CX Works

Measuring Code Quality with Sonar

Setup SonarQube

If you are using SAP Commerce versions prior to 6.7, there have been reported issues with using the SonarQube 6.5+ instructions. Therefore, we recommend using SonarQube 6.3 or 6.4.

For SAP Commerce 6.7+, we recommend using SonarQube 6.7 LTS. Note that issue classification differs between SonarQube 6.4 and 6.7. For example, some issues considered bugs in SonarQube 6.4 are considered code smells in SonarQube 6.7.

  1. Download SonarQube and use the installation instructions to get the SonarQube service running on your operating system. For the rest of the article, we will assume you have set it up locally.
  2. Once your SonarQube is running, go to http://localhost:9000 and log in with the default credentials:

    1. Username: admin

    2. Password: admin


    You should change the default admin password and create new accounts for your users.

    Note: If you see the SonarQube 'maintenance' web page, your data might require a migration or an upgrade. In this case, navigate to http://localhost:9000/setup and select upgrade. Once complete, navigate back to http://localhost:9000.

  3. Navigate to http://localhost:9000/ and click the Create->Restore Profile button.

    With the release of SAP Commerce 6.6 and moving forward, there are now SonarQube Quality Profiles embedded in the SAP Commerce download. The next step refers to its location. Even if you are not running SAP Commerce 6.6+, we recommend that you at least download SAP Commerce to get access to the profiles.

    SAP Commerce 6.7+ also includes SonarQube Quality Profiles for other languages. You may want to repeat steps 3, 4 and 5 to import and set those profiles as default.

  4. Navigate to {COMMERCE_ROOT}/build-tools/sonarqube/ and import the relevant profile (e.g. java-hybris-profile.xml)

  5. Make sure it is set as the default Java profile.

  6. Review the settings and adjust as needed. Key pages include http://localhost:9000/settings?category=java, http://localhost:9000/settings?category=exclusions, and http://localhost:9000/settings?category=technicaldebt.

  7. In your local.properties, after updating, add the following properties (depending on your version):

    If you are using SAP Commerce 6.7+, you can specify the extensions that you want to scan through the sonar.extensions property (instead of specifying those you want to exclude through sonar.excludedExtensions).

    sonar.projectName=<insert project name here>
    sonar.projectKey=<insert project name here>
    sonar.projectVersion=1.0
    sonar.extensions=myextension1,myextension2,myextension3
    
    #for SonarQube > 6.4
    sonar.host.url=http://localhost:9000
    # example value: generate your own user token in SonarQube and use it here
    sonar.login=bc5b59d08a24071f4b5d2281efd25f89d3ab54e5
    
    #for SonarQube <= 6.4
    sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance

    If the SonarQube server is set to force user authentication, it may be necessary to set the sonar.login property with a user token.

    sonar.language=java

    sonar.projectName=<insert project name here>
    sonar.projectKey=<insert project name here>
    sonar.projectVersion=1.0
    sonar.excludedExtensions=acceleratorcms,acceleratorfacades,acceleratorservices,acceleratorstorefrontcommons,addonsupport,captchaaddon,commercefacades,platformservices
    
    #for SonarQube > 6.4
    sonar.host.url=http://localhost:9000
    # example value: generate your own user token in SonarQube and use it here
    sonar.login=bc5b59d08a24071f4b5d2281efd25f89d3ab54e5
    
    #for SonarQube <= 6.4
    sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance
  8. If you are not on SAP Commerce 6.6+, please see the workaround steps further down in this article.
  9. In hybris/bin/platform, execute the following (assuming you have already executed setantenv to set your environment variables):

    In SAP Commerce 6.7+, the sonar Ant target has been deprecated in favor of sonarcheck.

    ant sonarcheck

    For SAP Commerce prior to 6.7:

    ant sonar
  10. Open your project dashboard in Sonar. Using the example project above, the URL would be http://localhost:9000/dashboard?id=<insert project name here>.
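
The properties from step 7 hold credentials, so it is worth checking them before the file is shared or the scan is pointed at a non-local server. The following audit is an added example, not part of the original article or of SAP Commerce; the finding codes and the sample host name are constructed, and `sonar.password` is the standard SonarQube scanner property for password authentication.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample: the article's properties, but aimed at a shared server
# and using the default admin account instead of a user token.
SAMPLE = """\
sonar.projectName=myshop
sonar.projectKey=myshop
sonar.extensions=myextension1,myextension2
# for SonarQube > 6.4
sonar.host.url=http://sonar.example.internal:9000
sonar.login=admin
sonar.password=admin
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def is_loopback(host):
    """True for localhost and loopback IP literals such as 127.0.0.1 or ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(text):
    """Return sorted finding codes for the sonar.* settings in a properties file."""
    props = parse_properties(text)
    findings = set()
    url = urlparse(props.get("sonar.host.url", ""))
    if url.scheme == "http" and not is_loopback(url.hostname or ""):
        findings.add("cleartext-host-url")    # credentials cross the network unencrypted
    login = props.get("sonar.login", "")
    if login == "admin":
        findings.add("default-admin-login")   # built-in account, not a per-user token
    elif login:
        findings.add("token-in-file")         # keep this file out of version control
    if any(k.endswith(".password") and v for k, v in props.items()):
        findings.add("password-in-file")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A local setup exactly as in the article reports only `token-in-file`, which is acceptable as long as local.properties is not committed or shared.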

Using SonarLint to Check Code Quality Locally

SonarQube is great for showing a consolidated view of the state of code. However, it relies on running the Ant targets discussed above. For a developer, having to run ant sonar while working on code can be quite time-consuming. The solution for this is SonarLint. It is a free tool that works with many of the popular IDEs (Eclipse, IntelliJ, Visual Studio Code, Atom, etc.) to provide you with on-the-fly reports and explanations of potential bugs and code smells.

We recommend that each developer install and configure SonarLint for their local development environment, and that they have it point to a SonarQube instance using the instructions above. By pointing to a central SonarQube instance, you ensure the vulnerabilities reported align with the quality profile set up, so that they can be caught during active development.

To install and configure SonarLint, go to the SonarLint website. There, you will find "How-to" documents for the major IDEs it supports.

Ant Sonar Workaround (SAP Commerce <6.6)

Due to an issue with a deprecated library, the ant sonar target may not work for you if you are using a version of SAP Commerce older than 6.6. Instead, you will need to perform the following:

  1. Download https://binaries.sonarsource.com/Distribution/sonarqube-ant-task/sonarqube-ant-task-2.5.jar and place it into the config/customize/platform/resources/ant/sonar/lib folder.
  2. Copy platform/resources/ant/sonar.xml into /config/customize/platform/resources/ant.
  3. In the copied file, update line 22 of sonar.xml:

    <path path="${platformhome}/resources/ant/sonar/lib/sonarqube-ant-task-2.5.jar" />
  4. In the same sonar.xml file, find and replace all references of 'sonar.binaries' with 'sonar.java.binaries'

  5. In the same sonar.xml file, find and replace all references of 'sonar.libraries' with 'sonar.java.libraries'


Conclusion

SonarQube is a powerful tool that can be leveraged to ensure your development code commits follow conventional coding best practices. Leveraging the sonar targets and rulesets that ship with SAP Commerce will help you create a baseline for code quality, allow you to continually monitor trends, and make it easier to quickly identify potential bugs and vulnerabilities. Additionally, you will be able to visualize how much technical debt you are accumulating with each commit.
