Use SonarQube for Code Inspection


SonarQube is a great code inspection tool for code quality and code security. It provides a Docker image for easy setup of the server and a Maven plugin for running the inspection.

Install and Setup SonarQube

  1. Install SonarQube from the Docker image.

     docker run -d --name sonarqube \
     -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true \
     -p 9000:9000 sonarqube:latest

    • SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true skips the Elasticsearch bootstrap checks (for example the vm.max_map_count limit); this is fine for a local test instance but not for a server other people rely on.
    • To restart:
    docker restart sonarqube
  2. Once the instance is up and running, log in to http://localhost:9000 with the default System Administrator credentials:

     login: admin
     password: admin
    
    • Change the password on first login when prompted.
  3. Generate a token.

    i. From the menu at the top right corner, click "My Account".

    [Screenshot: SonarQube-MyAccount.png]

    ii. Select the "Security" tab.

    [Screenshot: SonarQube-GenerateToken.png]

    iii. In the "Tokens" section, enter a token name and click the "Generate" button. Copy the token now; it is shown only once.

    [Screenshot: SonarQube-TokenGenerated.png]

Run code inspection using Maven plugin

  1. Add the Maven plugin to pom.xml.

     <build>
         <pluginManagement>
             <plugins>
                 <plugin>
                     <groupId>org.sonarsource.scanner.maven</groupId>
                     <artifactId>sonar-maven-plugin</artifactId>
                     <version>3.9.1.2184</version>
                 </plugin>
             </plugins>
         </pluginManagement>
     </build>
    
  2. Run the analysis with the following commands (the token below is the one generated in the previous section; keep it out of pom.xml and version control):

     export PROJECT_KEY=hello-world
     export SONAR_URL=http://localhost:9000
     export SONAR_TOKEN=74747088e1eb4cb74efd2495f351b5125214b74e
    
     mvn clean verify sonar:sonar \
         -Dsonar.projectKey=$PROJECT_KEY \
         -Dsonar.host.url=$SONAR_URL \
         -Dsonar.login=$SONAR_TOKEN
    
  3. Check the result via the admin console.

    [Screenshot: SonarQubeResults.png]
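The two sections above, tied together as a small wrapper script. This is an added example, not code from the original post: it polls the SonarQube web API's standard `api/system/status` endpoint until the container from step 1 reports UP, refuses to run when SONAR_TOKEN is missing from the environment (so the token never ends up hard-coded), and then launches the same Maven command as step 2. It assumes curl and mvn are on PATH and that SONAR_URL, SONAR_TOKEN and PROJECT_KEY are exported as shown in step 2.

```shell
#!/bin/sh
# Added example (not from the original post). Waits for the SonarQube
# container from step 1 to report status UP, then runs the Maven analysis
# from step 2 with the token taken from the environment. Assumes curl and
# mvn on PATH and SONAR_URL / SONAR_TOKEN / PROJECT_KEY exported as in step 2.

# Return 0 when a body from GET <server>/api/system/status reports "UP".
sonar_status_ok() {
    case "$1" in
        *'"status":"UP"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll the status endpoint until it is UP, or fail after $2 attempts (2 s apart).
wait_for_sonar() {
    url="$1"; attempts="${2:-30}"; i=0
    while [ "$i" -lt "$attempts" ]; do
        body="$(curl -fsS "$url/api/system/status" 2>/dev/null || true)"
        if sonar_status_ok "$body"; then return 0; fi
        i=$((i + 1)); sleep 2
    done
    echo "SonarQube at $url is not UP after $attempts attempts" >&2
    return 1
}

# Print the scanner properties, one per line, built from the environment.
# Fails if SONAR_TOKEN is unset, so the token is never hard-coded in a file.
scanner_args() {
    [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
    printf '%s\n' \
        "-Dsonar.projectKey=${PROJECT_KEY:-hello-world}" \
        "-Dsonar.host.url=${SONAR_URL:-http://localhost:9000}" \
        "-Dsonar.login=$SONAR_TOKEN"
}

# Full flow: validate the environment, wait for the server, run the scan.
run_scan() {
    args="$(scanner_args)" || return 1
    wait_for_sonar "${SONAR_URL:-http://localhost:9000}" || return 1
    # Unquoted on purpose: the properties contain no whitespace.
    mvn clean verify sonar:sonar $args
}

# Only start a real scan when explicitly asked, so the file can also be sourced.
if [ "${RUN_SONAR_SCAN:-0}" = "1" ]; then
    run_scan
fi
```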