Harith Sankalpa – Intern Software Engineeing
SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages. [Wikipedia]
SonarQube platform consists of two main components. Sonar Scanner which scans your code and generates reports and SonarQube Server which provides a graphical interface to view and review your code and results of Sonar Scanner. These two components work in collaboration to complete their tasks.
In this article I am going to explain,
- How to setup a SonarQube server on your localhost.
- How to setup Sonar Scanner.
- How to configure a Node application for Sonar integration.
Please note that first two topics will be specific to a *nix development environment whereas the third topic will be common to any operating system.
1. Setup SonarQube Server
First, download and setup the SonarQube server application before starting work with Sonar Scanner.
Download the latest version or a previous version from https://www.sonarqube.org/downloads/ .
Note that the latest version, 7.9 (at September 2019) requires Oracle JRE/JDK 11 or OpenJDK 11. You can download SonarQube server 7.8 if you are using Oracle JDK 8 or OpenJDK 8 and don’t need to cope with the hassle of maintaining two environments. The steps mentioned will be common to both SonarQube versions 7.8 and 7.9.
Once the server application is downloaded, unzip the files. In my development environment I have placed SonarQube server in /opt/sonarqube/ .
Sonar server must be run as a non root user in a Unix environment as recommended by SonarSource themselves. You can create a new user for running sonar by following the below mentioned steps.
# create a user group for sonar users
sudo groupadd sonar
# create user named sonar without sign in options
sudo useradd -c "Sonar System User" -d /opt/sonarqube -g sonar -s /bin/bash sonar
# change ownership of SonarQube application file to sonar user
sudo chown -R sonar:sonar /opt/sonarqube
# activate sonar user by setting a password to it
sudo passwd sonar
To tell the SonarQube Server to run as the newly created “sonar” user, you edit the sonar.sh file located in “sonarqube/bin/*[os]*/” directory example: “/opt/sonarqube/bin/linux-x86–64/”. Find the line that says “RUN_AS_USER” and uncomment it by removing the pound sign in front of it. Enter the new username “sonar” as its value as follows.
NOTE: SonarQube uses an in-memory database to hold your scan results by default. But you can setup a database and configure SonarQube to store the scan results for persistent scan results recording. As this process is out of the scope for this article, I will not describe the process here, but you can definitely find a good tutorial online on how to do it.
Now, start the SonarQube server by executing sonar.sh file as follows.
./sonar.sh console #Enter the sonar user password once prompted.
Optional: The server starts in port localhost:9000 by default. But you can change the port number if port 9000 is in use. Open the file “sonarqube/conf/sonar.properties” file and search for the line “sonar.web.port”.
sudo gedit /opt/sonarqube/conf/sonar.properties
To change the web port of the SonarQube server, uncomment that line, and change the port number to any 4 digits of your choosing. Example:
2. Setup Sonar Scanner
Sonar scanner is needed to scan your code at the source code directory. Download the latest version of Sonar Scanner from https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/ .
Once you’ve downloaded the file, unzip the application.
Before you start scanning the code, be sure that SonarQube server is running in your localhost. Also, keep in mind that if you’ve changed the default port, you need to configure Sonar Scanner. To do this, open the file “sonar-scanner/conf/sonar-scanner.properties”.
sudo gedit /opt/sonar-scanner/conf/sonar-scanner.properties
Look for the line “sonar.host.url=http://localhost:9000” and uncomment and change the port number at the end of the URL address to the port number you set for the SonarQube server.
You need to add “sonar-scanner/bin” to the PATH variable to be able to be run from your source code directory. You can achieve this by adding the following line to the “.bashrc” file located in your $HOME directory.
After entering the above line, source “.bashrc” file to changes to take effect by running this command in the terminal.
Note: If you cannot find the file “.bashrc” try “ls -la” in the terminal in the $HOME directory. Files with names starting with . (dot) is hidden by default in a Linux based operating systems.
3. Configure a Node application for Sonar integration
First, you need to add a configuration file named “sonar-project.properties” to the root of your source code directory, for the project to be able to be scanned by Sonar Scanner.
Once you’ve created this file, add the following lines to it.
- projectKey: Unique string which enables SonarQube to identify the application
- projectName: Name of the application
- projectVersion: Version of the application
- language: The language the application is written in. If your Node project is written in Typescript use ‘ts’ instead of js
- sources: Directories that the source code is included in. You can remove this line if your code is in the root directory
- sourceEncoding: Encoding type of source code text
- exclusions: SonarQube will not scan the files with paths that matches the pattern provided here for code quality. I have included my test files here
- test.inclusions: Pattern of paths of test files
- coverage.exclusions: SonarQube will not consider files with paths that matches patterns provided here when calculating test coverage. This is where you include the test, mock and configuration files, and test coverage reports.
- testExecutionReportPaths: Path to the test report file. Note that SonarQube expects test reports to be in a specific format. Use a third party library (ex : mocha-sonar-reporter for Mocha) if your test framework does not naively support SonarQube. (This option is not essential to generate test coverage reports in SonarQube)
Scan Your Code
1. Check whether SonarQube Server is running. If it isn’t, start the server.
cd /opt/sonarqube/bin/*[os]* #navigate to the directory
./sonar.sh status #check status of SonarQube server
./sinar.sh console #start SonarQube server if not started
2. Now you can navigate to the root of your source code directory, where you created the “sonar-project.properties” file, and enter sonar-scanner in the terminal. Sonar Scanner will scan your code and generate a link to the report.
Before you start using SonarQube, you need to setup the SonarQube server and Sonar Scanner, and create a configuration file with data required for Sonar Scanner to successfully scan your code.
Consider adding .scannerwork folder to .gitignore (these files are not required to be added to Git, and will be generated automatically).