SonarQube™ is the leading open-source tool for continuously inspecting the quality and security of your code while empowering development teams. It analyzes over 25 popular programming languages, including Java, C#, VB.Net, JavaScript, TypeScript, and C++. In short, SonarQube™ is the platform par excellence for static analysis of source code.
SonarQube integrates into the build and packaging phases of your existing workflow, helping you detect problems in your code and enabling continuous inspection of your projects.
Download and install the SonarQube server: The installation process will depend on your operating system. You can find detailed instructions for installing SonarQube on various operating systems in the SonarQube documentation: https://docs.sonarqube.org/latest/setup/install-server/
Here are the tools and fundamental concepts that you should know.
SonarScanner
SonarScanner is a command-line tool that analyzes source code and sends the results to SonarQube. In short, it is the code analysis tool you run against a local project.
Source code that complies with defined quality standards
Rules and criteria for evaluating the quality of the code and determining if the established objectives are met.
For C#, SonarScanner for .NET is the recommended way to launch an analysis for projects built with MSBuild or dotnet. It is the result of a collaboration between SonarSource and Microsoft.
For Java, SonarScanner for Maven is recommended as the default scanner for your project. If you use Gradle, SonarScanner for Gradle is an easy way to start the analysis. SonarScanner for Ant provides a task that allows analysis integration for projects built with Apache Ant.
There are also scanners for Azure DevOps and Jenkins.
SonarLint
SonarLint is an IDE extension that provides on-the-fly feedback to developers on new bugs and code smells, allowing them to detect and fix issues as they write code. It is available for many popular IDEs, including Visual Studio, Eclipse, IntelliJ, and VS Code, and it integrates with SonarQube and SonarCloud for centralized issue tracking and reporting.
SonarLint offers many of the same analysis rules as SonarQube, including security, reliability, and maintainability checks. However, SonarLint performs these analyses directly in the IDE, providing instantaneous feedback to developers as they write code rather than waiting for the code to be checked into a shared repository for analysis by a centralized system like SonarQube.
Key concepts of SonarQube
Within SonarQube, there are Quality Profiles and Quality Gates, which are critical tools that allow development teams to ensure that their code meets the desired quality and security standards before the product is released to the market or production.
A Quality Profile is a custom set of analysis rules used to evaluate the code quality in a specific project. These rules are divided into different categories, such as bugs, security, code style, and complexity, and developers can enable or disable individual rules to tailor them to the specific needs of their project.
A Quality Gate in SonarQube is a set of rules and criteria used to measure code quality and ensure that the established objectives for publication are met. Developers can create multiple Quality Gates and tailor them to the specific needs of their project, setting different conditions for each one.
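As an added example (not code from SonarQube or from this article), the following Python model shows how a Quality Gate evaluates its conditions: each condition names a metric, a comparator and an error threshold, and the gate fails as soon as any condition fails. The metric keys, thresholds and sample measures are constructed for illustration, modelled on SonarQube's default conditions on new code; the handling of a missing measure is an assumption.

```python
from dataclasses import dataclass

# SonarQube stores ratings numerically: A=1, B=2, C=3, D=4, E=5
RATING_TO_LETTER = {1: "A", 2: "B", 3: "C", 4: "D", 5: "E"}


@dataclass(frozen=True)
class Condition:
    metric: str
    comparator: str        # "GT": fail if actual > threshold, "LT": fail if actual < threshold
    error_threshold: float

    def failed(self, actual: float) -> bool:
        if self.comparator == "GT":
            return actual > self.error_threshold
        if self.comparator == "LT":
            return actual < self.error_threshold
        raise ValueError(f"unknown comparator {self.comparator!r}")


# Constructed gate resembling the default "Sonar way" conditions on new code
SECURITY_GATE = [
    Condition("new_security_rating", "GT", 1),            # any vulnerability drops below A
    Condition("new_reliability_rating", "GT", 1),
    Condition("new_security_hotspots_reviewed", "LT", 100),  # every hotspot must be reviewed
    Condition("new_coverage", "LT", 80),
    Condition("new_duplicated_lines_density", "GT", 3),
]


def evaluate_gate(conditions, measures):
    """Return ("OK" or "ERROR", list of human-readable failed conditions)."""
    failures = []
    for cond in conditions:
        actual = measures.get(cond.metric)
        if actual is None:
            continue  # assumption: no measure (e.g. no new code) means the condition is not evaluated
        if cond.failed(actual):
            shown = RATING_TO_LETTER.get(actual, actual) if cond.metric.endswith("_rating") else actual
            failures.append(f"{cond.metric}={shown} (fails {cond.comparator} {cond.error_threshold})")
    return ("ERROR" if failures else "OK"), failures


# Constructed measures: the change introduced a vulnerability (rating B)
# and its tests cover only 65% of the new lines
SAMPLE_MEASURES = {
    "new_security_rating": 2,
    "new_reliability_rating": 1,
    "new_security_hotspots_reviewed": 100,
    "new_coverage": 65.0,
    "new_duplicated_lines_density": 0.0,
}

if __name__ == "__main__":
    print(evaluate_gate(SECURITY_GATE, SAMPLE_MEASURES))
```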