Control source code quality using the SonarQube platform

Introduction

Why SonarQube?

  • Support for Java, C, C++, C#, Objective-C, Swift, PHP, JavaScript, Python and other languages.
  • Reports on code duplication, compliance with coding standards, unit test coverage, possible errors in the code, comment density, technical debt and much more.
  • Stores the history of the metrics and plots how they change over time.
  • Fully automated analysis: it integrates with Maven, Ant, Gradle and the common continuous integration systems.
  • Integration with IDEs such as Visual Studio, IntelliJ IDEA and Eclipse through the SonarLint plugin.
  • Integration with external tools: JIRA, Mantis, LDAP, Fortify and so on.
  • The existing functionality can be extended with third-party plugins.
  • Technical debt is evaluated with the SQALE methodology.

How SonarQube helps to assess the quality of the code

The quality model SonarQube applies rests on a few principles:

  • The quality model should be as simple as possible
  • Bugs and vulnerabilities should not get lost among the maintainability issues
  • Serious bugs and security vulnerabilities in the project should cause the Quality Gate to fail
  • Maintainability issues in the code matter too and cannot be ignored
  • The remediation cost should be estimated (SonarQube uses the SQALE analysis model for this)

The Quality Gate used in this article fails when any of these conditions is not met:

  • 0 new bugs
  • 0 new vulnerabilities
  • technical debt ratio on the new code <= 5%
  • coverage of the new code is not less than 80%

The analysis reports the following kinds of problems:

  • Bugs and potential bugs
  • Violations of coding standards
  • Code duplication
  • Insufficient unit test coverage
  • Poor distribution of complexity
  • Spaghetti design
  • Too few or too many comments

Home page

Project metrics

Navigating the code and the bugs

Rules, Quality Profiles and Quality Gates

  • New bugs = 0
  • New vulnerabilities = 0
  • Technical debt ratio on new code <= 5%
  • Coverage of new code >= 80%
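The four conditions above (and the identical list in the quality-model section) are only useful if a build actually stops when one of them is violated. The following added example is not code from the original article or from SonarSource: it expresses the article's Quality Gate as machine-checkable conditions, evaluates them locally against a dict of measures, and parses the JSON that the SonarQube Web API endpoint api/qualitygates/project_status returns so that a CI job can fail on a red gate. The metric keys (new_bugs, new_vulnerabilities, new_sqale_debt_ratio, new_coverage) are the ones the Web API uses for the new-code period; the JSON response embedded below is constructed for the example, not captured from a real server.

```python
"""Fail a CI job when the SonarQube Quality Gate is not met.

Added example, not code from the original article or from SonarSource.
It mirrors the gate conditions listed in the article (new bugs = 0,
new vulnerabilities = 0, technical debt ratio on new code <= 5 %,
coverage of new code >= 80 %) in two ways:

1. evaluate_gate() applies the conditions locally to a dict of measures,
   which is handy for unit-testing a gate definition.
2. gate_status_from_response() parses the JSON returned by the Web API
   endpoint api/qualitygates/project_status, which a build script polls
   after the scanner has finished.

SAMPLE_PROJECT_STATUS is constructed for this example; real responses
come from your own SonarQube server.
"""
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Condition:
    metric: str       # SonarQube metric key
    op: str           # "GT": fail when actual > threshold; "LT": fail when actual < threshold
    threshold: float


# The article's Quality Gate, expressed as error thresholds.
ARTICLE_GATE: List[Condition] = [
    Condition("new_bugs", "GT", 0),
    Condition("new_vulnerabilities", "GT", 0),
    Condition("new_sqale_debt_ratio", "GT", 5.0),   # technical debt ratio on new code, in %
    Condition("new_coverage", "LT", 80.0),          # coverage on new code, in %
]


def condition_failed(cond: Condition, actual: float) -> bool:
    """Return True when the measured value violates the condition."""
    if cond.op == "GT":
        return actual > cond.threshold
    if cond.op == "LT":
        return actual < cond.threshold
    raise ValueError(f"unknown comparator {cond.op!r}")


def evaluate_gate(measures: Dict[str, float],
                  gate: List[Condition] = ARTICLE_GATE) -> List[str]:
    """Return the metric keys of every failed condition (empty list = gate passed).

    A metric missing from `measures` counts as a failure: silently passing a
    gate because coverage was never reported is the wrong default.
    """
    failed = []
    for cond in gate:
        if cond.metric not in measures or condition_failed(cond, measures[cond.metric]):
            failed.append(cond.metric)
    return failed


# Constructed sample of what GET /api/qualitygates/project_status returns.
SAMPLE_PROJECT_STATUS = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_bugs", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "0"},
            {"status": "ERROR", "metricKey": "new_vulnerabilities", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "1"},
            {"status": "OK", "metricKey": "new_sqale_debt_ratio", "comparator": "GT",
             "errorThreshold": "5", "actualValue": "1.2"},
            {"status": "ERROR", "metricKey": "new_coverage", "comparator": "LT",
             "errorThreshold": "80", "actualValue": "64.5"},
        ],
    }
})


def gate_status_from_response(body: str) -> Dict[str, object]:
    """Parse a project_status response into {"passed": bool, "failed": [metric keys]}.

    The server's overall verdict is trusted, but any condition reported as
    ERROR also fails the gate, so a partial or inconsistent response cannot
    turn a red gate green.
    """
    status = json.loads(body)["projectStatus"]
    failed = [c["metricKey"] for c in status.get("conditions", []) if c["status"] == "ERROR"]
    return {"passed": status["status"] == "OK" and not failed, "failed": failed}


if __name__ == "__main__":
    import sys
    result = gate_status_from_response(SAMPLE_PROJECT_STATUS)
    print("Quality Gate", "passed" if result["passed"] else "failed", result["failed"])
    sys.exit(0 if result["passed"] else 1)
```

In a real pipeline the response would be fetched with an authenticated GET to `<server>/api/qualitygates/project_status` (by project key or by the analysis id that api/ce/task reports once the background task has finished); the parsing and the exit code are the same as above.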

PVS-Studio and SonarQube

Conclusion

Useful links

Unicorn Developer: The developer, the debugger, the unicorn. I know all about static analysis and how to find bugs and errors in C, C++, C#, and Java source code.