/sonarqube

sonarqube

============ SonarQube

-> SonarQube is used for Code Quality Checking

-> SonarQube is called as Code Review Software

-> SonarQube is Free (Community Edition)

-> SonarQube is developed using Java language

-> SonarQube supports 20+ programming languages for Code Review

Ex: Java, C#, Python, Node JS, PHP, Java Script, TypeScript, C, C++ etc....

========================================== SonarQube will identify below things in the code

  1. Bugs (These bugs will break application functionality)

  2. Vulnerabilities (Security issues, hackers can attack)

  3. Code Smells (issues in code, recommended to fix but not danger)

  4. Duplicate Code (repeated lines of code)

  5. Code Coverage (howmany lines of code is tested in unit testing)

Note: For every project code review will happen in real-time

-> With the help of code review we can identify our mistakes and we can correct them

====================== SonarQube Server Setup

Minimum RAM : 2 GB

-> Create EC2 instance with 4 GB RAM (t2.medium)

-> Connect with EC2 instance using MobaXterm

-> Execute below commands in Ec2 instance

$ sudo su $ cd /opt $ sudo yum install java-1.8.0-openjdk $ java -version $ wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.8.zip $ unzip sonarqube-7.8.zip

Note: SonarQube server will not run with root user

-> Create new user in ec2 instance $ useradd sonar

-> Configure sonar user without pwd in suderos file

$ visudo

-> Configure below line in sudoers file

sonar ALL=(ALL) NOPASSWD: ALL

-> Change ownership & file permissions for sonar folder $ chown -R sonar:sonar /opt/sonarqube-7.8/ $ chmod -R 775 /opt/sonarqube-7.8 $ su - sonar

-> Goto bin directory then goto linux directory and run sonar server

$ cd /opt/sonarqube-7.8/bin/linux-x86-64

$ sh sonar.sh start

-> Check sonar server status

$ sh sonar.sh status

******************** Note: Sonar Server runs on 9000 port number by default ******************************

-> Enable 9000 port number in EC2-Instance Security Group as Inbound Rule

-> Now we can access our SonarQube server using below URL

	URL : http://EC2-Public-IP:9000/

Note: Default credentials of sonar

	uname: admin
	pwd: admin

=================================== SonarQube Integration with Maven Project

-> configure below properties in pom.xml file

http://3.110.77.68:9000/ admin admin

-> execute below maven goal

$ mvn sonar:sonar

Installing Sonar Software in Local

-> Download Sonar Software from below url

URL : https://www.sonarqube.org/downloads/
Version : 6.3.1 (historical version download)

-> Start Sonar Server by executing StartSonar.bat

Location : Sonar-Folder/bin/windows64/StartSonar.bat

-> Once Sonar Server is started it will display Sonar up and running message in console.

-> By Default Sonar Server will run on 9000 port number (We can customize port number)

Location : sonar-folder/conf/sonar.properties file

-> Open Sonar Server Dashboard using below URL

URL : http://localhost:9000/

Running Project with SonarQube Server

-> Add below 1 plugin in project pom.xml file (in tag)

org.sonarsource.scanner.maven sonar-maven-plugin 3.4.0.905

-> Do Maven build of project with package goal(right click run as ..maven build ..then type clean package command )

mvn clean package

-> For project do maven build with below goal To Do Code Review

mvn sonar:sonar

-> After maven build completed, check sonar server dashboard. #Bugs: bugs means problem will come #Vulnebirability: vulnebirality means security issue (like do not use PWd name any variable better to use Passzwd) #Code Smell : code smell means suggestations and recommendations

In sonar cube folder after extraction open conf folder there is a sonarqube properties file , in that file all the features are available ,we can change the properties also by uncomment and edit like server.port=1234, basically sonar cube default port number is 9000

To start sonar …click on start.sonar.bat

Lessons Learnt in Code Review

  1. String which we want to compare should present at left side

    if (userAcc.getAccStatus().equals("LOCKED")) // bad-practise if ("LOCKED".equals(userAcc.getAccStatus())) // good practise

  2. Replace StringBuffer with StringBuilder to improvate performance

     StringBuffer -> is synchronized (only one thread can access at a time)

 StringBuilder -> is not-syncronized (multiple threads can access at a time)

  3. Either log or re-throw the exception

     //bad practise
 catch (Exception e) {
 	e.printStackTrace( );
 }

 //good practise
 catch (Exception e) {
 	logger.error("Exception :: "+e.getMessage(), e);
 }

  4. Instead of Math.random( ) use java.util.Random.nextInt ( ) method to generate random number

  5. Don't use "password" or "pwd" in our code directley. It will be considered as vulnerable. Use "pazzword" or "pzzwd" for variable names.

  6. Declare variables before constructor

  7. Remove un-necessary curly braces from lambda when we have single line

  8. follow camel case for variables names declaration

  9. Declare private constructor for class if it is not getting instantiated anywhere.