Automating code analysis with sonarqube and docker


Who am I?

I don’t even know myself

My name is Yashlin and I am a software engineer currently specialising in web application development. I've worked with lots of different technologies ranging from the bleeding edge to legacy, and I would like to add some simple but powerful tools to your arsenal.

Why?

Who knows, boet, suggest me something.

So what is static code analysis, you ask? I would define it as running checks on your code before it is executed, and the reason we want to do this is so we can establish the integrity and quality of the code before we deploy it.

Think of it as code review, but instead of an intimidating senior who might chew your face off because you used an extra variable, this process is automated using some smart tools and rules. It gives you strategic feedback, thereby improving your code and also enforcing a minimum standard across your coding projects.

The tool we are going to be using is called SonarQube. It is an awesome open source platform which has support for a bunch of languages while also being really easy to set up. I'll be using an Angular project, but there are loads of other languages SonarQube supports; you can read more about it here:

https://www.sonarqube.org/sonarqube-8-2/?gclid=EAIaIQobChMI6Kisp4HS6AIVytDeCh1d_QHrEAAYASAAEgKxNfD_BwE

Note: Please pay attention to these blocks. There are various tips and tricks to getting this done seamlessly and I'll add them in little blocks like this. I found this process to be pretty easy, but there were some iffy moments.

Pre-requisites:

Stuff you need to know before we do the stuff

  • Docker needs to be installed with the following image: sonarqube
  • Foundational understanding of Docker and the concepts of containerization
  • An Angular project to use as a test case for the static code analysis
  • Basic understanding of using terminals and executing commands on the terminal

Let’s Begin:

Finally , admin is boring.

  • Choose your favorite terminal; I'm going with PowerShell here because I'll be working on a Windows machine
  • Make sure Docker is installed and fire up the service; we will be using Linux containers for our tutorial
  • As always, you need sufficient permissions to execute the various commands and scripts successfully.

Disclaimer:

Please don’t sue me if your house catches on fire

This tutorial is not an introduction to, or a comprehensive tutorial on, Docker or the concept of containerization. We are going to be using Docker to install SonarQube locally, and even though the commands are not intricate, it's still advised that you have a basic understanding of what's going on.

Since I am no expert in the technology or concepts, what I have done is aggregate a bunch of tutorials, blogs and videos and gone through them from a beginner's perspective. I think this helps me relay the material in the simplest way I can and help other beginners get involved in new technologies and concepts. I have credited all the blogs, articles and videos in the reference section below 🙂 so don't just take my word for it!

Installing sonarqube locally and logging in

Firstly, let's navigate over to the following link:

https://hub.docker.com/_/sonarqube

The link above is the official page for SonarQube's Docker image on Docker Hub. It's a really handy resource and we will be using it to help us get set up.

Let's break down the commands.

The first command we execute is docker pull sonarqube. This will fetch the latest image for SonarQube, which is what allows us to spin up its container.

The second command we execute is docker images. This will show you a list of all the images you have installed, and you can use it to check that the sonarqube image has been pulled correctly.

Now that we have that set up, one of the links on the page is the quick set up guide. Let's go there first:

https://docs.sonarqube.org/latest/setup/get-started-2-minutes/

Let's break down the commands.

docker run -d --name sonarqube -p 9000:9000 sonarqube: basically this is going to run a container called sonarqube which is based on the sonarqube image we downloaded earlier. This will spin up the SonarQube server on port 9000.

docker ps -a: this will list all the containers you currently have and their respective status. We use this command just to check that the container is active.

Now's the simple part: open your browser and navigate over to:

http://localhost:9000/

If everything worked correctly then you should be seeing the image above and you can go ahead and log in. The username/password is admin/admin, and this will take you to the main dashboard.

NOTE: This is not a production/development ready instance of SonarQube. The container has been set up in a way where the data is coupled to that specific container and won't persist after the container has been destroyed; I have chosen this way for ease of use and to demonstrate the concepts.

We can leave this running for now and come back to it later. We just need to complete one more thing before we can start analysing our code.
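If you want the instance to survive a container rebuild and not sit on admin/admin, the following PowerShell script is an added example (not from the original post or from SonarSource) that starts the same sonarqube image with named Docker volumes, waits until the server reports UP, and replaces the default admin password. It assumes Docker Desktop is running with Linux containers, port 9000 is free, and that you pass a password of your own choosing as -NewAdminPassword (the default value below is only a placeholder).

```powershell
# Added example: persistent SonarQube container plus default-credential rotation.
# Assumption: $NewAdminPassword is supplied by you; the default here is a placeholder.
param(
    [string]$NewAdminPassword = "change-me-to-something-long"
)

# Named volumes keep data, plugins and logs outside the container filesystem,
# so "docker rm sonarqube" no longer throws away your analysis history.
foreach ($v in "sonarqube_data", "sonarqube_extensions", "sonarqube_logs") {
    docker volume create $v | Out-Null
}

docker run -d --name sonarqube -p 9000:9000 `
    -v sonarqube_data:/opt/sonarqube/data `
    -v sonarqube_extensions:/opt/sonarqube/extensions `
    -v sonarqube_logs:/opt/sonarqube/logs `
    sonarqube
if ($LASTEXITCODE -ne 0) { throw "docker run failed with exit code $LASTEXITCODE" }

# Poll the unauthenticated status endpoint until the server is UP; startup takes
# a minute or two, and the web UI is not usable before then.
$status = "STARTING"
for ($i = 0; $i -lt 60 -and $status -ne "UP"; $i++) {
    Start-Sleep -Seconds 5
    try { $status = (Invoke-RestMethod -Uri "http://localhost:9000/api/system/status").status }
    catch { $status = "STARTING" }
    Write-Host "SonarQube status: $status"
}
if ($status -ne "UP") { throw "SonarQube did not come up within 5 minutes" }

# Replace the well-known admin/admin login straight away. SonarQube uses HTTP
# basic auth, so the header is built by hand to work in both PowerShell 5.1 and 7.
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("admin:admin"))
Invoke-RestMethod -Method Post `
    -Uri "http://localhost:9000/api/users/change_password" `
    -Headers @{ Authorization = "Basic $basic" } `
    -Body @{ login = "admin"; previousPassword = "admin"; password = $NewAdminPassword } | Out-Null
Write-Host "Default admin password changed; log in at http://localhost:9000/"
```

Run it once from a PowerShell prompt; on later runs, "docker start sonarqube" is enough, because the volumes already exist.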

Installing the sonar scanner

Firstly, let's navigate over to the link below:

https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/

NOTE: Here you can choose the package that corresponds to your system. I have chosen Windows 64 bit as this is my system spec. Once you have downloaded the scanner, you can unzip it into the location of your choice; for maintenance I have created a folder on my C: drive called sonar and extracted the contents into there.

Adding the scanner bin path to the system variables

Now that we have the scanner downloaded, we need to add it to the system so that it can be recognized. In Windows we do this by pressing the start button and entering Edit System Variables.

Step 1: select the option above

Step 2: Click on environmental variables

Step 3: Click on the path variable in system variables and press edit

Finally, create a new entry and attach the folder address of your sonar-scanner bin folder. At this point you should restart your machine to ensure the changes take effect.

Creating a new project on sonarqube and submitting your code for analysis

Step 1: You can click on create new project above

Step 2: Give your project a unique project key

Step 3: Generate an authentication token for your project. This helps secure your code scans by creating a unique reference to your project and sonar instance without needing to provide log-on details.

Step 4: Once you have the token you can continue to the next step which is finalizing the configuration

Step 5: Here you select your code language and operating system, and it will generate a command for you to run. Copy that command:

sonar-scanner.bat -D"sonar.projectKey=cv-generator-sonar" -D"sonar.sources=." -D"sonar.host.url=http://localhost:9000" -D"sonar.login=e1ade144e3ab2a78f2fd6af05f92354c3aeb6cf0"

Step 6: You can now go over to your project root directory. I have chosen an Angular project, so this is what mine looks like:

Step 7: Go ahead and execute that command in the terminal of your code editor.

Step 8: After some time it will tell you that the execution has been successful, and you can navigate back to your dashboard.

Now you will be presented with a nice dashboard summarizing the analysis of your code. There's some really interesting and useful information here; learning the ins and outs will be a blog on its own, but this is a great starting point to improving and enforcing code quality and integrity!
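The generated command in Step 5 puts the token on the command line, where it ends up in shell history and screenshots. The PowerShell script below is an added example (not from the original post or from SonarSource) of the same scan with the token read from an environment variable, followed by a wait for the server-side analysis task and a check of the quality gate, which is what you would wire into CI. It assumes the sonar-scanner bin folder is on PATH, the project key and host URL match what SonarQube generated for you, $env:SONAR_TOKEN holds the token from Step 3, and that node_modules and dist are build output you do not want scanned (an assumption about an Angular layout).

```powershell
# Added example: scan with the token from the environment, then gate on the result.
# Assumption: set $env:SONAR_TOKEN = "<your token>" in the session first; never commit it.
param(
    [string]$ProjectKey = "cv-generator-sonar",
    [string]$HostUrl = "http://localhost:9000"
)
if (-not $env:SONAR_TOKEN) { throw "SONAR_TOKEN is not set; generate one under My Account > Security" }

# node_modules and dist are generated code, not yours; excluding them keeps the
# report focused on the sources you actually maintain.
& sonar-scanner.bat "-Dsonar.projectKey=$ProjectKey" `
    "-Dsonar.sources=." `
    "-Dsonar.exclusions=**/node_modules/**,**/dist/**" `
    "-Dsonar.host.url=$HostUrl" `
    "-Dsonar.login=$env:SONAR_TOKEN"
if ($LASTEXITCODE -ne 0) { throw "sonar-scanner failed with exit code $LASTEXITCODE" }

# The scanner only uploads a report; SonarQube processes it asynchronously and
# writes the background task id to .scannerwork\report-task.txt in the project root.
$match = Select-String -Path ".scannerwork\report-task.txt" -Pattern '^ceTaskId=(.+)$'
if (-not $match) { throw "ceTaskId not found in .scannerwork\report-task.txt" }
$taskId = $match.Matches[0].Groups[1].Value

# Tokens authenticate as HTTP basic auth with the token as user name and an empty password.
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($env:SONAR_TOKEN):"))
$headers = @{ Authorization = "Basic $basic" }

$taskStatus = "PENDING"
while (@("PENDING", "IN_PROGRESS") -contains $taskStatus) {
    Start-Sleep -Seconds 3
    $taskStatus = (Invoke-RestMethod -Headers $headers -Uri "$HostUrl/api/ce/task?id=$taskId").task.status
    Write-Host "Analysis task: $taskStatus"
}
if ($taskStatus -ne "SUCCESS") { throw "Analysis task ended with status $taskStatus" }

# Quality gate verdict for the analysis that was just processed: OK or ERROR.
$gate = (Invoke-RestMethod -Headers $headers `
    -Uri "$HostUrl/api/qualitygates/project_status?projectKey=$ProjectKey").projectStatus
Write-Host "Quality gate: $($gate.status)"
if ($gate.status -ne "OK") { exit 1 }
```

A non-zero exit code from the script is what makes a build pipeline stop on a failed gate instead of only showing red on the dashboard.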

References:

NOTE: As always, none of this would be possible without the selfless contribution of the community. I used the following material to help me understand and present the concepts in this blog effectively.

This is a great resource that helped me get a more comprehensive understanding of Docker. If you have some time and want to know the technology, then I fully recommend it.

Glossary:

Static code analysis: Static program analysis is the analysis of computer software that is performed without actually executing programs, in contrast with dynamic analysis, which is analysis performed on programs while they are executing.

SonarQube: SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages.

Docker: Docker is a set of platform-as-a-service products that use OS-level virtualization to deliver software in packages called containers. Containers are isolated from one another and bundle their own software, libraries and configuration files; they can communicate with each other through well-defined channels.

Linux Container: A Linux container is a set of one or more processes that are isolated from the rest of the system. All the files necessary to run them are provided from a distinct image, meaning that Linux containers are portable and consistent as they move from development, to testing, and finally to production.

Containerization: Containerization is the process of packaging an application along with its required libraries, frameworks, and configuration files together so that it can be run in various computing environments efficiently.

Docker Hub: Docker Hub is a service provided by Docker for finding and sharing container images with your team.

Environment Variables: An environment variable is a dynamically named value that can affect the way running processes will behave on a computer. Environment variables are part of the environment in which a process runs.
