Examine your code with Docker and SonarQube

Static code inspection, or static supply code evaluation, as it’s fondly referred to as, is a debugging approach adopted throughout code opinions the place this system being debugged just isn’t executed.

There are a number of code evaluation instruments obtainable to software program engineers, similar to SonarQube, Coverity, and Codacy.

On this article, we’ll focus on the way to arrange SonarQube inside Docker, present the way to configure it on your language of alternative, and produce studies on code high quality. We’ll additionally introduce the complete SonarQube toolchain and show the way to use SonarQube on Docker to construct and take a look at a Go software.

Contents

Stipulations

To comply with the tutorial portion of this text, you’ll want the next:

• Working information of a programming language (we’ll use Go on this article)
• Improvement surroundings on your most popular programming language
• Docker put in in your machine
• Ample disk house for putting in SonarQube.

What’s SonarQube?

SonarQube is a well-liked steady inspection device for code high quality and code safety that goals to assist growth groups ship higher software program. It features as an computerized code evaluate device with assist for greater than 30 programming languages.

SonarQube simply interfaces with CI pipelines and DevOps builds to make code inspection swift and environment friendly for engineers. Additionally it is self managed, satisfying the necessity for builders to ship high quality and maintainable code at a quick tempo.

Understanding the Sonar ecosystem

SonarQube is a core ingredient of the Sonar ecosystem, together with SonarLint and SonarCloud. The complete Sonar ecosystem is concentrated on serving to builders write clear code that’s extremely maintainable.

The ecosystem includes options for particular person builders, groups, and enterprises. There may be additionally an lively neighborhood during which open supply contributors can contribute to enhancing the instruments.

The SonarLint resolution could be put in to research code in real-time and acquire stay suggestions on the go. SonarCloud permits builders to evaluate and report adjustments to code on model management software program, in addition to consider code for manufacturing. SonarQube, which we’ve seen, has the identical options as SonarCloud, with the distinction being enterprise options as towards self-managed ones.

Understanding how SonarQube features

SonarQube presents instruments for static code evaluation in detecting bugs, eliminating safety vulnerabilities, automating code evaluate, and code high quality assurance. SonarQube depends on a terminal and its CLI device, named SonarScanner, to run and report take a look at outcomes.

Technically, you first obtain the SonarQube picture from the Docker Hub. After, you need to set up SonarScanner CLI on your working system.

Tasks are created and examined on the SonarQube dashboard. To entry the dashboard, you should unlock a port to behave as a server and level the SonarQube docker container to that port, accessible by way of the localhost IP handle.

SonarQube may have entry to check a undertaking solely when added to the undertaking’s take a look at folder. The SonarScanner device, which studies to SonarQube, will need to have a corresponding port quantity.

Code evaluation with SonarQube

Now that we’ve a greater understanding of what SonarQube is and the way it features, let’s see the way to use SonarQube on Docker for code protection, scanning vulnerabilities, and code evaluation.

Putting in SonarQube on Docker

Getting SonarQube on Docker merely includes grabbing the picture from Docker Hub. If you happen to use a Linux machine, you’ll have to set the really useful base configurations utilizing the instructions supplied by Docker beneath “Docker Host Necessities”.

Subsequent, launch the Docker daemon in a separate terminal. On the terminal, run the under command to start out a server:

docker run -d --name sonarqube -p 8000:8000 sonarqube

You may entry the SonarQube occasion with the host IP handle and the desired port (localhost:8000, in our instance).

When the SonarQube portal homepage seems, go forward and log in; use the default username and password (“admin”). Subsequent, you’ll be requested to replace your password:

Viola! You’re prepared to start utilizing SonarQube on Docker.

Putting in SonarScanner

SonarScanner is a CLI device that’s used to run SonarQube assessments. To view the take a look at outcomes, SonarScanner sends suggestions from the take a look at to the SonarQube server so that you can evaluate. You may obtain SonarScanner right here.

Choose your working system and obtain the file.

After extracting the contents of the zip file, navigate to conf/sonar-scanner.properties and make sure the default server port is similar as your SonarQube port. This may permit SonarScanner to ship evaluation outcomes to SonarQube.

Now, add SonarScanner’s bin folder to your machine’s surroundings $PATH. On Home windows, the process includes following these steps:

1. Obtain the Home windows zip file
2. Rename the file sonar-scanner
3. Transfer the file to your most popular listing
4. Add that listing as a brand new surroundings variable within the $PATH
5. Confirm your set up with a brand new terminal and execute the next command:

If you happen to require extra details about debugging within the SonarScanner CLI, use both of those flags along with your instructions: -X, --verbose, or -Dsonar.verbose=true.

Alternatively, you possibly can run SonarScanner from the Docker picture with the under command:

docker run 
    --rm 
    -e SONAR_HOST_URL="<http://$>{SONARQUBE_URL}" 
    -e SONAR_LOGIN="myAuthenticationToken" 
    -v "${YOUR_REPO}:/usr/src" 
    sonarsource/sonar-scanner-cli

Constructing and testing a program with SonarQube

Up to now, we’ve put in two Sonar companies on Docker. Now, let’s see the way to use them in precise eventualities.

Creating a brand new SonarQube undertaking

To create a brand new SonarQube undertaking, run the SonarQube container on Docker and navigate to the homepage by way of localhost.

Subsequent, click on the Tasks bar on the homepage, and resolve the way you need to create a brand new undertaking. Add a undertaking key and show identify for the demo.

For this demo, we’ll use the handbook mode. After clicking Handbook, you’ll see fields displayed for the Undertaking show identify and Undertaking key:

After finishing these fields, click on Set Up. Within the subsequent window, choose Regionally. Within the window after that, click on Generate to generate a token on your undertaking. Then, click on Proceed to complete up with the tokenization.

Subsequent, choose your most popular language. For this undertaking, we’ll use Go, so we’ll choose the Different possibility.

Now, choose your OS and comply with the stipulated directions.

Producing a SonarQube token

Tokens are utilized in each undertaking. To generate a token, click on on the Person icon to the fitting of the search bar. Then, click on on the Safety tab and generate a brand new token.

The token required for our undertaking is already obtainable within the undertaking’s web page beneath Run evaluation in your undertaking.

Testing a pattern software

As talked about above, we’ll use a pattern program constructed with Go to show the usage of SonarQube for static code evaluation. In an present undertaking use case, you solely have to navigate to the take a look at folder in your codebase to make use of SonarScanner.

Create a program supply file and write this system you want to examine, together with this system’s take a look at file.

Our addition program is solely the next:

package deal adder

func AddNumbers(x, y int) int {
    return x + y
}

We’ll use the next take a look at for this system:

package deal adder_test

import (
    "testing"

    "github.com/username/sonarqube-code-test/adder"
)
func TestAddNumbers(t *testing.T) {
    resolution := adder.AddNumbers(6, 5)
    anticipated := 11
    if resolution != anticipated {
        t.Error("result's incorrect: anticipated 5, obtained", resolution)
    }
}

Analyzing the code

Now, we’ll make use of the SonarScanner we downloaded for analyzing the code. Begin by configuring the SonarScanner CLI device with an entry token for the admin account:

sonar-scanner -Dsonar.login=myAuthenticationToken

Out of your terminal, navigate to the folder the place your code’s take a look at file is saved and run the command supplied for the undertaking:

If you happen to generated the token your self for a specific undertaking, simply edit and use the next code:

sonar-scanner -D sonar.host.url=http://localhost:9000 -D sonar.projectKey=<Your-Undertaking-Key> -D sonar.projectName="Your Undertaking Title" -D sonar.projectVersion=<SemVer> -D sonar.login=<Your-Token-Right here> -D sonar.take a look at.exclusions=assessments/**/*.cs

After working the above command, the take a look at outcomes will present on the terminal’s display screen, with an EXECUTION SUCCESS message, like so:

Now, go to the SonarQube dashboard and navigate to Tasks. You’ll discover the take a look at outcomes there:

Congratulations, you’ve efficiently run a take a look at with SonarQube on Docker!

Conclusion

On this article, we supplied an outline of the Sonar ecosystem and the way SonarQube features. We additionally demonstrated the way to set up SonarQube on Docker after which use it to construct and take a look at a Go software.

Whereas this text makes use of SonarQube regionally, it may well ideally be run on a Kubernetes cluster deployed to any variety of environments. SonarQube will act as a security floor for builders within the growth surroundings. It will also be used within the manufacturing surroundings to verify clear code. Builders and QA might discover SonarQube’s SonarLint helpful for debugging code.