Development is not an easy job. It requires a lot of concentration. When it comes to writing a new piece of code, we are all beginners. Only change is that some of us have prior experience of writing code successfully so that those have some confidence in writing the code.
There are a lot of common developer errors. We cannot expect everyone to write perfect code. The idea is to reduce the coding errors gradually by making it a habit to avoid mistakes. Also you can be very familiar with coding patterns after some time such that even without running the code, you'll see the issues in the code.
Hence it is better to start using an analysis tool than to later spend more time fixing complicated issues.
Telzee.io development team started looking into code analysis tools and experimented with SonarQube before making it a permanent tool in our development process.
SonarQube is an open source tool for static code analysis which has become very popular recently. It is very easy to keep the code clean, simple and precise with SonarQube using the set of tools that it provides.
Static code analysis is the method of analysing code without executing it. Static code analysis tools do not need the application code to be run. Hence they will not point out runtime issues within the code.
SonarQube can be integrated into any deployment process in multiple ways.
This is how to set up your SonarQube service on an AWS Ec2 instance. We use SonarQube on a common instance across the development team at Telzee.io so every team member can see the code quality details.
1. First start an EC2 instance on AWS. (In this case we will proceed with a t2.medium instance with Ubuntu 20 running in it.)
2. Update the Ubuntu packages.
sudo apt-get update
sudo apt-get -y upgrade
3. Install PostgreSQL in the instance and start the service. This PostgreSQL service will be used by the SonarQube service to record internal data.
Update the Ubuntu repositories.
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'
wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -
Update PostgreSQL services.
sudo apt-get -y install postgresql postgresql-contrib
4. We have to create a user and assign ownership of the previously created database to that user.
First change the password for the default PostgreSQL user and switch to that user.
sudo passwd postgres
su - postgres
We have to create a new user for SonarQube.
createuser sonar
Switch to the PostgreSQL console. We have to set a password to the newly created 'sonar' user and assign a database for that user to use.
psql
ALTER USER sonar WITH ENCRYPTED password 'passsword';
CREATE DATABASE sonar OWNER sonar;
Exit from the PostgreSQL shell
\q
Switch back to the default 'sudo' user by exiting the current 'sonar' user.
exit
5. Download and configure the SonarQube as a service.
wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.5.tar.gz
sudo unzip sonarqube-9.5.zip -d /opt
sudo mv /opt/sonarqube-9.5 /opt/sonarqube
Assign administrator permissions to the SonarQube directory.
sudo chown -R administrator:administrator /opt/sonarqube/
We have to edit the /opt/sonarqube/conf/sonar.properties file and change multiple lines to make this work.
Edit following lines to allow SonarQube to connect to the PostgreSQL service.
sonar.jdbc.username=sonar
sonar.jdbc.password=password
Uncomment the following line.
sonar.jdbc.url=jdbc:postgresql://localhost/sonar
We have to tell SonarQube to run in the server mode.
sonar.web.javaAdditionalOpts=-server
Now you can start the SonarQube service by running the /opt/sonarqube/bin/linux-x86-64/sonar.sh script. We'll set this script as a service in the next steps.
bash /opt/sonarqube/bin/linux-x86-64/sonar.sh
6. We'll set SonarQube as a service now. SonarQube can be started directly using the startup script by editing the /etc/systemd/system/sonar.service file. We need to change its contents to the following.
[Unit]
Description=SonarQube service
After=syslog.target network.target
[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
User=root
Group=root
Restart=always
[Install]
WantedBy=multi-user.target
Start the SonarQube with the changes.
sudo systemctl start sonar
Enable SonarQube to be started at the system boot time.
sudo systemctl enable sonar
You will have access to this service in the local environment. We can make the service available to the incoming traffic of the instance. For this we'll make use of Nginx.
7. Install Nginx to route the incoming traffic to the SonarQube service.
Edit the Nginx configuration file, /etc/nginx/sites-enabled/sonarqube to configure traffic. (Assume that our SonarQube service runs on port 9000 and we need to open port 9090 for SonarQube.)
server{
listen 9090;
server_name sonarqube.developerinsider.co;
access_log /var/log/nginx/sonar.access.log;
error_log /var/log/nginx/sonar.error.log;
proxy_buffers 16 64k;
proxy_buffer_size 128k;
location / {
proxy_pass http://127.0.0.1:9000;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http; }}
Nginx service restart will apply the changes.
sudo service nginx restart
You will be able to use SonarQube on http://domain:9090 now.
Gitlab Integration
We can let our Gitlab project know if we want to use SonarQube code analysis. We need to define a new pipeline in our project's gitlab-ci.yml.
sonarqube-check:
stage: analyze
image:
name: sonarsource/sonar-scanner-cli:latest
entrypoint: [""]
variables:
SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
cache:
key: "${CI_JOB_NAME}"
paths: - .sonar/cache script: - sonar-scanner
allow_failure: true
only: - dev_branch
Above configuration will run SonarQube scan every time new changes are pushed to the dev_branch of the project. We can also configure this pipeline to run only when tags are created, periodically, etc.
Go into the SonarQube dashboard and see what failed. It will indicate to you multiple things.
As the development team of Telzee.io started using this we were able to mitigate most of the common code smells and avoid them. There are multiple benefits of a code quality analysis tool for a company.
Maintaining code quality is a crucial segment of software development. Adding a code quality analysis tool into the development process is a proven way of efficiently analysing the code quality in a project. Being open source and simple to use, SonarQube is the one of the best solutions that a team can utilise.