SonarQube installation, deployment and integration with Jenkins


In previous projects I worked on, I used SonarQube as a code quality analysis tool, and at the project acceptance stage I could export a code quality analysis report according to the customer's needs. Based on this background, I studied various online materials, sorted them out and built the setup in practice. SonarQube combined with the Jenkins automatic build tool fully automates building a Spring Boot project and analysing its code; this is recorded here for later in-depth study and use and as a reference for others. There are inevitably omissions in the article, and corrections from readers are greatly appreciated!

1. Basic introduction

SonarQube is an open source tool for code quality management. It is a static code inspection tool with a B/S (browser/server) architecture. It is mainly used to manage the quality of source code and supports many languages, such as PHP, Java, C#, Go, C/C++, Cobol, JavaScript and Groovy. Sonar can check your code through rule engines such as PMD, Checkstyle and FindBugs to help you find vulnerabilities, bugs, code smells and other issues.

Sonar is a static code quality analysis tool that supports more than 25 languages, such as Java, Python, PHP, JavaScript and CSS, and can be integrated with IDEs, Jenkins, Git and other services, so that you can view code quality analysis reports at any time.

SonarQube is an open source code analysis platform used to continuously analyse and evaluate the quality of project source code. Through SonarQube we can detect duplicated code, potential bugs, coding-standard violations, security vulnerabilities and other issues in the project, and display them in the SonarQube web UI.

SonarQube features
1. Easy to install and works out of the box
2. Easy to configure: everything can be set through the provided web interface
3. Integrates cleanly with CI systems such as Jenkins
4. Rich set of scanning rules, customizable, and can integrate FindBugs, PMD, Checkstyle and other plug-ins
5. Broad format support: can scan Java, JS, XML, JSP and other file types
6. Rich statistical functions
7. Supports workflows such as processing and assigning violations
8. Violations can be confirmed; a violation marked as a false positive is no longer counted once confirmed
9. Supports scanning from Maven, Ant and the command line

2. Architecture principle

The SonarQube framework consists of the following four parts:
Project
SonarQube Scanner
SonarQube Server
SonarQube Database

1) Project
The source code to be analysed, for example the source of our Java project.

2) SonarQube Scanner
The tool that performs the code analysis. It runs in the root directory of the Project, where a SonarQube configuration also has to be provided that specifies the project's details and the address of the SonarQube Server. When the scan is complete, SonarQube Scanner reports the result to the Server.

3) SonarQube Server
The web server that displays the analysis results. The first time SonarQube Scanner reports a project's results to the SonarQube Server, a project is created automatically on the Server to display them. Code quality management is also configured on the Server, for example the code inspection rules (Rules) and the quality threshold (Quality Gate).

4) SonarQube Database
Stores the analysis results that the Server receives (see the process in section 3).

3. Code analysis process

1) The development tool (SonarLint) analyses code in real time.
2) Code is pushed to a repository (git, svn, etc.).
3) The continuous integration service (Jenkins) runs the SonarQube scanner to analyse the code.
4) The code analysis report is sent to the SonarQube server.
5) The SonarQube server stores the analysis results in the SonarQube database.
6) The SonarQube server UI displays the code problems, and developers manage and deal with them.
7) The SonarQube server provides code analysis reports.

4. Installation and configuration

4.1 Prerequisites

1) Install and configure a JDK; JDK 8 is used here.
2) Install the MySQL database; MySQL 5.7 is used here.
3) Install SonarQube 7.0. Newer versions require JDK 11 or above, so version 7.0 is used to match JDK 8:
https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.0.zip
4) The installation is done on a local Windows machine (my computer resources are limited, so Windows is used for now).

4.2 Installation steps

1) After downloading SonarQube, unzip it, open the bin directory and run StartSonar from the sub-directory matching your OS. This article uses 64-bit Windows, so run D:\sonarqube-7.0\bin\windows-x86-64\StartSonar.bat

2) Open a browser and visit http://localhost:9000. If the SonarQube start page appears, the installation succeeded.
3) Adjust the configuration
(1) Configure the database
Create a new database named sonar in MySQL.

(2) Modify the configuration file
conf/sonar.properties

sonar.jdbc.url=jdbc:mysql://192.168.109.13306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance
sonar.jdbc.username=root
sonar.jdbc.password=123456
sonar.sourceEncoding=UTF-8
sonar.login=admin
sonar.password=admin

sonar.jdbc.url is the JDBC connection address of the MySQL server (host:port/database),
sonar.jdbc.username is the database user name,
sonar.jdbc.password is the database password,
sonar.login is the SonarQube login name,
sonar.password is the SonarQube password (admin/admin is the factory default, so change it after the first login).
Restart the SonarQube service and visit http://localhost:9000 again. The first start after this change is a little slow because the database schema has to be initialized. Once it is up, the login page appears.

4.3 Install the Chinese language plug-in

(1) Installing the Chinese language pack through the plug-in manager
Follow the steps in the SonarQube plug-in manager (Administration > Marketplace), then restart SonarQube after the plug-in has been installed successfully.

(2) Downloading the Chinese language pack jar manually
When the Chinese plug-in offered there is not compatible with the installed SonarQube version, you can download the jar package that matches your version from https://github.com/xuhuisheng/sonar-l10n-zh, place it in the sonarqube/extensions/plugins directory and restart SonarQube.

4.4 Install the PDF report plug-in

Install the PDF report plug-in in the same way as in the previous section:
https://gitee.com/penny_pn/sonar-pdf-plugin
Then configure its username and password settings with the SonarQube username and password.

5. Configuring the SonarQube scanner in Jenkins

5.1 Install the SonarQube Scanner plug-in in Jenkins

5.2 Generate a token in SonarQube

In SonarQube open My Account > Security and generate a token.

5.3 Configure SonarQube servers and SonarQube Scanner in Jenkins

In the Jenkins system configuration, add a SonarQube server entry. For its credentials choose Secret text and paste the token generated in SonarQube into the Secret field. Then register the SonarQube Scanner installation under the global tool configuration.

5.4 Add a SonarQube Scanner step to the project build

Add an Execute SonarQube Scanner build step to the Jenkins job.

Most importantly, fill in the SonarQube analysis properties of that step:

# must be unique in a given SonarQube instance
sonar.projectKey=test-01
# this is the name displayed in the SonarQube UI
sonar.projectName=test-01
sonar.language=java
sonar.projectVersion=1.0
sonar.sourceEncoding=UTF-8

# In Jenkins, WORKSPACE is the job's working directory (by default under ~/.jenkins), normally the checked-out source tree
# sonar.sources: comma-separated list of directories containing the main source files.
# Read from the build system for Maven, Gradle and MSBuild projects; defaults to the project base directory when not set.
sonar.sources=$WORKSPACE
sonar.java.binaries=$WORKSPACE

Of these, sonar.sources and sonar.java.binaries are the most important properties: the first tells the scanner where the source files are, the second where the compiled classes are.

5.5 Executing the project build

After the Jenkins configuration is complete, build the project. Once the build succeeds, the SonarQube analysis of the project code can be viewed on the SonarQube server.
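Viewing the results after the build is one option; a Jenkins step can also fail the build when the Quality Gate from section 2 is not met. The following is an added example, not code from the post or from SonarSource: it reads the report-task.txt that sonar-scanner leaves in the workspace, polls the server's api/ce/task endpoint until the analysis has been processed, then queries api/qualitygates/project_status. The token from section 5.2 is passed to make_fetcher; the canned responses and ids are constructed placeholders.

```python
import base64
import json
import time
import urllib.request

def parse_report_task(text):
    """Read .scannerwork/report-task.txt, the key=value file sonar-scanner writes."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def make_fetcher(token):
    """GET a web-API URL as JSON; SonarQube takes the token as the basic-auth user name."""
    auth = base64.b64encode(f"{token}:".encode()).decode()
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def wait_for_analysis(report, fetch, poll_seconds=5, max_polls=60):
    """Poll api/ce/task until the server-side task finishes; return its analysisId."""
    url = f"{report['serverUrl']}/api/ce/task?id={report['ceTaskId']}"
    for _ in range(max_polls):
        task = fetch(url)["task"]
        if task["status"] == "SUCCESS":
            return task["analysisId"]
        if task["status"] in ("FAILED", "CANCELED"):
            raise RuntimeError(f"analysis task ended with status {task['status']}")
        time.sleep(poll_seconds)  # still PENDING or IN_PROGRESS
    raise TimeoutError("analysis did not finish in time")

def quality_gate_passed(report, fetch, **poll):
    """Return (passed, [metric keys of the failed conditions]) for the analysis."""
    analysis_id = wait_for_analysis(report, fetch, **poll)
    url = f"{report['serverUrl']}/api/qualitygates/project_status?analysisId={analysis_id}"
    status = fetch(url)["projectStatus"]
    failed = [c["metricKey"] for c in status.get("conditions", []) if c["status"] == "ERROR"]
    return status["status"] == "OK", failed

# Constructed sample standing in for a live server: the task is still queued on the
# first poll, then the gate fails on new-code coverage (placeholder ids, not real ones).
SAMPLE_REPORT = "projectKey=test-01\nserverUrl=http://localhost:9000\nceTaskId=TASK-ID-PLACEHOLDER\n"
SAMPLE_RESPONSES = [
    {"task": {"status": "PENDING"}},
    {"task": {"status": "SUCCESS", "analysisId": "ANALYSIS-ID-PLACEHOLDER"}},
    {"projectStatus": {"status": "ERROR", "conditions": [
        {"metricKey": "new_coverage", "status": "ERROR", "errorThreshold": "80", "actualValue": "40.0"},
        {"metricKey": "new_bugs", "status": "OK", "errorThreshold": "0", "actualValue": "0"}]}}]

def run_sample():
    """Drive the check against the canned responses; a Jenkins step would exit 1 on False."""
    responses = iter(SAMPLE_RESPONSES)
    return quality_gate_passed(parse_report_task(SAMPLE_REPORT), lambda _url: next(responses), poll_seconds=0)
```

In a real job, replace the lambda with make_fetcher(token) and exit non-zero when the first element of the result is False so that Jenkins marks the build as failed.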

6. Code quality analysis and analysis report download

The project page shows the overview, issues, measures and so on; open an issue to view its details.
The PDF report plug-in installed in section 4.4 adds a download of the analysis report.


Origin blog.csdn.net/shy871/article/details/117850985