How to Evolve an Application to Make It More Robust and Maintainable - Add a Tool to Assess Code Quality

Foreword

In the previous articles of this series we looked at how to add tests and how to run them automatically via the CI/CD pipeline we configured in GitHub Actions. In this article we’ll continue to improve the quality of our project using SonarQube.

What are SonarCloud and SonarQube

More information can be found in this post.

Integration in Java project with Gradle

Declare plugin

  • Add plugin

    plugins {
        id("org.sonarqube") version "4.1.0.3113"
    }

  • Add configuration

    sonar {
        properties {
            // Property names are case-sensitive: the key is "sonar.projectKey"
            property "sonar.projectKey", "happraisal"
            property "sonar.projectName", "happraisal"
            property "sonar.host.url", "http://localhost:9000"
            // JaCoCo XML report used for the coverage figures
            property "sonar.coverage.jacoco.xmlReportPaths", "build/reports/jacoco/all-tests/jacocoAllTestReport.xml"
            property "sonar.sources", "src/main,build.gradle,gradle"
            property "sonar.tests", "src/test,src/integration-test,src/system-test"
            // JUnit XML results of the three test suites
            property "sonar.junit.reportPaths", "build/test-results/test,build/test-results/integrationTest,build/test-results/systemTest"
        }
    }

Export results

From IntelliJ, via configuration or terminal you can execute:

    clean build jacocoTestReport sonar -Dsonar.login=<<YOUR_ID>> -Dsonar.password=<<YOUR_PASSWORD>>

If you have created a token, you can run:

    ./gradlew clean build jacocoTestReport sonar -Dsonar.login=<<YOUR_TOKEN>>

Multi module

In multi-module projects each module must execute its own sonar task.

Tools around Sonar

Sonar API

Sonar provides APIs to manage projects, quality profiles, quality gates and more.

You can find more details here. Before you can call these APIs, you have to create a token. You can use HTTP-capable tools such as Postman or curl.

To create a token, log in to the SonarQube or SonarCloud web user interface, go to your profile, open the security tab and create a token.

For some APIs such as

  • /api/qualitygates/select
  • /api/projects/search

you have to create a token with administrator authorizations.
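
The following is an added example, not code from the original article or from Sonar: a small Python client for the /api/projects/search endpoint listed above. It sends the token through HTTP Basic authentication, refuses to send it over cleartext HTTP to a non-local host, and follows the `p`/`ps` pagination. The function names, the `fake_get` responses and the token value are constructed for illustration, and the reading of 401/403 as a rejected or non-administrator token is an assumption.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def auth_header(token):
    # A Sonar token is sent as the HTTP Basic user name with an empty password.
    return {"Authorization": "Basic " + base64.b64encode(f"{token}:".encode()).decode()}


def http_get(url, headers):
    # Real transport: return (status, body) instead of raising on 4xx/5xx.
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def list_project_keys(base_url, token, get=http_get, page_size=100):
    # Walk every page of /api/projects/search and collect the project keys.
    target = urllib.parse.urlsplit(base_url)
    if target.scheme != "https" and target.hostname not in ("localhost", "127.0.0.1"):
        raise ValueError("refusing to send a token over cleartext HTTP")
    keys, page = [], 1
    while True:
        query = urllib.parse.urlencode({"p": page, "ps": page_size})
        status, body = get(f"{base_url}/api/projects/search?{query}", auth_header(token))
        if status != 200:
            kind = PermissionError if status in (401, 403) else RuntimeError  # assumed: bad or non-admin token
            raise kind(f"HTTP {status} from /api/projects/search")
        data = json.loads(body)
        keys += [c["key"] for c in data["components"]]
        if page * page_size >= data["paging"]["total"]:
            return keys
        page += 1


def fake_get(url, headers):
    # Constructed two-page answer standing in for a server, so the block runs offline.
    page = int(urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["p"][0])
    names = {1: ["happraisal", "demo-a"], 2: ["demo-b"]}[page]
    return 200, json.dumps({"paging": {"total": 3}, "components": [{"key": n} for n in names]})


if __name__ == "__main__":
    print(list_project_keys("http://localhost:9000", "constructed-token", fake_get, page_size=2))
```

Against a real server, drop the `fake_get` argument and read the token from an environment variable rather than hard-coding it.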

SonarLint

SonarLint is a tool that can be used to analyze source code.

Configuration

  • Add a SonarLint plugin to IntelliJ
  • Open the SonarLint settings in Tools/SonarLint menu

  • Choose a connection type; for this article we chose SonarCloud.

  • Click on the online service link to connect to the SonarCloud service

  • Set the token or, if you don’t have one yet, create one from the link here

  • Select your organization

By default, your organization is your GitHub account

  • Check the Receive notifications from SonarCloud option

  • Approve the creation

  • Bind the project with the connection

How to use SonarLint

In IntelliJ there is a SonarLint window.

In this window:

  • From the Current File tab, you can analyze the file selected and displayed in IntelliJ
  • From the Report tab, you can analyze just the changed files or all the files in the project.

If you have any remarks on the content or the form, you can leave a comment…it is by exchanging that we progress.

Author: Emmanuel Quinton
Reviewer: Daniele Cremonini


CC BY-NC-ND 4.0
