SonarQube Walkthrough

What?

  • Static code analysis tool that checks for code style, complexity, security, repetition, and other common issues
  • Supports many languages
  • Part of the GEOINT Services CI/CD stack
  • Integrated into our Jenkins pipelines for every project
  • The instance we use (UNCLASS) is located at https://sonar.gs.mil

Why?

  • Helps to enforce code quality, standards adherence, and readability
  • Combined, these efforts are meant to reduce future maintenance costs and ramp-up times for developers

Project setup

  • The Jenkinsfile in the nestjs-template does all of the required Jenkins setup for SonarQube support in your CI/CD pipeline
  • Create a SonarQube-only project via https://my.gs.mil to register your project in SonarQube (typically done by the CI/CD team or project owner)
    • Make sure the project uses the "Mayhem Way" quality gate
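The sketch below is an added example of the shape such a pipeline takes; it is not the nestjs-template's actual Jenkinsfile. It assumes the SonarQube Scanner for Jenkins plugin, a SonarQube server configured in Jenkins under the (assumed) name `sonar`, a webhook from SonarQube back to Jenkins (required for `waitForQualityGate`), a project key placeholder, and `sonar-scanner` available through `npx`. The point it illustrates is that the quality gate is only enforced if the pipeline actually waits for it and fails the build when the gate is not passed.

```groovy
// Added illustration, not the nestjs-template Jenkinsfile.
// Assumptions: SonarQube server named 'sonar' in Jenkins, the Sonar Scanner
// plugin installed, a SonarQube -> Jenkins webhook configured, and coverage
// written to coverage/lcov.info by the test step.
pipeline {
    agent any
    stages {
        stage('Test') {
            steps {
                // Produce an lcov report so SonarQube can report coverage
                sh 'npm ci && npm run test -- --coverage'
            }
        }
        stage('SonarQube analysis') {
            steps {
                // withSonarQubeEnv injects the server URL and auth token for the named server
                withSonarQubeEnv('sonar') {
                    sh '''
                      npx sonar-scanner \
                        -Dsonar.projectKey=PLACEHOLDER-project-key \
                        -Dsonar.sources=src \
                        -Dsonar.tests=src \
                        -Dsonar.test.inclusions="**/*.spec.ts" \
                        -Dsonar.exclusions="**/*.spec.ts" \
                        -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
                    '''
                }
            }
        }
        stage('Quality gate') {
            steps {
                // Block until SonarQube reports the gate result via its webhook, then
                // fail the build if the project's gate (here, "Mayhem Way") is not OK.
                // Without this stage a failing gate is visible only in the UI and
                // never stops the pipeline.
                timeout(time: 10, unit: 'MINUTES') {
                    script {
                        def qg = waitForQualityGate()
                        if (qg.status != 'OK') {
                            error "Quality gate failed: ${qg.status}"
                        }
                    }
                }
            }
        }
    }
}
```

The `timeout` around `waitForQualityGate` matters: if the webhook is misconfigured the step would otherwise hang the build indefinitely rather than surfacing the problem.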

Basics of the SonarQube UI walkthrough

Wait, so I have to push my code to find issues to fix?!

Enter: VS Code setup

Caveats

  • The current GEOINT Services instance of SonarQube is the developer edition, which has limitations, most prominently:
    • Lack of multibranch reporting
  • Which means:
    • Any Jenkins build for your project (on any branch) will overwrite the last report, AND
    • Any resolution done through the SonarQube UI will NOT be persisted (e.g. marking a false positive)

Resources/Guide

SonarQube

By Joe Meilinger
