# SonarQube analysis (GeoscienceAustralia/egeodesy GitHub Wiki)

- Documents - http://docs.sonarqube.org/
- Geoscience Sonar - https://sonar.gadevs.ga
- Run with:

```sh
mvn clean test sonar:sonar
# or after any goal that runs test
```
## SSL (HTTPS)

Communication to Sonar is over SSL (HTTPS), so a certificate is needed. The Sonar plugins for IDEs seem to manage this themselves; however, to upload to Sonar via Maven (the command line), some setup to handle the certificates is needed on the development machines:

- Go to https://sonar.gadevs.ga and download the certificate. Click the lock icon, find the certificate details and export (download) the certificate somewhere. See http://superuser.com/a/97203/233811.
- On the command line (for *nix / macOS; something similar for Windows) import it into a Java truststore:

```sh
# Assuming you don't already have a keystore, or none with the name `~/.trust.jks`
keytool -v -alias SonarServer -import \
    -file "_Sonar Server Cert_" \
    -keystore /home/users/_user_/.trust.jks
# Enter a truststore password - eg. changeit
```

- Now the truststore needs to be used in the Maven call. Add this to your `~/.bash_profile` (note the `export`, without which `mvn` will not see the variable):

```sh
export MAVEN_OPTS="$MAVEN_OPTS -Djavax.net.ssl.trustStore=/home/users/_user_/.trust.jks \
    -Djavax.net.ssl.trustStorePassword=changeit \
    -Dmaven.wagon.http.ssl.insecure=true \
    -Dmaven.wagon.http.ssl.allowall=true"
```

The `maven.wagon.*` properties aren't for this purpose but to allow us to connect to the Maven repositories without SSL validation (`insecure=true` skips certificate validation and `allowall=true` skips hostname verification for repository downloads). They are included here to show the full `MAVEN_OPTS` that we should be using.
## Maven Setup Information

http://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Maven

Special parts of the `pom.xml` include:

- There are `sonar` and `jacoco` (Java code coverage) properties. One of these is a login token (`sonar.login`). Individual users generate these tokens through Sonar, and they can be easily revoked. Developers should define their own and add it to the `MAVEN_OPTS` environment variable as `SONAR_LOGIN`. Bamboo builds use their own.
- `sonar-maven-plugin` is the plugin for connecting to and interacting with the SonarQube server.
- `jacoco-maven-plugin` is a separate plugin used for code coverage. See the `jacoco` or `sonar.jacoco` properties.
  - A full list of goals with:

    ```sh
    mvn help:describe -Dplugin=org.jacoco:jacoco-maven-plugin -Ddetail
    ```

  - It works in tandem with the `maven-surefire-plugin` and the `maven-failsafe-plugin` via the `${surefireArgLine}` and `${failsafeArgLine}` `argLine`s respectively. Listeners are defined in those plugins to perform the instrumentation and analyses that enable the SonarQube report to show which lines in the source are covered.
  - The `jacoco-maven-plugin` defines rules, including the theoretical ability to fail a build if these aren't met (however in my brief testing I couldn't get it working). See http://docs.sonarqube.org/display/SONAR/Analysis+Parameters.
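As an added example (not the project's actual `pom.xml`), this is how the pieces above fit together: the JaCoCo agent goals publish `surefireArgLine` and `failsafeArgLine`, which Surefire and Failsafe pass to the forked test JVMs, and the token reaches Maven from the environment rather than from the file. Assumptions: the token is exposed as `${env.SONAR_LOGIN}`, the standard `prepare-agent` goals are used rather than listeners, and the plugin versions and the `sonar.jacoco.reportPaths` property name are illustrative.

```xml
<!-- pom.xml excerpt: sonar + jacoco properties and the plugin wiring (added example) -->
<properties>
  <sonar.host.url>https://sonar.gadevs.ga</sonar.host.url>
  <!-- Assumed wiring: the token is read from the SONAR_LOGIN env var, so it is never committed -->
  <sonar.login>${env.SONAR_LOGIN}</sonar.login>
  <!-- Property name varies by SonarQube version; check the server's docs -->
  <sonar.jacoco.reportPaths>${project.build.directory}/jacoco.exec,${project.build.directory}/jacoco-it.exec</sonar.jacoco.reportPaths>
</properties>
<build>
  <plugins>
    <plugin>
      <groupId>org.sonarsource.scanner.maven</groupId>
      <artifactId>sonar-maven-plugin</artifactId>
      <version>3.9.1.2184</version> <!-- example version; pin to the one in use -->
    </plugin>
    <plugin>
      <groupId>org.jacoco</groupId>
      <artifactId>jacoco-maven-plugin</artifactId>
      <version>0.8.8</version> <!-- example version; pin to the one in use -->
      <executions>
        <!-- Sets ${surefireArgLine} to the -javaagent flag that instruments unit tests -->
        <execution>
          <id>prepare-unit-agent</id>
          <goals><goal>prepare-agent</goal></goals>
          <configuration><propertyName>surefireArgLine</propertyName></configuration>
        </execution>
        <!-- Same for integration tests, via ${failsafeArgLine} (writes jacoco-it.exec) -->
        <execution>
          <id>prepare-it-agent</id>
          <goals><goal>prepare-agent-integration</goal></goals>
          <configuration><propertyName>failsafeArgLine</propertyName></configuration>
        </execution>
      </executions>
    </plugin>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-surefire-plugin</artifactId>
      <!-- Surefire forks the unit-test JVM with the agent attached -->
      <configuration><argLine>${surefireArgLine}</argLine></configuration>
    </plugin>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-failsafe-plugin</artifactId>
      <configuration><argLine>${failsafeArgLine}</argLine></configuration>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn clean verify sonar:sonar` runs both test phases under the agent and then uploads the coverage data with the analysis.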
## Sonar Configuration

### Adding Rules

- A large number of rules are defined and it is unlikely we would add any more. See the **Rules** tab at the very top.
- However, the rule may not be in the current Quality Profile. You can see the active Quality Profile by selecting a project; the Quality Profile is displayed on the right-hand side. Clicking on it shows how many active rules there are.
- If the rule you want is not in the Quality Profile, find it under the Rules tab (you can narrow the search on the left-hand side; however I can't find a way to show rules that AREN'T in the profile).
- Select the rule, and at the bottom it lists the Quality Profiles it is in. If it isn't in the one we are using (Sonar Default), click **Activate** and add it.

### Isolating Issues

- Choose a project and go to the Issues page using the Issues tab at the top.
- Narrow the focus using the selection boxes down the side and selecting a specific item. For example: Rule > Public types, methods and fields (API) should be documented.
## Clients

This is a good way to run analysis before pushing to the server to be merged with Master.

- IntelliJ, Eclipse and Visual Studio - http://www.sonarlint.org/intellij/
  - Install the plugin.
  - Generate your own token through your https://sonar.gadevs.ga/ login.
  - You can run Sonar analysis on the current file or all files you have open.