SonarQube Walkthrough
What?
- Static analysis tool that flags code smells, complexity, security vulnerabilities and hotspots, duplicated code, and other common issues
- Supports many languages
- Part of the GEOINT Services CI/CD stack
- Integrated into our Jenkins pipelines for every project
- The instance we use (UNCLASS) is located at https://sonar.gs.mil
Why?
- Helps to enforce code quality, standards adherence, and readability
- Combined, these efforts are meant to reduce future maintenance costs and ramp-up times for developers
Project setup
- The Jenkinsfile that ships with the nestjs-template does all of the Jenkins-side setup needed for SonarQube analysis in your CI/CD pipeline
- Request a SonarQube-only project via https://my.gs.mil to create the project in SonarQube (typically done by the CI/CD team or the project owner)
- Make sure the project is assigned the "Mayhem Way" quality gate; the gate is what the pipeline's pass/fail result is measured against
Basics of the SonarQube UI walkthrough
Wait, so I have to push my code to find the issues I need to fix?!
Enter: VS Code setup
- Install the SonarLint extension
- Generate a personal token in SonarQube so SonarLint can connect to the server (connected mode) and analyse with the same rules the pipeline uses
- My Account -> Security -> [Enter a token name] -> "Generate"
- Save your token and treat it like a password: it authenticates as you. You won't be able to retrieve it after creation, but you can revoke it and generate a new one at any time.
- See https://marketplace.visualstudio.com/items?itemName=SonarSource.sonarlint-vscode for more info
Caveats
- The current GEOINT Services instance of SonarQube is the Developer Edition, which has limitations, most prominently:
- No multibranch reporting (one report per project, not one per branch)
- Which means: any Jenkins build of your project, from any branch, overwrites the previous report, AND
- Resolutions made through the SonarQube UI (e.g. marking an issue as a false positive) are NOT persisted
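The Jenkinsfile below is an added illustration of the pieces the template's pipeline has to wire up for the Project setup above, plus one way to live with the single-report caveat: analyse only the main line so feature-branch builds cannot overwrite it. It is not the nestjs-template's own Jenkinsfile. It assumes a SonarQube server entry in Jenkins named sonar-gs-mil whose token is stored as a Jenkins credential, a global tool named SonarScanner, a project key of my-team-my-service, a jest-based `npm test`, and a webhook on the SonarQube server pointing back at Jenkins (without the webhook, `waitForQualityGate` sits there until the timeout fires).

```groovy
// Added example: a declarative Jenkinsfile wiring SonarQube into a Node/NestJS
// build. Not the nestjs-template's Jenkinsfile; the names below are assumptions.
pipeline {
  agent any

  environment {
    // Project key as created through my.gs.mil (assumed value).
    SONAR_PROJECT_KEY = 'my-team-my-service'
    // Scanner CLI registered under Manage Jenkins -> Global Tool Configuration
    // with the (assumed) name 'SonarScanner'.
    SCANNER_HOME = tool 'SonarScanner'
  }

  stages {
    stage('Test') {
      steps {
        // Produce coverage first so the analysis stage can import it.
        sh 'npm ci && npm test -- --coverage'
      }
    }

    stage('SonarQube analysis') {
      // The instance keeps a single report per project (no branch analysis),
      // so only master is analysed; feature branches rely on SonarLint locally.
      when { branch 'master' }
      steps {
        // withSonarQubeEnv resolves the server entry (assumed name 'sonar-gs-mil'),
        // hands its URL and token to the scanner through the environment, and
        // remembers the analysis task so waitForQualityGate() can look it up.
        // The token therefore never appears in the Jenkinsfile or the build log.
        withSonarQubeEnv('sonar-gs-mil') {
          // Single-quoted Groovy string: the shell expands the variables, not
          // Groovy, so nothing injected by the wrapper is echoed via interpolation.
          sh '''
            "$SCANNER_HOME/bin/sonar-scanner" \
              -Dsonar.projectKey="$SONAR_PROJECT_KEY" \
              -Dsonar.sources=src \
              -Dsonar.exclusions='**/*.spec.ts' \
              -Dsonar.tests=src \
              -Dsonar.test.inclusions='**/*.spec.ts' \
              -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
          '''
        }
      }
    }

    stage('Quality gate') {
      when { branch 'master' }
      steps {
        // Waits for the server's webhook to deliver the computed result, then
        // fails the build if the project's gate ("Mayhem Way") is not OK.
        // The timeout keeps a missing webhook or a stuck server from hanging
        // the pipeline indefinitely.
        timeout(time: 10, unit: 'MINUTES') {
          waitForQualityGate abortPipeline: true
        }
      }
    }
  }
}
```

The analysis and gate stages are split on purpose: the scanner returns as soon as it has uploaded the report, while the server computes the gate result asynchronously, so the build has to wait for the webhook before it can decide. Older SonarTS plugin versions read `sonar.typescript.lcov.reportPaths` instead of the JavaScript property shown here.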
Resources/Guide
SonarQube
By Joe Meilinger