Code quality checking using SonarQube. Easy Installation and integration with Jenkins.

Introduction

In the ever-evolving world of software development, delivering high-quality, secure code is paramount. With the increasing complexity of applications and the constant threat of security breaches, developers need powerful tools to help them maintain code integrity and reduce vulnerabilities. Enter SonarQube — a versatile and indispensable platform that plays a pivotal role in ensuring the success of software projects. In this blog, we’ll explore the significance of SonarQube in software development and how it contributes to code quality, security, and overall project success. We’ll also walk through the installation of SonarQube and its seamless integration with Jenkins to automate code quality analysis.

Understanding SonarQube

SonarQube is an open-source platform designed to analyze and evaluate the quality of source code. It does this by scanning codebases for issues, vulnerabilities, and code smells that can compromise the stability, maintainability, and security of an application. Its comprehensive set of features empowers development teams to deliver robust, maintainable, and secure software.

The Importance of SonarQube in Software Development

Code Quality Improvement

One of the primary functions of SonarQube is to identify and report on code quality issues. It highlights areas where code can be improved, such as eliminating duplications, adhering to coding standards, and reducing complexity. By addressing these issues early in the development cycle, teams can produce code that is easier to read, understand, and maintain.

Enhanced Code Security

In today’s threat landscape, code security is non-negotiable. SonarQube helps developers identify and mitigate security vulnerabilities, such as SQL injection, cross-site scripting (XSS), and more. By pinpointing these vulnerabilities, development teams can patch them before they become entry points for malicious attacks, thereby strengthening the application’s security posture.

Code Maintainability

Maintaining software is an ongoing process, and SonarQube assists by flagging code smells and readability issues. These code smells, often indicative of suboptimal coding practices, can lead to confusion and inefficiency. By eliminating them, teams can ensure their code remains manageable and adaptable over time.

Technical Debt Reduction

SonarQube calculates technical debt, representing the effort required to fix identified issues. By reducing technical debt, teams can allocate more resources to building new features and functionality rather than constantly addressing code problems.

Seamless CI/CD Integration

SonarQube seamlessly integrates into CI/CD pipelines, automating code analysis with each commit. This integration ensures that code quality and security checks are an integral part of the development process, preventing issues from slipping through to production and streamlining development workflows.

Collaboration and Reporting

Collaboration within development teams is crucial for success, and SonarQube facilitates this by providing a centralized platform to track and prioritize code issues. The tool also generates comprehensive reports and metrics that can be used for auditing, reporting, and decision-making.

Compliance and Customization

SonarQube allows organizations to define and enforce coding standards, making it easier to comply with industry regulations and internal guidelines. Moreover, the platform is highly customizable, accommodating the specific needs of different development environments and projects.

Installing SonarQube

We’ll use Docker Compose to simplify the installation of SonarQube. Here’s a step-by-step guide:

Step 1: Installing Docker

Before you install Docker Engine for the first time on a new host machine, you need to set up the Docker repository. Afterward, you can install and update Docker from the repository.

sudo apt update

Next, install a few prerequisite packages which let apt use packages over HTTPS:

sudo apt install apt-transport-https ca-certificates
curl software-properties-common

Then add the GPG key for the official Docker repository to your system:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

Add the Docker repository to APT sources:

sudo add-apt-repository "deb [arch=amd64] 
https://download.docker.com/linux/ubuntu focal stable"

This will also update our package database with the Docker packages from the newly added repo.

Make sure you are about to install from the Docker repo instead of the default Ubuntu repo:

apt-cache policy docker-ce

Notice that docker-ce is not installed, but the candidate for installation is from the Docker.

Finally, install Docker:

sudo apt install docker-ce

Check the status of docker:

sudo systemctl status docker

Step 2: Installing Docker-Compose

We don’t need to do much while installing docker-compose. Just follow these steps:

sudo apt-get update -y
sudo apt-get install docker-compose -y

Check your docker-compose version after its installed:

sudo docker-compose --version

Step-3: Add ubuntu user to the docker user group

Next, we will add the ubuntu user to a docker group so that we can run our docker commands without using the “sudo” prefix.

Create a docker group

sudo groupadd docker

Add the user: “ubuntu” to the docker group which we just created.

sudo usermod -aG docker ubuntu

Finally, we will just disconnect and reconnect to our instance again from the command prompt terminal to enable the changes.

Initially you won’t have any images and containers.

To view images:

docker images

To view running containers:

docker ps

Step-4: Create a docker-compose file and start the Sonar server

In order to quickly configure and manage the SonarQube server we will be using the docker-compose file which will set up a sonar instance along with the postgres database.

Lets configure docker-compose.yml and start up our containers

sudo mkdir sonarserver
cd sonarserver
sudo nano docker-compose.yml

Now insert the following code into it:

version: '3'

services:
  # SonarQube service
  sonarqube:
    image: sonarqube:latest
    container_name: sonarqube
    ports:
      - "9000:9000"
    environment:
      - SONARQUBE_JDBC_URL=jdbc:postgresql://db:5432/sonar
      - SONARQUBE_JDBC_USERNAME=sonar
      - SONARQUBE_JDBC_PASSWORD=sonar
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
      - sonarqube_temp:/opt/sonarqube/temp
    depends_on:
      - db
    networks:
      - sonarnet


  # PostgreSQL service
  db:
    image: postgres:latest
    container_name: postgres
    environment:
      - POSTGRES_USER=sonar
      - POSTGRES_PASSWORD=sonar
      - POSTGRES_DB=sonar
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - sonarnet


networks:
  sonarnet:
    driver: bridge


volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  sonarqube_temp:
  postgres_data:

Now lets start our containers:

docker-compose up  –d

and check the status:

docker images

docker ps

From this we can see that our container is successfully up and running on port 9000.

Connect to our Sonar server using the instance public-ip address along with the port which we had specified: 9000

In my case, it will be http://20.244.43.0:9000

The default username and password will be “admin” for the sonar server, post initial login, it will prompt us to update the default password.

This is the default dashboard of the sonarqube.!!!

Sonarqube integration with jenkins

1. Go to Jenkins dashboard. Install SonarQube Scanner Plugin in Jenkins (Manage Jenkins > Manage Plugins > Available > Search for SonarQube Scanner)

2. Configure SonarQube home path
Go to Manage Jenkins –> Global Tool Configuration –> SonarQube Scanner (Refer below image)

3. Configure sonar auth token

Log in into your SonarQube Server and find the following under the user bar and Go to My Account –> Security –> Generate Token

4. Go to Manage Jenkins –> Configure Systems –> SonarQube Servers

Add server authentication token as following.

Save the configuration, Now, your SonarQube integration is completed with Jenkins, next you have to create your new Jenkins job with sonar stage, and publish your code quality details in SonarQube.

Results:

As a result we can see the SonarQube dashboard with analyzed results.

That’s it!! Its really easy to install Sonarqube using docker and integrate with jenkins Server.