
SonarQube

SonarQube is a market-leading open source platform used to evaluate and improve the quality of the source code of software applications and projects. It provides a comprehensive solution to identify and correct code issues, ensure compliance with coding best practices, and improve software security and reliability.

Main features

  • Static analysis of the code: SonarQube performs thorough static analysis of the source code for vulnerabilities, errors and quality problems without needing to run the application.
  • Vulnerability detection: Identifies common security vulnerabilities such as SQL injection, insecure data handling, and authentication and authorization problems, among others.
  • Complexity measurement: Evaluates the complexity of the code, identifying areas that may be hard to maintain and prone to errors.
  • Continuous Integration and Continuous Delivery (CI/CD): Integrates easily into CI/CD pipelines, so the code is evaluated automatically at every stage of the development cycle.
  • Code quality: Provides code quality scores and metrics, which helps teams maintain a high standard of quality.
  • Multiple language support: Supports a wide range of programming languages, including Java, C#, JavaScript, Python, Ruby and more.
  • Technical debt management: Identifies and prioritizes technical debt, allowing teams to address the most critical issues first.
  • Customizable dashboards: Offers customizable dashboards and data visualizations for effective monitoring and decision making.
  • Scheduled scans: Allows regular scans to be scheduled so that code quality is maintained over time.
  • Integration with IDEs: Provides extensions for popular IDEs, allowing developers to identify and fix code problems as they write.
  • Security and compliance: Helps meet security and compliance requirements by identifying and resolving security issues.
  • Integration with other tools: Integrates with other development tools, such as version control systems, project management and dependency management tools.

Usage

The first thing to do is create a project in SonarQube. To do so, open the SonarQube web interface and select "Create Project" -> "Manually". This option is suitable when the project already exists in SonarQube or when we prefer to configure it by hand. We do not need a global integration with a repository provider, since the projects we are going to analyze may not all live in the same provider, such as GitLab or GitHub.

(Screenshot: Create project)

This will take us to a window where we will be asked for the following information:

(Screenshot: Project data)

  • Project Name
  • Unique project key (Key).
  • Main branch of the project.

Next, we configure what SonarQube should treat as new code. There are three options:

  • "Previous version": Considers any change since the previous version as new code.
  • "Number of days": Considers any change made in the last x days as new code.
  • "Reference branch": Uses a chosen branch as the baseline for new code.

(Screenshot: Project data)

Once the project is created, we integrate it with our Continuous Integration (CI) system. In this case, we will use GitLab CI. During configuration we generate a token specific to our project in SonarQube, and the wizard then guides us through the remaining steps of the integration.

(Screenshot: Analyze repository configuration)

The first step is to generate the token, whose lifetime can be adjusted to our needs. Record this token when it is shown: once the dialog is closed, it will not be displayed again.

(Screenshots: first step of the wizard, "Mint Token" dialog, generated token)

Then we select the type of project we are using, and the wizard shows a configuration adapted to it. In our case, we will see how to send the results of the tests run in the testing stage, so that coverage percentages are easy to visualize.

(Screenshot: second step of the wizard)

Finally, we reach the last step, where the system waits for the first commit to analyze. From the analysis we obtain information about bugs, problematic code, vulnerabilities, security hotspots to review, duplicated lines and code coverage.

(Screenshot: third step of the wizard)

(Screenshot: analysis results)
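The procedure above (create the project, mint a token, and have the CI pipeline send test coverage to SonarQube) can be expressed as a GitLab CI pipeline. The following .gitlab-ci.yml is an added example written for this page, not the snippet generated by the SonarQube wizard or the project's own configuration. It assumes a Python project, a project key `my-project-key` (placeholder), and that `SONAR_HOST_URL` and the minted token `SONAR_TOKEN` are stored as masked CI/CD variables in the GitLab project settings; the token is never written into the repository, and the scanner reads both values from the environment.

```yaml
# .gitlab-ci.yml (constructed example)
# SONAR_HOST_URL and SONAR_TOKEN are assumed to be masked CI/CD variables
# defined in GitLab under Settings > CI/CD > Variables, never committed here.
stages:
  - test
  - sonarqube

unit-tests:
  stage: test
  image: python:3.12
  script:
    - pip install pytest pytest-cov
    # Produce a Cobertura-style XML report that SonarQube can import
    - pytest --cov=. --cov-report=xml:coverage.xml
  artifacts:
    paths:
      - coverage.xml      # handed to the analysis job in the next stage
    expire_in: 1 day

sonarqube-check:
  stage: sonarqube
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"   # scanner cache location
    GIT_DEPTH: "0"   # full git history, needed to attribute new code correctly
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    # The scanner picks up SONAR_HOST_URL and SONAR_TOKEN from the environment.
    # Project key and coverage report path are assumed values for this example.
    - sonar-scanner -Dsonar.projectKey=my-project-key -Dsonar.python.coverage.reportPaths=coverage.xml
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Keeping the token in a masked variable means it does not appear in job logs or in the repository history, and rotating it in SonarQube only requires updating the variable. Adding `-Dsonar.qualitygate.wait=true` to the scanner command makes the job fail when the project's quality gate fails, so a commit that introduces new vulnerabilities or drops coverage below the threshold blocks the pipeline instead of merely being reported.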