Imagine a chef baking a cake with the finest ingredients in the world. At several instances during the baking process they would like to check for consistency, color, taste, etc. to make sure the cake when served will be perfect.
As a development team builds software, it wants to know that it is not introducing bugs, unreliable code or untested code that would leave the delivered software unmaintainable, sloppy and full of security vulnerabilities. Enter SonarQube!
SonarQube is a free and open source "code quality platform". It gives you a moment-in-time snapshot of your code quality and test coverage today, as well as trends in lagging (what has already gone wrong) and leading (what is likely to go wrong in the future) quality indicators.
From a developer's perspective, SonarQube covers everything from language-specific subtleties to thread safety and resource management: it can show you what you are getting wrong, or doing sub-optimally, and point you in the right direction for fixing it.
From a software architect’s standpoint, SonarQube is worth the time because it helps you keep an eye on whether your cleanly delineated initial design is being degraded over time with creeping dependency cycles. It can show you whether the internal coding rules are being followed, and it can help you spot rising complexity that needs to be refactored.
From a tester’s standpoint, SonarQube is worth attention because it will help you pinpoint the spots where automated testing is thin or nonexistent. It may also help target manual penetration and security testing.
Finally, from a management standpoint, SonarQube is worth the investment because it gives you metrics
How does it work?
1. Start by copying an existing quality profile and adjusting it, or
2. create a quality profile from scratch.
The rules that can be activated in a profile are presented in a search/search-result interface.
How can SonarQube get your numbers?
Usually the flow above is how your continuous integration build pipeline works: your continuous integration (CI) tool builds the code multiple times a day.
Once CI is set up, it is time to add SonarQube to the mix. Developers check in code; the CI job builds the code, runs the analysis and publishes the result to SonarQube. The job authenticates to the SonarQube server with an analysis token, which belongs in the CI tool's secret store, never in the repository. Immediately the team can see how their code is doing in terms of code quality and test coverage in SonarQube.
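The CI step described above, written out as an added example (this is not code from the page or from SonarSource). It assumes a sonar-project.properties file in the repository root, the server URL in the SONAR_HOST_URL variable, and the analysis token injected by the CI system as the secret SONAR_TOKEN, which current sonar-scanner releases read from the environment. The function names and the CI_SCAN_RUN guard are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the page): a CI step that runs the SonarQube
# scanner after the build and publishes the analysis to the server.
# Assumptions: sonar-project.properties in the repo root; SONAR_HOST_URL set;
# the token provided as the CI secret SONAR_TOKEN, which recent sonar-scanner
# versions pick up from the environment on their own.
set -eu

# The token must never be committed: refuse to scan if the properties file
# carries credentials (sonar.login, sonar.token or sonar.password).
check_no_committed_token() {
  props="$1"
  if [ -f "$props" ] && grep -Eq '^[[:space:]]*sonar\.(login|token|password)[[:space:]]*=' "$props"; then
    echo "refusing to scan: credentials found in $props, move them to a CI secret" >&2
    return 1
  fi
}

# The token is sent with every request to the server, so insist on https.
check_host_url() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing to scan: SONAR_HOST_URL must start with https://, got '$1'" >&2
       return 1 ;;
  esac
}

# Build the scanner command line. The token is deliberately absent: it
# travels via the SONAR_TOKEN environment variable rather than as
# -Dsonar.token=..., which would show up in 'ps' output and in the CI log.
build_scan_cmd() {
  host="$1"
  version="$2"
  printf 'sonar-scanner -Dsonar.host.url=%s -Dsonar.projectVersion=%s' "$host" "$version"
}

# The CI job step: validate, then run. The project version becomes the
# event label SonarQube attaches to this analysis snapshot.
run_ci_scan() {
  props="${1:-sonar-project.properties}"
  : "${SONAR_TOKEN:?SONAR_TOKEN must be provided as a CI secret}"
  : "${SONAR_HOST_URL:?SONAR_HOST_URL must be set}"
  check_no_committed_token "$props"
  check_host_url "$SONAR_HOST_URL"
  version="${PROJECT_VERSION:-$(git rev-parse --short HEAD 2>/dev/null || echo unknown)}"
  cmd="$(build_scan_cmd "$SONAR_HOST_URL" "$version")"
  echo "+ $cmd"        # safe to log: the command line carries no secret
  $cmd
}

# Run only when invoked as the CI step (CI_SCAN_RUN=1), not when sourced.
if [ "${CI_SCAN_RUN:-0}" = "1" ]; then
  run_ci_scan "$@"
fi
```

In the CI job the step is invoked as `CI_SCAN_RUN=1 ./sonar-ci.sh` after the build and test stages have produced the coverage reports that sonar-project.properties points to; the two checks run before the scanner does, so a token accidentally committed to the properties file or a plain-http server URL fails the job instead of leaking the credential.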
What are the numbers telling you?
SonarQube’s default dashboard
Metrics to pay attention to:
1. Size: Shows how many lines of code, methods, classes and packages were found during analysis
2. Events: Provides a quick list of events recorded for the project. This includes the project version string that you pass to the analysis. Events flag the analysis snapshot for long term retention and comparison.
3. Description: Shows basic data about your project and its last analysis
4. Seven axes of quality: Shows code analysis details
a. Potential bugs and complexity:
c. Comments and duplications:
d. Architecture and design:
How does At a glance amplify the effect of these numbers?
The At a glance Jira Cloud plugin brings metrics from Jira (project management), Bitbucket (SCM), Bitbucket Pipelines (CI) and SonarQube together in one dashboard.
The At a glance dashboard makes it possible for teams to see the impact of their code changes across all of these tools at a single glance, so they can inspect and adapt their work.
At a glance is available as a plugin for Jira Cloud and can be downloaded from https://marketplace.atlassian.com/apps/1217549/at-a-glance-devops-dashboard-for-jira?hosting=cloud&tab=overview
- SonarQube in Action by G. Ann Campbell and Patroklos P. Papapetrou (Manning)