SonarQube Walkthrough

What?

• Static code analysis tool that checks for code style, complexity, security, repetition, and other common issues
• Supports many languages
• Part of the GEOINT Services CI/CD stack
• Integrated into our Jenkins pipelines for every project
• The instance we use (UNCLASS) is located at https://sonar.gs.mil

Why?

• Helps to enforce code quality, standards adherence, and readability
• Combined, these efforts are meant to reduce future maintenance costs and ramp-up times for developers

Project setup

• The Jenkinsfile as part of the nestjs-template does all of the required Jenkins setup for SonarQube support in your CI/CD pipeline
• Create SonarQube-only project via https://my.gs.mil to create your project in SonarQube (typically done by CI/CD team or project owner)
  • Need to be sure the project uses the "Mayhem Way" quality gate

Basic of the SonarQube UI walkthrough

https://sonar.gs.mil

Wait?  So I have to push my code to find issues to fix?!?!

Enter: VS Code setup

• Install the SonarLint extentsion
• Generate your personal token in SonarQube
  • My Account -> Security -> [Enter a token name] -> "Generate"
  • Save your token!  After creation, you won't be able to retrieve it, but you can easily generate a new one.
• See https://marketplace.visualstudio.com/items?itemName=SonarSource.sonarlint-vscode for more info

Caveats

• The current GEOINT Services instance of SonarQube is the developer edition which has limitations, most prominently:
  • Lack of multibranch reporting
• Which means: Any Jenkins build for your project (on any branch) will overwrite the last report AND
• Any resolution done through the SonarQube UI will NOT be persisted (eg. marking a false positive, etc)

Resources/Guide

• https://usms.nga.mil/confluence/display/SPYKE/SonarQube