SonarQube installation and use

Introduction

SonarQube is an open source platform for managing code quality. It is a static code analysis tool with a browser/server (B/S) architecture, used mainly to manage the quality of source code, and it supports many languages, such as PHP, Java, C#, Go, C/C++, COBOL, JavaScript and Groovy. Sonar runs rule engines such as PMD, CheckStyle and FindBugs over your code and helps you find vulnerabilities, bugs, code smells and similar problems.

Code quality can be detected from seven dimensions:

1) Complexity: code that is too complex is hard to understand and maintain.

2) Duplications: large amounts of copy-pasted code bloat a program. Sonar shows where serious duplication occurs in the source.

3) Unit tests: unit test coverage is collected and displayed, so developers and testers can see clearly how much of the code is covered by tests.

4) Coding rules: checks whether the code follows coding standards, using FindBugs, PMD, CheckStyle and similar engines.

5) Comments: too few comments make the code hard for others to take over, especially after staff changes; too many make it hard to read.

6) Potential bugs: detects likely defects using FindBugs, PMD, CheckStyle, etc.

7) Architecture & design: finds dependency cycles, shows dependencies between packages and classes, and checks the coupling between components.

Architecture

The SonarQube platform consists of 4 components:

1) A SonarQube server starts 3 main processes:

  • Web Server, used by developers and administrators to browse quality snapshots and configure the SonarQube instance

  • Search Server, based on Elasticsearch, which backs searches from the UI

  • Compute Engine Server, which processes the code analysis reports and saves them in the SonarQube database

2) A SonarQube database for storage:

  • Configuration of the SonarQube instance (security, plugin settings, etc.)
  • Quality snapshots of projects, views, etc.

3) Multiple SonarQube plug-ins are installed on the server, including language, SCM, integration, authentication, etc.

4) Run one or more SonarScanners on your build/continuous integration server to analyze the project

Integration

1) Developers write code in their IDE and run local analysis with SonarLint.

2) Developers push code to a source repository such as Git.

3) A continuous integration server such as Jenkins checks out the code and runs sonar-scanner to analyze it.

4) The analysis report is sent to the SonarQube server for processing.

5) SonarQube Server processes and stores the analysis report results in the SonarQube database, and displays the results in the UI.

6) Developers review, comment, and challenge their issues through the SonarQube UI to manage and reduce their technical debt.

7) The Web API can be used to automate configuration and to extract data from SonarQube.

Install sonar

The version installed in this article is SonarQube 7.6. The newest version at the time of writing (July 27, 2021 10:29:21) is SonarQube 9.0. On April 10, 2019 SonarSource announced that, starting with 7.9, SonarQube would no longer support MySQL, so a newer installation needs one of the other supported databases instead of the MySQL setup used here.

Environment used in this article:

1) SonarQube 7.6

2) Java 1.8

3) MySQL 5.6

For installation on CentOS 6.9, refer to the blog post linked in the original article.

After installation, open the SonarQube URL in a browser:

Install sonar-scanner

This article uses sonar-scanner (the SonarScanner CLI) for code analysis.

  1. Download the package for your platform; this article uses the Linux build as the example.

  2. Upload the sonar-scanner-cli-4.6.2.2472-linux.zip file to the virtual machine or server.

  3. Unzip it:

     `unzip sonar-scanner-cli-4.6.2.2472-linux.zip`
  4. Add sonar-scanner-4.6.2.2472-linux/bin to the PATH:

    • vim /etc/profile
        # sonar-scanner configuration
        SONAR_RUNNER_HOME=/opt/sonar-scanner-4.6.2.2472-linux
        PATH=$SONAR_RUNNER_HOME/bin:$PATH
        export  SONAR_RUNNER_HOME
        export  PATH
    • source /etc/profile
    • sonar-scanner -h to check that the scanner is now on the PATH:
        INFO: 
        INFO: usage: sonar-scanner [options]
        INFO: 
        INFO: Options:
        INFO:  -D,--define <arg>     Define property
        INFO:  -h,--help             Display help information
        INFO:  -v,--version          Display version information
        INFO:  -X,--debug            Produce execution debug output
  5. Edit the scanner configuration file in sonar-scanner-4.6.2.2472-linux/conf:

    • vim sonar-scanner.properties

        #Configure here general information about the environment, such as SonarQube server connection details for example
        #No information about specific project should appear here
      
        #----- Default SonarQube server
        sonar.host.url=http://127.0.0.1:10005
      
        #----- Default source code encoding
        sonar.sourceEncoding=UTF-8

        # Database settings from the original article. Since SonarQube 5.2 the scanner
        # no longer connects to the database (it only talks to the web server), so the
        # scanner ignores these lines. They are left commented out here because database
        # credentials do not belong on build machines.
        #sonar.jdbc.url=jdbc:mysql://127.0.0.1:3307/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance&useSSL=false
        #database user
        #sonar.jdbc.username=sonar
        #database password
        #sonar.jdbc.password=sonar

      This file holds general information about the environment, such as the SonarQube server connection details. Settings for specific projects should not be configured here. The original file also contained the misspelled key sonar.sorceEncoding, which the scanner silently ignores; the correct key is sonar.sourceEncoding, set above.

Analyzing code

Create a project in SonarQube

  1. Open the SonarQube web UI and create a project. The creation wizard generates a token for the project; this is the token sonar-scanner authenticates with.


    This article uses PHP for analysis

Analyze code using Sonar-scanner

  1. Change into the directory of the code project to be analyzed.

  2. Create the file sonar-project.properties in the project directory: touch sonar-project.properties

  3. vim sonar-project.properties

     # must be unique in a given SonarQube instance
     sonar.projectKey=test
    
     # --- optional properties ---
    
     # defaults to project key
     sonar.projectName=test
     # defaults to 'not provided'
     sonar.projectVersion=1.0
    
     # Path is relative to the sonar-project.properties file. Defaults to .
     # Several paths can be separated by commas
     sonar.sources=./app,./config
    
     # Encoding of the source code. Default is default system encoding
     sonar.sourceEncoding=UTF-8
     # Directories containing compiled Java classes. Only the Java analyzer uses it,
     # so it has no effect on this PHP project (the original author was unsure of its purpose)
     sonar.java.binaries=.
     # The token generated when the project was created in SonarQube
     sonar.login=6c8148e18e76fbc96e73354

    Keep in mind that sonar-project.properties normally lives in the repository next to the code, so a token written into it is committed and shared with everyone who can read the repository. It is safer to leave sonar.login out of the file and pass it at analysis time (sonar-scanner -Dsonar.login=<token>), and to revoke any token that has been committed (My Account -> Security).

    Key                       Description
    sonar.projectKey          The unique key of the project. Allowed characters are letters, digits, -, _, . and :, with at least one non-numeric character.
    sonar.sources             Directories to analyze; separate several paths with commas.
    sonar.projectName         The project name shown in the web interface.
    sonar.projectVersion      Project version.
    sonar.login               The login or authentication token of a SonarQube user with permission to run analysis on the project.
    sonar.password            The password that goes with a sonar.login username. Leave it blank when an authentication token is used.
    sonar.projectDescription  Project description.
    sonar.sourceEncoding      Encoding of the source files, for example UTF-8.

    Refer to the official documentation for the current list of parameters.

  4. Run sonar-scanner in the directory that contains sonar-project.properties.


  5. On the SonarQube web page you can now see a background task running for the test project. At this point sonar-scanner has uploaded the analysis report to the SonarQube server, and the server (Compute Engine) is processing it.


  6. After the background task is executed, you can view the code analysis results

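The steps above can be wrapped in a small script that a developer or CI job runs instead of typing sonar-scanner by hand. The Python below is an added example, not code from the article or from SonarSource: it parses sonar-project.properties, applies the sonar.projectKey rules from the table above, refuses to run when sonar.login, sonar.password or sonar.jdbc.password are stored in the file, and passes the token from the SONAR_TOKEN environment variable on the sonar-scanner command line instead. The sample properties text and the token value in it are constructed for the demonstration.

```python
import os
import re
import subprocess
import sys
from typing import Dict, List, Optional

# sonar.projectKey rule from the article: letters, digits, '-', '_', '.', ':',
# and at least one non-numeric character.
PROJECT_KEY_RE = re.compile(r"^[A-Za-z0-9._:-]+$")

# Properties that must never be committed together with the source tree.
SECRET_KEYS = ("sonar.login", "sonar.password", "sonar.jdbc.password")

# Constructed sample of the article's file with a token inside it (the value is made up).
SAMPLE_WITH_TOKEN = """\
# must be unique in a given SonarQube instance
sonar.projectKey=test
sonar.projectName=test
sonar.projectVersion=1.0
sonar.sources=./app,./config
sonar.sourceEncoding=UTF-8
sonar.login=0123456789abcdef0123456789abcdef01234567
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Parse the key=value subset of Java .properties syntax used by the scanner."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = re.match(r"^([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match is None:
            raise ValueError(f"malformed property line: {raw!r}")
        props[match.group(1)] = match.group(2).strip()
    return props


def valid_project_key(key: str) -> bool:
    """Apply the sonar.projectKey character rules."""
    return bool(PROJECT_KEY_RE.match(key)) and not key.isdigit()


def check_properties(props: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the file is acceptable."""
    problems: List[str] = []
    key = props.get("sonar.projectKey", "")
    if not valid_project_key(key):
        problems.append(f"invalid sonar.projectKey {key!r}")
    if "sonar.sources" not in props:
        problems.append("sonar.sources is missing")
    for secret in SECRET_KEYS:
        if secret in props:
            problems.append(f"{secret} is stored in the file; pass it on the command line instead")
    if "sonar.sorceEncoding" in props:  # misspelling from the article; the scanner ignores it
        problems.append("sonar.sorceEncoding is misspelled, use sonar.sourceEncoding")
    return problems


def build_command(props: Dict[str, str], token: Optional[str],
                  branch: Optional[str] = None) -> List[str]:
    """Build the sonar-scanner argv, taking the token from the caller (e.g. $SONAR_TOKEN)."""
    problems = check_properties(props)
    if problems:
        raise ValueError("; ".join(problems))
    if not token:
        raise ValueError("no token supplied (set SONAR_TOKEN)")
    cmd = ["sonar-scanner", f"-Dsonar.login={token}"]
    if branch:  # only meaningful with the branch plugin described later in the article
        cmd.append(f"-Dsonar.branch.name={branch}")
    return cmd


def main(argv: List[str]) -> int:
    path = argv[1] if len(argv) > 1 else "sonar-project.properties"
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    try:
        cmd = build_command(props, os.environ.get("SONAR_TOKEN"), os.environ.get("BRANCH"))
    except ValueError as err:
        print(f"refusing to run analysis: {err}", file=sys.stderr)
        return 2
    # Echo the command with the token masked, then run the scanner in this directory.
    print(" ".join("-Dsonar.login=***" if a.startswith("-Dsonar.login=") else a for a in cmd))
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the project directory with SONAR_TOKEN set (and BRANCH when the branch plugin is in use). The token is still visible in the process list while the scanner runs, so on a shared build agent rely on the CI system's secret handling rather than on other users of that host not looking at ps.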

Basic use of SonarQube

User Management

  1. Create group

    1. Configuration > Permissions > Groups (Administration > Security > Groups in the English UI) > Create button in the upper right corner


  2. Create user

    1. Configuration > Permissions > Users (Administration > Security > Users in the English UI) > Create button in the upper right corner


  3. Add user to PHP group


  4. Configure the PHP group's permissions on the test project

    • Projects -> test project -> Administration -> Permissions

      On the permissions page the project can be set to public or private, and the six project permissions listed below can be granted to the PHP group.
  5. The individual permissions

    • Browse: Access a project, browse its metrics, create and edit its issues.
    • See Source Code: View the project's source code. (The user also needs "Browse".)
    • Administer Issues: Perform advanced editing on issues: mark as false positive or won't fix, change the severity. (The user also needs "Browse".)
    • Administer Security Hotspots: Detect vulnerabilities from Security Hotspots; resolve, clear, mark as safe and reopen Security Hotspots. (The user also needs "Browse".)
    • Administer: Access the project settings and perform administration tasks. (The user also needs "Browse".)
    • Execute Analysis: Obtain all settings required to perform an analysis (including secured settings such as passwords) and push analysis results to the SonarQube server. Because it exposes secured settings, grant it only to the accounts that actually run scans, and give those accounts tokens rather than passwords.

Quality Profiles

A quality profile is the set of rules applied during analysis. Each language has a default profile, and projects that do not have another profile assigned use the default.

After installation there are three quality profiles for PHP: Drupal, PSR-2 and Sonar way.

Sonar way is the profile the system uses by default; it contains 111 rules.

Custom quality profiles

If the built-in profiles do not fit your situation, click the Create button in the upper right corner.

A new profile can be created by copying an existing quality profile or as an empty profile. A copy starts with exactly the rules of its parent, so when the goal is security analysis check that the Vulnerability and Security Hotspot rules for the language are actually active in the new profile.

  1. Permissions on the new profile can be granted to groups or individual users.
  2. The profile can be assigned to specific projects, which are then analyzed with its rules.
  3. More rules can be activated in the profile.

There are also some other basic settings for a profile.

Quality Gates

A quality gate is a set of threshold conditions on the analysis results. If a measure crosses its threshold, the project is flagged in the UI and, if notifications are enabled, an e-mail is sent.
The default quality gate is Sonar way; a project that does not have a gate assigned uses it.

Different quality gates can be created for different projects.

  1. Add conditions (metric, comparison and threshold) according to your requirements.
  2. Select the projects the gate applies to.

In the example the threshold for bugs is set to 10 and the analysis found 92, so the project's quality gate status is ERROR; a project that does not exceed any threshold has status OK.
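The gate verdict the article shows in the UI can also be enforced from the build, so that an analysis whose gate is ERROR fails the job instead of only colouring the dashboard. The Python below is an added example, not code from the article or from SonarSource. It reads the .scannerwork/report-task.txt file that sonar-scanner writes after uploading the report, waits for the Compute Engine task behind it to finish (the background task from the analysis section), then queries /api/qualitygates/project_status and re-evaluates each condition against its error threshold. The sample response and report-task.txt contents are constructed, with the bugs condition set to the article's values (threshold 10, actual 92); the server address and task id in them are placeholders.

```python
import base64
import json
import sys
import time
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

# Constructed response in the shape of GET /api/qualitygates/project_status,
# mirroring the article's case: bugs threshold 10, 92 bugs found.
SAMPLE_RESPONSE = json.dumps({"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "bugs", "comparator": "GT",
     "errorThreshold": "10", "actualValue": "92"},
    {"status": "OK", "metricKey": "vulnerabilities", "comparator": "GT",
     "errorThreshold": "0", "actualValue": "0"},
    {"status": "OK", "metricKey": "coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "85.5"},
]}})

# Constructed sample of .scannerwork/report-task.txt (server address and task id are placeholders).
SAMPLE_REPORT_TASK = """\
projectKey=test
serverUrl=http://127.0.0.1:10005
ceTaskId=AXexampleTaskId
ceTaskUrl=http://127.0.0.1:10005/api/ce/task?id=AXexampleTaskId
"""


def parse_report_task(text: str) -> Dict[str, str]:
    """Parse the key=value lines sonar-scanner writes to .scannerwork/report-task.txt."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    return result


def auth_header(token: str) -> str:
    """A SonarQube token is sent as HTTP Basic auth: token as user name, empty password."""
    return "Basic " + base64.b64encode(f"{token}:".encode()).decode()


def api_get(url: str, token: str) -> dict:
    """GET a Web API endpoint and decode the JSON body (needs a live server)."""
    req = urllib.request.Request(url, headers={"Authorization": auth_header(token)})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for_task(ce_task_url: str, token: str, attempts: int = 60, delay: float = 5.0) -> str:
    """Poll /api/ce/task until the background task reaches a final state."""
    for _ in range(attempts):
        state = api_get(ce_task_url, token)["task"]["status"]
        if state in ("SUCCESS", "FAILED", "CANCELED"):
            return state
        time.sleep(delay)
    return "TIMEOUT"


def condition_failed(cond: Dict[str, str]) -> bool:
    """Re-evaluate one gate condition against its error threshold, as the server does."""
    if "errorThreshold" not in cond or "actualValue" not in cond:
        return False
    actual, threshold = float(cond["actualValue"]), float(cond["errorThreshold"])
    if cond["comparator"] == "GT":
        return actual > threshold
    if cond["comparator"] == "LT":
        return actual < threshold
    raise ValueError(f"unknown comparator {cond['comparator']!r}")


def evaluate(response_json: str) -> Tuple[str, List[str]]:
    """Return the server's gate status and a description of each failed condition."""
    status = json.loads(response_json)["projectStatus"]
    failures = [f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} (actual {c['actualValue']})"
                for c in status.get("conditions", []) if condition_failed(c)]
    return status["status"], failures


def exit_code_for(status: str) -> int:
    """Fail closed: only OK passes; ERROR, and NONE (no gate assigned), fail the build."""
    return 0 if status == "OK" else 1


def main(argv: List[str]) -> int:
    token = argv[1] if len(argv) > 1 else ""
    with open(".scannerwork/report-task.txt", encoding="utf-8") as fh:
        task = parse_report_task(fh.read())
    state = wait_for_task(task["ceTaskUrl"], token)
    if state != "SUCCESS":
        print(f"analysis task ended with {state}", file=sys.stderr)
        return 1
    query = urllib.parse.urlencode({"projectKey": task["projectKey"]})
    body = api_get(f"{task['serverUrl']}/api/qualitygates/project_status?{query}", token)
    status, failures = evaluate(json.dumps(body))
    for failure in failures:
        print("failed condition:", failure)
    print("quality gate:", status)
    return exit_code_for(status)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python gate_check.py <token> in the project directory right after sonar-scanner. For a branch analyzed with sonar.branch.name, add branch=<name> to the project_status query, otherwise the main branch's gate is checked. The script fails closed: NONE (no gate assigned) counts as a failure, so a project that was quietly detached from its gate cannot pass the build.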

E-mail notification

SonarQube can be configured to send an e-mail reminder when certain events occur.

Enable the SMTP service of the mailbox

Enable the service in the QQ Mail account that will send the mail:

  1. Enable the IMAP/SMTP service
  2. Generate an authorization code (this code, not the account password, is used as the SMTP password)

SonarQube mailbox configuration

Use an account with permission to change the global configuration, or an administrator account, to enter the SMTP settings (host, port, sender address, user name and the authorization code as password).

SonarQube e-mail notification configuration

Each user selects the notifications to receive under My Account -> Notifications.

When a new issue is assigned to the user, an e-mail reminder is sent.

The e-mail contains a link to the issue. The host name used in that link is taken from the global configuration (the Server base URL setting); if it is not set, the links use the default and are not reachable from other machines.

Send a test e-mail after the configuration.

branch scan

The SonarQube Community Edition does not support analysis of multiple branches, so the sonarqube-community-branch-plugin from GitHub can be used.

Select the plugin version that matches your SonarQube version. A plugin jar dropped into the plugin directory runs inside the SonarQube server with the server's privileges, so take the jar only from the project's release page and pin the exact version you verified.

  1. Download the matching jar and place it in the plugin directory of your SonarQube installation, sonarqube/extensions/plugins

  2. Restart the SonarQube service

  3. Check out the branch to be analyzed and adjust the sonar-project.properties file in the scanned project:

     sonar.projectKey=test
    
      # --- optional properties ---
    
      # defaults to project key
      sonar.projectName=test
      # defaults to 'not provided'
      sonar.projectVersion=1.0
    
      # Path is relative to the sonar-project.properties file. Defaults to .
      sonar.sources=./app,./config
    
      # Encoding of the source code. Default is default system encoding
      sonar.sourceEncoding=UTF-8
      # Directories containing compiled Java classes; only used by the Java analyzer
      sonar.java.binaries=.
      # The token generated when the project was created in SonarQube
      sonar.login=7eee3f6b73b5cab929c30f5bca7bc0a8bf84ec25
      # The branch being analyzed (usually combined with Jenkins, which sets the branch name from a variable)
      sonar.branch.name=release-1
  4. Run sonar-scanner again

  5. The new branch now appears on the SonarQube web page

Multiple branches

SonarQube branches are divided into:

  1. Main branch: usually master
  2. Short-lived branches: compared with long-lived branches, only the incremental issues (new code since the branch point) are tracked
  3. Long-lived branches: branches maintained over a long period, such as release and develop branches; their issue data is stored separately

If the main branch is not called master, the name of the main branch can be changed.

The name pattern used to detect long-lived branches can also be changed.

Jenkins uses SonarQube

Installing Jenkins itself is outside the scope of this article.

Install the SonarQube Scanner plugin

Manage Jenkins -> Manage Plugins -> search for "SonarQube Scanner" and install it

Restart Jenkins after installation.

Configure SonarQube servers

Manage Jenkins -> Configure System -> SonarQube servers

Fill in the address of your SonarQube web UI and create a credential for it.

Adding the credential
  1. In the SonarQube web UI, generate a token under My Account -> Security. The article does this with the administrator account; a dedicated analysis user that only has Execute Analysis permission is the better choice, because a token that leaks from Jenkins then cannot administer the server.

  2. Add the token in Jenkins as a Secret text credential

Configure SonarQube Scanner

Manage Jenkins -> Global Tool Configuration -> SonarQube Scanner

Create a Jenkins project

  1. Create a new Item

    Choose the Freestyle project type.

  2. Configure the build

    General: basic information, including a Git parameter (Branch) so that the branch can be chosen when the build is started

    Source Code Management: the Git repository, with the branch taken from the Branch parameter

    Build: add the build step "Execute SonarQube Scanner" and enter the analysis properties:

      sonar.projectKey=${JOB_BASE_NAME}
      sonar.projectName=${JOB_BASE_NAME}
      sonar.projectVersion=1.0
      sonar.sources=./app
      sonar.sourceEncoding=UTF-8
      sonar.java.binaries=.
      sonar.branch.name=${Branch}

    Post-build actions:

    Delete the workspace after the build. This job only runs code analysis with no further steps, so the workspace can be deleted.

Run the project

Build the job with parameters and choose the branch.

If this is the first run, be sure to select the master branch, otherwise the build fails, because the first branch SonarQube creates for a project is master (the main branch).


Reprinted from:SonarQube installation and use | Server operation and maintenance forum 


Origin blog.csdn.net/fuhanghang/article/details/135010383