
Difference between revisions of "SonarQube"

m (Frederic.gurr.eclipse.org moved page Sonar to SonarQube)
(Setting up SonarQube/SonarCloud for Eclipse.org projects)
 
(13 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
[[File:Sonarqube.png]]
 +
 
== About code quality analysis ==
 
== About code quality analysis ==
  
Line 10: Line 12:
 
* more welcoming to new contributors
 
* more welcoming to new contributors
  
It is also a mandatory step for projects willing to enter the [https://polarsys.org/wiki/Maturity_Assessment_WG PolarSys Maturity Assessment], as the analysis process relies on code metrics extracted by Sonar.
+
It is also a mandatory step for projects willing to enter the [https://polarsys.org/wiki/Maturity_Assessment_WG PolarSys Maturity Assessment], as the analysis process relies on code metrics extracted by SonarQube.
  
 
=== How? ===
 
=== How? ===
  
Code quality analysis mainly relies on a set of tools that look at your code and give you hints. The most famous tools are Findbugs, PMD, Checkstyle; but also code coverage tools such as Jacoco. JDT itself provides very powerful quality checks, but there are not enabled by default. You should go to Error/Warnings in preferences and replace all "ignore" by "Warning". You can (and should) enable such tools in IDE.
+
Code quality analysis mainly relies on a set of tools that look at your code and give you hints. The most famous tools are Findbugs, PMD, Checkstyle; but also code coverage tools such as JaCoCo. JDT itself provides very powerful quality checks, but there are not enabled by default. You should go to Error/Warnings in preferences and replace all "ignore" by "Warning". You can (and should) enable such tools in IDE.
  
 
Code quality can also be analyzed out of the IDE, running those tools and using their reports to find out the "hot spots" in your code.
 
Code quality can also be analyzed out of the IDE, running those tools and using their reports to find out the "hot spots" in your code.
  
=== About Sonar ===
+
=== About SonarQube ===
  
[http://www.sonarsource.org/ Sonar] is an open-source product which is used to gather several metrics about code quality, put them all in a single dashboard, and provide some tips to help you making your code better, more sustainable, more reliable, less bugged.
+
[https://www.sonarqube.org/ SonarQube] (formerly known as Sonar) is an open-source product which is used to gather several metrics about code quality, put them all in a single dashboard, and provide some tips to help you making your code better, more sustainable, more reliable, less bugged.
  
Enable Hudson Sonar plugin on your job or running <tt>mvn sonar:sonar</tt> on your Maven build will result in the following flow of actions:
+
[https://www.sonarcloud.io SonarCloud.io] is the "cloud"-version of SonarQube hosted by SonarSource.
# Sonar will locally analyze code and generate reports from many analyzers
+
# Sonar will push those reports to the Sonar dashboard
+
  
== Setting up SonarQube for Eclipse.org projects ==
+
== Setting up SonarQube/SonarCloud for Eclipse.org projects ==
  
=== Usage ===
+
{{important|Eclipse SonarQube server has been shutdown in early September 2020 | Due to relatively low demand and to reduce our maintenance overhead, we retired the Eclipse SonarQube server (https://sonar.eclipse.org/) in early September 2020. We will support projects to migrate to https://sonarcloud.io.<br> Please open a [https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/new HelpDesk issue] for this. }}
  
Sonar can be found on https://dev.eclipse.org/sonar . [https://dev.eclipse.org/sonar/all_projects Several projects] already have quality reports enabled. You can drill-down on code to see Sonar annotations on each class, or navigate through the different widgets on the dashboard to focus on specific issues.
+
If your project wants to use [https://www.sonarcloud.io SonarCloud.io], please open a [https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/new HelpDesk issue] to request it. Please specify for which exact project this should be setup.
  
The project must have a [[Hudson|Hudson instance]]. See [[Hudson#Requesting_a_HIPP_instance|how to get a dedicated HIPP]]. You should first setup a normal build to make sure the project compiles correctly.  
+
The webmaster/releng team will create the respective [https://www.sonarcloud.io SonarCloud.io] repository for your project and add a SONAR_TOKEN to your project's GitHub repo or the SONARCLOUD_TOKEN to your project's Jenkins instance.
  
Optional: it may be a good thing to add a sonar goal in your pom.xml, so you can run the sonar analyser whenever you want independently of the Hudson build.
+
=== Usage ===
  
There are two ways to setup Sonar on Hudson for your project, depending on the build tool used: Tycho builds can use the Sonar/Maven integration, while other tools (e.g. Buckminster) have to setup a SonarQube Runner build step.
+
{{important|"Automatic analysis is only available for GitHub repositories and only for a subset of languages. Java, C#, C, C++, Objective-C, and most other compiled languages are not eligible for automatic analysis, while Javascript, Typescript, Python, and other interpreted languages are." <br /> See https://docs.sonarcloud.io/getting-started/github/#set-up-your-analysis}}
  
You can check the SonarQube documentation for the plugin here:
+
If the project's source code is hosted on GitHub, the built-in GitHub integration can be used for some languages (see https://docs.sonarcloud.io/getting-started/github/). Otherwise the project must have a [[Jenkins|Jenkins instance]] or use GitHub actions (see https://github.com/SonarSource/sonarcloud-github-action).
* http://docs.sonarqube.org/display/SONAR/Configuring+SonarQube+Jenkins+Plugin
+
* http://docs.sonarqube.org/display/SONAR/Triggering+SonarQube+on+Jenkins+Job
+
  
=== Enable Sonar for your project: with Tycho ===
+
See [[Jenkins#Requesting_a_JIPP_instance|how to get a dedicated JIPP]]. You should first setup a normal build to make sure the project compiles correctly.
  
The only prerequisite for this method is to use [https://eclipse.org/tycho/ Tycho] as a building tool, which allows to automatically retrieve all information about the build and its dependencies.
+
In Jenkins your build job needs to be modified as follows:
 +
*Job config
 +
**“Use secret text(s) or file(s)
 +
***Add -> Secret text
 +
****Select “SonarCloud token”
 +
****Variable: SONARCLOUD_TOKEN
  
A dedicated job has to be defined for the quality analysis -- because you don't want to execute Sonar everytime the project is built. In the update center, install the Sonar plugin and restart the Hudson instance. In the job configuration, check the Sonar post-build action, click on advanced and fulfill the fields according to your project configuration. The following example screenshot shows the [https://hudson.eclipse.org/emfcompare/job/master-quality/configure configuration used by the emf-compare project].
+
*"Prepare SonarQube Scanner environment" option needs to be enabled
  
[[File:Hudson_sonar_emfcompare.png|SonarQube post-build action in Hudson]]
+
*In Maven build step, Goals:
 +
<source lang="bash" style="border:1px solid;padding: 5px; margin: 5px;">
 +
clean verify -B sonar:sonar
 +
-Dsonar.projectKey=org.eclipse.cbi.examples:cbi-example-parent
 +
-Dsonar.organization=eclipse-cbi
 +
-Dsonar.host.url=${SONAR_HOST_URL}
 +
-Dsonar.login=${SONARCLOUD_TOKEN}
 +
</source>
 +
<code>sonar.projectKey</code> and <code>sonar.organization</code> will need to be adapted individually.
  
Then [https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community post a new bug entry in the community bugzilla] to ask an administrator to add the Eclipse Sonar instance parameters to the Sonar plugin.
+
Running <tt>mvn sonar:sonar</tt> in your Maven build will result in the following flow of actions:
 +
# The Maven SonarQube plugin will locally analyze code and generate reports from many analyzers
 +
# The Maven SonarQube plugin will push those reports to SonarCloud
  
==== Specific tips for HIPP version >= 3.3.0 ====
 
  
Warning: Since the Hudson version 3.3.0, the configuration needs to be changed to avoid a "Could not find or load main class MAVEN_OPTS" error. For that, you can follow the workaround of [https://bugs.eclipse.org/bugs/show_bug.cgi?id=474406#c2 comment 2 of bugzilla 474406]. In summary:
+
[https://sonarcloud.io/organizations/eclipse Several Eclipse projects] already have quality reports enabled. You can drill-down on code to see annotations on each class, or navigate through the different widgets on the dashboard to focus on specific issues.
* The Sonar plugin MAVEN_OPTS option have to be empty.
+
* The MAVEN_OPTS parameter must be added as [https://bugs.eclipse.org/bugs/attachment.cgi?id=257608 String build parameter] with your settings
+
 
+
=== Enable Sonar for your project: without Tycho ===
+
 
+
The other way to setup Sonar is to use the Sonar Build step, which executes SonarQube Runner. In this case, some information needs to be provided manually for the configuration of the Sonar analysis (in comparison with the previous section, Tycho provides this data automatically).
+
 
+
Setup a dedicated build job for the Sonar analysis. In the update center, install the Sonar plugin and restart the Hudson instance. Check that the plugin is correctly installed:
+
 
+
[[File:Sonar plugin.png|SonarQube plugin Hudson]]
+
 
+
 
+
Then [https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community post a new bug entry in the community bugzilla] to ask an administrator to setup the SonarRunner plugin.
+
 
+
Check that the plugin is installed and the SonarRunner section configured:
+
 
+
[[File:Sonar runner.png|SonarRunner configuration]]
+
 
+
 
+
Check that the Sonar server section is correctly configured:
+
 
+
[[File:Sonar server.png|Sonar server configuration]]
+
 
+
 
+
As explained before, the build needs some information about your project and its modules, so you will need to create a file, typically named sonar-project.properties, with the following entries:
+
 
+
sonar.projectKey=org.polarsys:org.polarsys.myproject
+
sonar.projectName=MyProject
+
sonar.projectVersion=0.1.1
+
sonar.sources=src
+
sonar.binaries=bin
+
 
+
Then define the modules (components) that need to be analysed:
+
 
+
sonar.modules=org.polarsys.myproject.common.mod1,org.polarsys.myproject.common.mod2
+
 
+
And for each of them, define the projectBaseDir and projectName properties:
+
 
+
org.polarsys.myproject.common.mod1.projectBaseDir=git/common/plugins/org.polarsys.myproject.common.mod1
+
org.polarsys.myproject.common.mod1.projectName=org.polarsys.myproject.common.mod1
+
org.polarsys.myproject.common.mod2.projectBaseDir=git/common/plugins/org.polarsys.myproject.common.mod2
+
org.polarsys.myproject.common.mod2.projectName=org.polarsys.myproject.common.mod2
+
 
+
Then in the sonar build job add a build step to execute SonarRunner with the properties file for your project:
+
 
+
[[File:Hudson_sonar_build_step.jpeg|SonarQube build step in Hudson]]
+
  
 
=== Permissions ===
 
=== Permissions ===
  
Sonar is currently (and will remain) public to all and by default only Eclipse Webmaster can administrate the analysis projects. If you need admin permissions on some analysis projects, drop a bug on [https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community&component=Sonar bugzilla], specifying which analysis projects you want to administrate. The name of the analysis must be close enough to the project's name. If you are not the project lead your project, don't forget to ask him to +1 your request. The admin permissions will be granted for all committers on the project.
+
By default only Eclipse Webmaster can administrate the analysis projects on [https://www.sonarcloud.io SonarCloud.io]. If you need admin permissions on some analysis projects, please open a [https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/new HelpDesk issue], specifying which analysis projects you want to administrate. The name of the analysis must be close enough to the project's name. If you are not the project lead, don't forget to ask for a +1.
  
 
=== Note ===
 
=== Note ===
  
The initial documentation referenced Mickael Istria's blog entry at http://mickaelistria.wordpress.com/2012/10/08/sonar-at-eclipse-org/ . The information in it regarding the Eclipse process is outdated, but the article is still a good reading to understand how sonar works and what it can bring to you.
+
The initial documentation referenced Mickael Istria's blog entry at http://mickaelistria.wordpress.com/2012/10/08/sonar-at-eclipse-org/ . The information in it regarding the Eclipse process is outdated, but the article is still a good reading to understand how SonarQube works and what it can bring to you.
 
+
== Infrastructure and maintenance ==
+
 
+
Sonar is installed on a VM accessible from inside Eclipse infrastructure. The database is made accessible from Eclipse.org servers and has a user for Sonar, and another user for Hudson. When running the Hudson Sonar plugin, the plugin uses this user to push to the Sonar database the metrics about your project.
+
 
+
=== Bugzilla ===
+
 
+
* Open issues: https://bugs.eclipse.org/bugs/buglist.cgi?list_id=6604883&classification=Eclipse%20Foundation&query_format=advanced&component=Sonar&product=Community
+
* User to follow to get notified of new bugs on Sonar component: sonar-inbox@eclipse.org
+
 
+
=== Maintenance notes ===
+
 
+
* Database requires to be tweak to add some "GRANT" permissions to the sonar user. Sonar could start otherwise.
+
* March 2013: https://bugs.eclipse.org/bugs/show_bug.cgi?id=407658 . Removed big log file and restarted Sonar,
+
* July 2013: Got an OutOfMemory on Sonar side while running Platform-Sonar job. Increased max memory in conf/wrapper.conf and restarted Sonar.
+
* July 2013: No space left on device. A lot of big memory dumps files in bin/linux-x86-64 consumed half of disk space. Removed them
+
* October 2013: Migration to SonarQube 3.7.1 to provide compatibility with Maven
+
** https://bugs.eclipse.org/bugs/show_bug.cgi?id=417978 basic migration
+
** https://bugs.eclipse.org/bugs/show_bug.cgi?id=418502 Issue with HTTPS
+
** <tt>org.postgresql.util.PSQLException: ERROR: permission denied for relation permission_templates</tt> => Give permissions to hudson user with psql <tt>GRANT SELECT ON ALL TABLES IN SCHEMA public TO user; GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO user;</tt>
+
* Reboot: <tt>INFO  | jvm 1    | 2014/01/24 06:06:27 | java.lang.OutOfMemoryError</tt>
+
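Review bot: This hunk drops the entire "Enable Sonar for your project: without Tycho" section (the SonarQube Runner build step and the sonar-project.properties / sonar.modules example) and the "Infrastructure and maintenance" section, while the surviving text still says that a project not hosted on GitHub "must have a Jenkins instance"; a Jenkins project that does not build with Maven is therefore left with no instructions at all. Either keep a short pointer for non-Maven builds or state explicitly that only Maven/Tycho builds are covered. In the new Maven goals the token is placed on the command line as `-Dsonar.login=${SONARCLOUD_TOKEN}`; since the bullet list already tells the reader to bind it as "Secret text", add one sentence that the build step must not echo or trace its command line, otherwise the bound value ends up in the console log.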

Latest revision as of 07:17, 16 May 2022

Sonarqube.png

About code quality analysis

Why?

Code quality analysis helps you to make your code:

  • less error-prone
  • more sustainable
  • more reliable
  • more readable
  • more welcoming to new contributors

It is also a mandatory step for projects willing to enter the PolarSys Maturity Assessment, as the analysis process relies on code metrics extracted by SonarQube.

How?

Code quality analysis mainly relies on a set of tools that look at your code and give you hints. The best-known tools are FindBugs, PMD and Checkstyle, together with code coverage tools such as JaCoCo. JDT itself provides very powerful quality checks, but they are not enabled by default: go to Errors/Warnings in the preferences and replace every "Ignore" with "Warning". You can (and should) enable such tools in the IDE.

Code quality can also be analyzed out of the IDE, running those tools and using their reports to find out the "hot spots" in your code.

About SonarQube

SonarQube (formerly known as Sonar) is an open-source product that gathers several metrics about code quality, puts them all in a single dashboard, and provides tips to help you make your code better, more sustainable, more reliable and less buggy.

SonarCloud.io is the cloud-hosted version of SonarQube, operated by SonarSource.

Setting up SonarQube/SonarCloud for Eclipse.org projects

Eclipse SonarQube server was shut down in early September 2020
Due to relatively low demand and to reduce our maintenance overhead, we retired the Eclipse SonarQube server (https://sonar.eclipse.org/) in early September 2020. We will support projects in migrating to https://sonarcloud.io.
Please open a HelpDesk issue for this.


If your project wants to use SonarCloud.io, please open a HelpDesk issue to request it. Please specify exactly which project this should be set up for.

The webmaster/releng team will create the corresponding SonarCloud.io project for your repository and add a SONAR_TOKEN secret to your project's GitHub repository, or a SONARCLOUD_TOKEN credential to your project's Jenkins instance.

Usage

"Automatic analysis is only available for GitHub repositories and only for a subset of languages. Java, C#, C, C++, Objective-C, and most other compiled languages are not eligible for automatic analysis, while Javascript, Typescript, Python, and other interpreted languages are."
See https://docs.sonarcloud.io/getting-started/github/#set-up-your-analysis


If the project's source code is hosted on GitHub, the built-in GitHub integration can be used for some languages (see https://docs.sonarcloud.io/getting-started/github/). Otherwise the project must have a Jenkins instance or use GitHub Actions (see https://github.com/SonarSource/sonarcloud-github-action).

See how to get a dedicated JIPP. You should first set up a normal build to make sure the project compiles correctly.

In Jenkins, your build job needs to be modified as follows:

  • Job config
    • "Use secret text(s) or file(s)"
      • Add -> Secret text
        • Select "SonarCloud token"
        • Variable: SONARCLOUD_TOKEN
  • The "Prepare SonarQube Scanner environment" option needs to be enabled
  • In the Maven build step, set Goals to:

      clean verify -B sonar:sonar
      -Dsonar.projectKey=org.eclipse.cbi.examples:cbi-example-parent
      -Dsonar.organization=eclipse-cbi
      -Dsonar.host.url=${SONAR_HOST_URL}
      -Dsonar.login=${SONARCLOUD_TOKEN}

sonar.projectKey and sonar.organization need to be adapted for each project.

Running mvn sonar:sonar in your Maven build will result in the following flow of actions:

  1. The Maven SonarQube plugin will locally analyze code and generate reports from many analyzers
  2. The Maven SonarQube plugin will push those reports to SonarCloud
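The Jenkins job configuration above ends in one Maven command line that carries the SonarCloud token. The following shell wrapper is an added example, not part of the Eclipse wiki page or of any SonarSource project: it runs the same goals from an "Execute shell" step but first checks that the token binding and the scanner environment are actually present, and it makes sure the token can never be traced into the console log. The names are assumptions: the "Secret text" binding is expected to export SONARCLOUD_TOKEN, the "Prepare SonarQube Scanner environment" option is expected to export SONAR_HOST_URL, and mvn is expected on PATH (the MVN variable exists only so the wrapper can be exercised with a stub).

```shell
#!/bin/sh
# Added example (not from the Eclipse wiki or SonarSource): a wrapper around the
# Maven goals used for SonarCloud analysis on Jenkins.
# Assumptions (hypothetical): SONARCLOUD_TOKEN comes from the Jenkins "Secret
# text" binding, SONAR_HOST_URL from "Prepare SonarQube Scanner environment",
# and mvn is on PATH (override with MVN=<command> for testing).

# Validate the environment before starting a build.
# $1 = token value, $2 = host URL. Returns 1 with a message on stderr;
# the token value itself is deliberately never printed.
sonar_check_env() {
    if [ -z "$1" ]; then
        echo "SONARCLOUD_TOKEN is empty: bind the SonarCloud token in the job config" >&2
        return 1
    fi
    case "$2" in
        https://*) ;;
        *)
            echo "SONAR_HOST_URL must be an https:// URL (got '$2')" >&2
            return 1
            ;;
    esac
    return 0
}

# Run the analysis. $1 = sonar.projectKey, $2 = sonar.organization.
sonar_analyze() {
    sonar_check_env "${SONARCLOUD_TOKEN:-}" "${SONAR_HOST_URL:-}" || return 1
    # Turn command tracing off so a stray "set -x" earlier in the build step
    # cannot write the token into the Jenkins console output.
    set +x
    "${MVN:-mvn}" clean verify -B sonar:sonar \
        "-Dsonar.projectKey=$1" \
        "-Dsonar.organization=$2" \
        "-Dsonar.host.url=$SONAR_HOST_URL" \
        "-Dsonar.login=$SONARCLOUD_TOKEN"
}

# Stand-alone use: sh sonar-analyze.sh <projectKey> <organization>
if [ "$#" -eq 2 ]; then
    sonar_analyze "$1" "$2"
fi
```

The two checks fail the build early, before Maven downloads anything, when the secret binding was forgotten or when the host URL would send the token over plain HTTP. Note that `-Dsonar.login=` still hands the token to Maven as a process argument, which any other user on the same build agent can read from the process list; the Jenkins secret-text binding masks the value in the console log only, so dedicated agents are preferable for analysis jobs.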


Several Eclipse projects already have quality reports enabled. You can drill down into the code to see annotations on each class, or navigate through the different widgets on the dashboard to focus on specific issues.

Permissions

By default only the Eclipse Webmaster can administer the analysis projects on SonarCloud.io. If you need admin permissions on some analysis projects, please open a HelpDesk issue specifying which analysis projects you want to administer. The name of the analysis project must be close enough to the project's name. If you are not the project lead, don't forget to ask the project lead for a +1.

Note

The initial documentation referenced Mickael Istria's blog entry at http://mickaelistria.wordpress.com/2012/10/08/sonar-at-eclipse-org/. The information in it about the Eclipse process is outdated, but the article is still a good read for understanding how SonarQube works and what it can bring you.
