SonarQube analysis - GeoscienceAustralia/egeodesy GitHub Wiki

SSL (HTTPS)

Communication to Sonar is over SSL (HTTPS), so a certificate is needed. The Sonar plugins for IDEs seem to manage this themselves; however, to upload to Sonar via Maven (the command line), some setup to handle the certificate is needed on the development machines:

  1. Go to https://sonar.gadevs.ga and download the server certificate: click the lock icon in the browser's address bar, view the certificate and export it to a file. See http://superuser.com/a/97203/233811.
  2. On the command line (for *nix / macOS; something similar for Windows) import it into a truststore:
    # Assuming you don't already have a keystore, or none with the name `~/.trust.jks`
    keytool -v -alias SonarServer -import \
      -file _Sonar Server Cert_ \
      -keystore /home/users/_user_/.trust.jks
    # Enter a password when prompted - eg. changeit
  3. Now the truststore needs to be used in the Maven call. Add this to your ~/.bash_profile (it must be exported so that mvn sees it):
    export MAVEN_OPTS="$MAVEN_OPTS -Djavax.net.ssl.trustStore=/home/users/_user_/.trust.jks \
      -Djavax.net.ssl.trustStorePassword=changeit \
      -Dmaven.wagon.http.ssl.insecure=true \
      -Dmaven.wagon.http.ssl.allowall=true"

The maven.wagon.* properties aren't for this purpose: they relax Maven's SSL checks when it connects to the Maven repositories (maven.wagon.http.ssl.insecure accepts certificates that don't validate, maven.wagon.http.ssl.allowall accepts any hostname), so they should only be kept where a repository actually needs them. They are included here so as to show the full MAVEN_OPTS that we should be using.
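The certificate import and MAVEN_OPTS setup above, scripted as an added example that is not part of the egeodesy wiki: it assumes the certificate has already been exported to a PEM file, uses the wiki's SonarServer alias and ~/.trust.jks path, passes the token as the standard sonar.login property, and adds two checks the wiki does not have (a fingerprint to compare against the browser, and a test for the maven.wagon.http.ssl.* relaxations).

```shell
#!/bin/sh
# Added example (not from the egeodesy wiki). Alias and truststore path follow
# the wiki; the fingerprint check and the insecure-option check are additions.

TRUSTSTORE="${HOME}/.trust.jks"
ALIAS="SonarServer"

# SHA-256 fingerprint of a PEM certificate file, to compare with what the
# browser showed before the certificate is trusted.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Import the downloaded certificate without interactive prompts. The store
# password is taken from TRUSTSTORE_PASS so it is not typed on the command line.
import_sonar_cert() {
    [ -r "$1" ] || { echo "certificate file not readable: $1" >&2; return 1; }
    [ -n "${TRUSTSTORE_PASS:-}" ] || { echo "set TRUSTSTORE_PASS first" >&2; return 1; }
    echo "importing $1 (SHA-256 $(cert_fingerprint "$1")) as $ALIAS into $TRUSTSTORE"
    keytool -importcert -noprompt -v -alias "$ALIAS" -file "$1" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
}

# Compose MAVEN_OPTS for the Sonar upload: truststore, its password and the
# sonar.login token (from SONAR_LOGIN, never hard-coded). The
# maven.wagon.http.ssl.* relaxations are deliberately left out.
sonar_maven_opts() {
    [ -n "$3" ] || { echo "SONAR_LOGIN is not set" >&2; return 1; }
    printf '%s' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2 -Dsonar.login=$3"
}

# Succeeds (0) when an options string disables Maven's certificate or
# hostname verification, so a shell profile can be checked before use.
has_insecure_ssl_opts() {
    case "$1" in
        *maven.wagon.http.ssl.insecure=true*|*maven.wagon.http.ssl.allowall=true*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh sonar-trust.sh import sonar.pem   |   sh sonar-trust.sh opts
case "${1:-}" in
    import) import_sonar_cert "$2" ;;
    opts)   sonar_maven_opts "$TRUSTSTORE" "${TRUSTSTORE_PASS:-changeit}" "${SONAR_LOGIN:-}"; echo ;;
esac
```

`sh sonar-trust.sh opts` prints the line to put in ~/.bash_profile as `export MAVEN_OPTS="$MAVEN_OPTS ..."`; run `has_insecure_ssl_opts "$MAVEN_OPTS"` in a shell to see whether the relaxations are still present.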

Maven Setup Information

http://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+Maven

Special parts of the pom.xml include:

  • There are sonar and jacoco (java code coverage) properties
  • One of these is a login token (sonar.login). Individual users generate these tokens through Sonar, and they can be easily revoked. Developers should define their own and add it to the MAVEN_OPTS environment variable as SONAR_LOGIN. Bamboo builds use their own.
  • sonar-maven-plugin is the plugin for connecting to and interacting with the SonarQube server
  • jacoco-maven-plugin is a separate plugin used for code coverage. See the jacoco or sonar.jacoco properties.
  • A full list of goals with mvn help:describe -Dplugin=org.jacoco:jacoco-maven-plugin -Ddetail
  • The jacoco-maven-plugin works in tandem with the maven-surefire-plugin and the maven-failsafe-plugin via the ${surefireArgLine} and ${failsafeArgLine} arglines respectively
  • Listeners are defined in those plugins to perform the instrumentation and analyses that enable the SonarQube report to show which lines in the source are covered
  • The jacoco-maven-plugin defines rules, including the theoretical ability to fail a build if these aren't met (however in my brief testing I couldn't get it working). See http://docs.sonarqube.org/display/SONAR/Analysis+Parameters.

Sonar Configuration

Adding Rules

  1. A large number of rules are defined and it is unlikely we would add any more. See the Rules tab at the very top.
  2. However, the rule may not be in the current Quality Profile. You can see the active Quality Profile by selecting a project; the Quality Profile is displayed on the right hand side. Clicking on this will show how many active rules there are.
  3. If the rule you desire is not in the Quality Profile, find it under the Rules tab (you can narrow the search on the left hand side, however I can't find a way to show rules that AREN'T in the profile).
  4. Select the rule and at the bottom it will list the Quality Profiles it is in. If it isn't in the one we are using (Sonar Default), click Activate and add it.

Isolating Issues

  1. Choose a project and go to the Issues page using the Issues tab at the top
  2. Narrow the focus using the selection boxes down the side and selecting a specific item. For example, Rule > Public types, methods and fields (API) should be documented

Clients

This is a good way to run analysis before pushing to the server to be merged with Master.

References