commands.  

First, install the Bitnami Helm charts repository by executing the following: 

helm repo add bitnami https://charts.bitnami.com/bitnami 

Once the repo is installed in your chart, run the command below to finish the installation of the SonarQube Helm chart:   

helm install my-release bitnami/sonarqube 

Remember that “my-release” is a placeholder, you can replace it with an identifiable name for your release.  

Once the deployment completes, refer to the output to obtain the SonarQube URL and credentials.  

To start using SonarQube, execute the corresponding command to get the URL. Then, open a browser and enter the IP address you have obtained. You will see the login screen: 

Enter the username “user” and the password obtained by running the command shown in the deployment notes. 

That’s all! Now you can start analysing your code! In the following sections, you will find a sample JavaScript code and some examples of how to use SonarQube to detect bugs, vulnerabilities, and errors in your code and how to clean up your code to make it safe for production environments.  

Playing with SonarQube  

In this GitHub project, you’ll find an example of code written in JavaScript. The goal: to show you how to incorporate SonarQube into your development workflow. The repository contains two main folders (sources and tests) so, in this way, you can know the percentage of our code that is being covered by the tests. 

This project also includes a sonar-project.properties file where there are some configuration parameters needed to configure SonarQube like username, password, language, etc. 

First, run the scanner inside the project folder, that way the first scanner is launched and you can check the results in the web interface. 

sonar-scanner 


As you can see in the above screenshot, the current code has zero bugs, zero vulnerabilities and six code "smells". 

Modify the source code in order to introduce one bug and one vulnerability. This time it is intentional, but in daily work problems like this can arise without you realizing. 

Run the scanner again:

sonar-scanner 

As expected, a new bug and vulnerability appear. Check the analysis again to see the changes we made: 


A new section appears on the right-hand side of the screen (highlighted in yellow). SonarQube handles two states: the current state (in white) and the latest changes. 

As you can see in the screenshot, the changes introduced in the last scan have added one bug and one vulnerability. SonarQube evaluates the quality of each section with a score based on different parameters, A being the best state. In this case, introducing the bug has caused the “Bugs” section to pass from A to C and the “Vulnerabilities” section from A to B. 

You can set the “Leak Period” to determine how you want to make the comparison: by time or between each scanner execution. 

Let’s see in detail the "Coverage" section: 38.1% is the global test coverage (as you can see in the GitHub repository, I have tests for some files, but not for all of them). In the yellow section, you can see the coverage for the newly added lines. Previously, we introduced some new lines in order to add errors but we didn’t create any test for these new lines, so the new test coverage is 0%. Also, by clicking on Coverage, you can see more information about the coverage, for example, coverage by file, number of covered lines, etc. 


With this quick and simple analysis (you only have to execute one command) you will be able to prevent errors like these arising in production environments, keeping the code safe and complying with best practice and quality standards. In the following iterations we will work towards the goal of zero bugs, vulnerabilities, and code "smells". We might also work on getting 100% of our code covered by the tests. 

Once we have my code in this state, it is very simple to see if the changes made have introduced some kind of error or bad practice. 

How to squeeze SonarQube 

As you saw in the previous section, it is quite simple to keep your code in good health. But, there is more to discover. SonarQube has a lot of cool integrations. 

Analysis Methods

You can choose between the following analysis methods: 
  • SonarQube scanner for MSBuild: Launch analysis of .Net projects 
  • SonarQube scanner for Maven: Launch analysis from Maven with minimal configuration 
  • SonarQube scanner for Gradle: Launch Gradle analysis 
  • SonarQube scanner for Ant: Launch analysis from Ant 
  • SonarQube scanner for Jenkins: Launch analysis from Jenkins 
  • SonarQube scanner: Launch analysis from the command line when none of the other analyzers is appropriate 

Plugins

In addition, SonarQube has an Update Center with a variety of plugins organized into different categories, some useful plugins are: 
  • Code Analyzers 
    • SonarCFamily C/C++ 
    • SonarPHP 
    • SonarJS 
    • SonarWeb 
    • SonarJava 
    • CSS 
  • Integration
    • GitHub Plugin: Analyzes pull requests, and points out the issues as comments.
    • Google Analytics: Adds the Google Analytics tracking script to the SonarQube web application.
    • SCM Engines 
    • Mercurial: Adds support for Mercurial. 
    • Git: Adds support for Git. 
    • SVN: Adds support for Subversion. 
  • Authentication & Authorization
    • GitHub Authentication: Enables user authentication and Single Sign-On via GitHub. 
    • GitLab Authentication: Enables user authentication and Single Sign-On via GitLab. 
    • Google Authentication: Enabled delegation of user authentication to Google. 
Happy (and safe) coding!