SonarQube Walkthrough
What?
Static code analysis tool that checks for code style, complexity, security, repetition, and other common issues
Supports many languages
Part of the GEOINT Services CI/CD stack
Integrated into our Jenkins pipelines for every project
The instance we use (UNCLASS) is located at
https://sonar.gs.mil
Why?
Helps to enforce code quality, standards adherence, and readability
Combined, these efforts are meant to reduce future maintenance costs and ramp-up times for developers
Project setup
The Jenkinsfile as part of the nestjs-template does all of the required Jenkins setup for SonarQube support in your CI/CD pipeline
Create a SonarQube-only project via https://my.gs.mil (typically done by the CI/CD team or the project owner)
Need to be sure the project uses the "Mayhem Way" quality gate
Basics of the SonarQube UI walkthrough
https://sonar.gs.mil
Wait? So I have to push my code to find issues to fix?!?!
Enter: VS Code setup
Install the SonarLint extension
Generate your personal token in SonarQube
My Account -> Security -> [Enter a token name] -> "Generate"
Save your token! After creation, you won't be able to retrieve it, but you can easily generate a new one.
See
https://marketplace.visualstudio.com/items?itemName=SonarSource.sonarlint-vscode
for more info
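The token from the previous step is what SonarLint uses for "connected mode", so that the rules and quality profile applied in the editor match the server instead of SonarLint's defaults. The settings below are an added example, not from the SonarLint documentation or the nestjs-template; the connection id and project key are placeholders, and the token itself is not stored in this file (SonarLint prompts for it and keeps it in VS Code's secret storage):

```jsonc
{
  // Added example: VS Code settings.json (user-level, or .vscode/settings.json
  // in the repository) for SonarLint connected mode against the UNCLASS instance.
  // "gs-sonar" and "my-nestjs-service" are placeholder values; use the project
  // key shown in the SonarQube UI for your project.
  "sonarlint.connectedMode.connections.sonarqube": [
    {
      "connectionId": "gs-sonar",
      "serverUrl": "https://sonar.gs.mil"
    }
  ],
  "sonarlint.connectedMode.project": {
    "connectionId": "gs-sonar",
    "projectKey": "my-nestjs-service"
  }
}
```

After saving, SonarLint asks for the token the first time it connects; if you regenerate the token in SonarQube later, update it through the SonarLint connection settings rather than editing this file.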
Caveats
The current GEOINT Services instance of SonarQube is the developer edition which has limitations, most prominently:
Lack of multibranch reporting
Which means: Any Jenkins build for your project (on any branch) will overwrite the last report AND
Any resolution done through the SonarQube UI will NOT be persisted (e.g. marking a finding as a false positive)
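Because the Developer Edition keeps a single report per project, the practical mitigation is to publish analysis from one branch only and to make that build fail when the quality gate fails. The pipeline below is an added example, not the nestjs-template's Jenkinsfile: it assumes the Jenkins SonarQube Scanner plugin is installed, a server named 'GS-SonarQube' and a scanner tool named 'SonarScanner' are configured in Jenkins, the integration branch is named master, and SonarQube has a webhook back to Jenkins (which waitForQualityGate relies on).

```groovy
// Added example (assumptions: server 'GS-SonarQube', tool 'SonarScanner',
// branch 'master' and a SonarQube->Jenkins webhook are all configured).
pipeline {
    agent any
    stages {
        stage('Build & Test') {
            steps {
                sh 'npm ci && npm run test -- --coverage'
            }
        }
        stage('SonarQube analysis') {
            // Only the integration branch publishes a report; feature-branch
            // builds would otherwise overwrite it and discard UI resolutions.
            when { branch 'master' }
            steps {
                script {
                    def scannerHome = tool 'SonarScanner'
                    // withSonarQubeEnv injects the server URL and its token
                    // into the environment for the scanner invocation.
                    withSonarQubeEnv('GS-SonarQube') {
                        sh """
                            ${scannerHome}/bin/sonar-scanner \\
                              -Dsonar.projectKey=my-nestjs-service \\
                              -Dsonar.sources=src \\
                              -Dsonar.tests=src \\
                              -Dsonar.test.inclusions=**/*.spec.ts
                        """
                    }
                }
            }
        }
        stage('Quality gate') {
            when { branch 'master' }
            steps {
                // Wait for the server-side gate evaluation and abort the build
                // when the project's gate (here the "Mayhem Way" gate) fails.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
}
```

Feature branches still get the same rules locally through SonarLint connected mode, so restricting the server-side analysis to one branch loses no coverage in the editor, only the per-branch reports that this edition cannot keep anyway.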
Resources/Guide
https://usms.nga.mil/confluence/display/SPYKE/SonarQube