5 Steps to Integrate Maven with SonarQube for Effective Quality Assurance
Overview
It has been statistically proven that, as software developers, we spend 80% of our time reading code and only 20% of our time writing it. So it's important that during that 20% of our time, we write code that will make our lives easier during the 80% of the time we have to maintain it. So you'll be hearing more and more about clean code.
The term clean code can have several definitions depending on the author, but the one that comes up most often is the following: Clean Code is code that's easy to read, maintain, understand and change through structure and consistency yet remains robust and secure to withstand performance demands.
So you guessed it, in this article, we will be talking about Clean Code. We'll be looking at one of the most popular tools on the market on the subject, SonarQube. We'll look at integrating SonarQube into a Maven project to generate code quality metrics. Ready to explore further? Let's get started!
Version Check
This tutorial has been tested with the following tools :
- Java 8
- Maven 3.8.6
- SonarQube Community 10.1.0.73491
Step 1: Create a Maven Project
We're not going to create a whole new project. Instead, we'll use the project from a previous article on Jacoco. You can find the full code for that article on GitHub.
Step 2: Set up SonarQube server locally
This tutorial assumes that you already have a local installation of SonarQube. If this is not the case, please follow this guide.
Step 3: Configure your project in SonarQube
Once you have a SonarQube instance up and running, connect to it to configure your project.
The SonarQube dashboard will look like this:
Click on "Create a project" in the top right-hand corner, then select "Manually" in the following window as follows:
Fill in the next screen as follows and click "next":
.
In the next screen, select "Use the global setting" and then "Create project" :
.
Next, you'll have to specify how you want to analyze your repository. Different options are possible: Local, Jenkins, GitHub Actions, etc. For this demo project, we will analyze a local repository. So select "Locally".
In the next screen, you'll generate a token to analyze your project. You can adjust the validity of your token as you wish. Click "generate" once you're done.
.
Once the token is generated, you can save it in a safe location and click "Continue".
.
The final step is to select your build tool, i.e. Maven. Then copy the scanner command to be executed in your project directory.
Step 4: Run the Sonar Scanner in your project
Open a terminal and navigate to the root directory of your project. Then execute the scanner command as shown below :
After a few seconds, depending on your project size, you'll have an output like this :
Step 5: View your project report in SonarQube
Moving back to your Sonar Dashboard, you'll see the analysis report.
.
This screen gives you an overview of the quality of your code. The metrics are grouped into several categories: Reliability, Security, Security review, Coverage, Maintainability, and Duplications. In the next article, we'll take a look at each of these categories and see how to correct some of the vulnerabilities.
Conclusion
In this article, we look at integrating SonarQube into a Maven project to perform static code analysis. If you would like to use the SonarQube tool in more depth, please consult the official documentation.
In a future article, we'll look at how to automatically launch a Sonar analysis from a continuous integration pipeline, using a tool like Jenkins.
Did you find this blog post useful? Feel free to drop a thumbs up or comment.
Happy Coding! And more importantly, Clean as You Code!
Originally Published at nkamphoa.com
