Preface
Recently our team had several production incidents, some serious enough to directly break features for users. Management was unhappy and asked me to find ways to improve code quality. That is when SonarQube, the go-to tool for checking a project's code quality, came into view.
What does SonarQube do
SonarQube® is an automated code review tool designed to detect bugs, vulnerabilities and code smells in your code. It integrates with your existing workflow to enable continuous code inspection across project branches and pull requests. Through plug-ins it supports code quality management and detection for more than 20 programming languages, including Java, C#, C/C++, PL/SQL, COBOL, JavaScript and Groovy. SonarQube inspects code quality along the following seven dimensions; as a developer you need to deal with at least the first five.
1.1 SonarQube can enforce coding conventions through rule-checking tools such as CheckStyle.
1.2 Potential Defects: SonarQube can detect potential defects through static-analysis tools such as FindBugs.
1.3 Poor Complexity Distribution: files, classes and methods whose complexity is too high are hard to change because developers struggle to understand them, and without automated unit tests any change to a component is likely to require full regression testing.
1.4 Duplication: a program containing a lot of copy-and-paste code is clearly of poor quality, and SonarQube shows you where source code is heavily duplicated.
1.5 Insufficient or Excessive Comments: no comments at all makes code less readable, especially when staff turnover inevitably occurs; too many comments make developers spend too much time reading them, which defeats the purpose.
1.6 Lack of Unit Testing: SonarQube makes it easy to count and display unit test coverage.
1.7 SonarQube can find dependency cycles, show interdependencies between packages and classes, check custom architectural rules, manage third-party JAR packages, check adherence to the single responsibility principle with LCOM4, and measure coupling.
Overview:
In a typical development process:
1. Developers develop and merge code in the IDE (preferably using SonarLint to receive immediate feedback in the editor) and then check their code into ALM.
2. The organization's continuous integration (CI) tools check out, build and run unit tests, while the integrated SonarQube scanner analyzes the results.
3. The scanner publishes the results to the SonarQube server, which provides feedback to the Developer via the SonarQube interface, email, in-IDE notifications (via SonarLint), and decorations on pull or merge requests (when using Developer Edition and later).
SonarQube instances contain three components:
1. The SonarQube server, which runs the following processes:
- A web server that serves the SonarQube user interface.
- An Elasticsearch-based search server.
- A compute engine that processes code analysis reports and stores them in the SonarQube database.
2. The database, which stores:
- Code quality and security metrics and issues generated during code scanning.
- The SonarQube instance configuration.
3. One or more scanners running on build or continuous integration servers, which analyze the projects.
How to set up SonarQube
The official website is www.sonarqube.org/; choose the Documentation menu.
You can select the version on the documentation page that appears. The latest version is 8.5. I tried three versions:
- 8.5: the latest version; requires JDK 11 and supports only Oracle, SQL Server and PostgreSQL databases.
- 7.9: the long-term support version, with thorough documentation; also requires JDK 11 and supports only Oracle, SQL Server and PostgreSQL databases.
- 7.6: an older version that requires only JDK 8 and supports Oracle, SQL Server and PostgreSQL as well as MySQL.
At first we installed version 7.6 to save trouble: we already use MySQL, so there was no need to install another database, and we already use JDK 8, so the installation cost was minimal. However, we later discovered that the Chinese-language plug-in and the MyBatis plug-in both require SonarQube 7.9 or above, running on JDK 11 or above. On balance, we decided to install the latest version.
2.1 Installing JDK 11 and PostgreSQL
JDK download address: www.oracle.com/java/techno…
Installing the JDK is relatively simple and I won't go over it here; there are many tutorials available online.
PostgreSQL itself claims to be the most advanced open source database in the world, with many features designed to help developers build applications, administrators protect data integrity and build fault-tolerant environments, and help you manage your data regardless of the size of your dataset. In addition to being free and open source, PostgreSQL is also highly extensible. For example, you can define your own data types, build custom functions, and even write code in a different programming language without recompiling the database.
PostgreSQL installation and usage reference: www.jianshu.com/p/7d133efcc…
2.2 Installing SonarQube from a ZIP file
SonarQube will not run as root on Unix-based systems, so create a dedicated user account for SonarQube if necessary.
$SONARQUBE_HOME (below) refers to the path of the unzipped SonarQube distribution directory.
Set up database access: edit $SONARQUBE_HOME/conf/sonar.properties to configure the database settings. Templates are available for each supported database. Simply uncomment and configure the desired template, then comment out the lines dedicated to H2:
    sonar.jdbc.username=sonarqube
    sonar.jdbc.password=mypassword
    sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube
Configure the Elasticsearch storage path. By default, Elasticsearch data is stored in $SONARQUBE_HOME/data, which is not recommended for production instances. Instead, store this data somewhere else, preferably on a dedicated volume with fast I/O. Besides maintaining acceptable performance, this simplifies SonarQube upgrades.
Edit $SONARQUBE_HOME/conf/sonar.properties to configure the following settings:
    sonar.path.data=/var/sonarqube/data
    sonar.path.temp=/var/sonarqube/temp
The user used to start SonarQube must have read and write permissions to these directories.
The web server starts on port 9000 by default, with context path /. These values can be changed in $SONARQUBE_HOME/conf/sonar.properties:
    sonar.web.host=192.0.0.1
    sonar.web.port=80
    sonar.web.context=/sonarqube
Execute the following script to start the server:
- On Linux: bin/linux-x86-64/sonar.sh start
- On macOS: bin/macosx-universal-64/sonar.sh start
- On Windows: bin/windows-x86-64/StartSonar.bat
Adjust your Java installation: if you have multiple Java versions installed on your server, you may need to explicitly define which one to use.
To change the JVM used by SonarQube, edit $SONARQUBE_HOME/conf/wrapper.conf and update the following line:
    wrapper.java.command=/path/to/my/jdk/bin/java
You can now browse SonarQube at http://localhost:9000 (the default system administrator credentials are admin/admin). The first visit to this address will hang for a while, because SonarQube performs some initialization, including creating the tables in the empty database.
Once initialization succeeds, the SonarQube home page loads, and multiple tables have been created in the database.
2.3 Installing Plug-ins: depending on your needs, you can install the Chinese-language plug-in; SonarQube's interface is English by default.
GitHub address: github.com/SonarQubeCo…
After downloading, compiling and packaging the project, place the JAR in $SONARQUBE_HOME/extensions/plugins.
Run ./sonar.sh restart to restart the SonarQube service.
In addition, there is the MyBatis plug-in.
Gitee address: gitee.com/mirrors/son…
I’ve used it personally and don’t think it works very well, but you can use it to extend what you need.
3. How to use SonarQube
3.1 Integrating SonarQube into a Maven project: add the following configuration to the Maven settings.xml:
    <pluginGroups>
      <pluginGroup>org.sonarsource.scanner.maven</pluginGroup>
    </pluginGroups>
    <profiles>
      <profile>
        <id>sonar</id>
        <activation>
          <activeByDefault>true</activeByDefault>
        </activation>
        <properties>
          <!-- Optional URL to server. Default value is http://localhost:9000 -->
          <sonar.host.url>http://localhost:9000</sonar.host.url>
        </properties>
      </profile>
    </profiles>
Then add the plug-in to the pom.xml file:
    <plugin>
      <groupId>org.sonarsource.scanner.maven</groupId>
      <artifactId>sonar-maven-plugin</artifactId>
      <version>3.3.0.603</version>
    </plugin>
Run the analysis command in the project directory:
    mvn clean compile -U -Dmaven.test.skip=true sonar:sonar
When this output appears, the analysis has succeeded.
Then check the analysis report in the SonarQube web interface.
Reports include bugs, vulnerabilities, code smells, security hotspots, coverage, duplication and so on, so you can quickly locate problematic code.
Click on a bug to see the code in question. Examples of reported issues:
An input stream that is not closed.
A possible null pointer dereference.
Incorrect usage:
SimpleDateFormat should not be defined as static.
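The three findings listed above, as an added Java example (not code from the post or from SonarQube): each pattern in the form SonarQube flags, beside a compliant rewrite, with a constructed sample input in main.

```java
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.text.SimpleDateFormat;
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.util.Map;
// Added example (not from the post): the three finding types above, flagged form beside compliant form.
public class SonarFindingsDemo {
    // Flagged: SimpleDateFormat is not thread-safe, so a shared static instance lets
    // concurrent callers corrupt each other's parse/format state.
    static final SimpleDateFormat SHARED_FORMAT = new SimpleDateFormat("yyyy-MM-dd");
    // Compliant: DateTimeFormatter is immutable and thread-safe, so sharing it is fine.
    static final DateTimeFormatter SAFE_FORMAT = DateTimeFormatter.ofPattern("yyyy-MM-dd");

    // Flagged: the reader is never closed, so the underlying stream leaks (worse if readLine() throws).
    static String firstLineLeaky(InputStream in) throws IOException {
        BufferedReader reader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8));
        return reader.readLine();
    }

    // Compliant: try-with-resources closes the reader on every path, including exceptions.
    static String firstLine(InputStream in) throws IOException {
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            String line = reader.readLine();
            return line == null ? "" : line;
        }
    }

    // Flagged: Map.get() returns null for a missing key, and trim() on null throws NullPointerException.
    static String ownerLeaky(Map<String, String> config) {
        return config.get("owner").trim();
    }

    // Compliant: handle the absent key explicitly instead of dereferencing a possible null.
    static String owner(Map<String, String> config) {
        String value = config.get("owner");
        return value == null ? "unknown" : value.trim();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a two-line stream and an empty config map (no "owner" key).
        InputStream in = new ByteArrayInputStream("first line\nsecond line\n".getBytes(StandardCharsets.UTF_8));
        System.out.println(firstLine(in) + " / " + owner(Map.of()) + " / " + SAFE_FORMAT.format(LocalDate.of(2020, 11, 1)));
    }
}
```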
There are too many kinds of detected problems to list here. In a word: Sonar is awesome. It not only detects code problems but also suggests better ways to write and use code where the existing code is poor.
Bonus
SonarQube is so powerful that only its basic uses are described above. In general, we use Jenkins to configure the projects that need code inspection: it pulls the code from GitLab, runs the Maven compile, package and analysis commands, and generates the report directly. Jenkins triggers the code inspection in two cases:
1. On code submission, or on submission to a specified branch such as the test branch; projects with few commits can do this.
2. On a schedule. Our company runs it in the early hours of the morning, because Jenkins hosts too many projects and we do not want to affect normal project deployments.
In addition, we can customize the rules that code analysis applies and develop plug-ins to suit actual project needs. For example, we developed a MyBatis plug-in that scans for Mapper and XML files whose names do not match.
In conclusion, Sonar is very powerful and highly recommended for your projects; it can really eliminate many hidden bugs and improve code quality, and once you have used it you will see the benefits. Source: quellanan.blog.csdn.net/article/det…