SonarCloud Integration with SpringBoot-Maven

In this article, I write up the detailed steps for scanning your code with SonarCloud by running the Maven Sonar plugin locally.

Configuring Sonar quality gates at a very early stage of development is an important step: it eliminates last-minute surprises!

More importantly, if you do the Sonar configuration at a later stage, fixing Sonar issues becomes more complex because of the high code density, and you will then have to perform more regression and integration tests to make sure the Sonar fixes do not break existing functionality. Hence, get Sonar configured at an early stage and FAIL FAST!

Let's get started,

1) SonarCloud Configuration

This involves the steps below:

Creating an organization
Adding a project to your organization
Generating a security token

Before you begin, go to https://sonarcloud.io and create your account.

Once you have logged in, follow the steps below.

Creating an organization

A) At the top right, click the + icon and select "Create New Organization".
B) You will see the screen below; fill in the details and click "continue".



C) On the next screen, select the free plan and click "create organization".

D) You will see the screen below:


Adding a project to your organization

E) Click "Create New Project". On the next screen you will have two tabs, "select repositories" and "create manually": you can select your GitHub repository or create the project manually.

If you don't have a GitHub project, that's fine: go ahead with the "Create Manually" option, enter the details below and click "Create".

Organization - <the organization name you created in step 1.B above>
Project Name - <any name you like>
Project Key  - <groupId.artifactId from your pom.xml>


F) Once you have created the project in your organization, you will see the screen below.



Generating a security token

G) Click "Configure Analysis" on the screen above, and you will see the screen below.

H) Generate the token and copy it. On the next screen, you will see the option to choose your project language and build technology. Once you select Maven or Gradle, it shows you the command to run Sonar with Maven or Gradle, which I explain below in the "Using the Code" section.

This completes the SonarCloud configuration. Next, let's see how to generate a Sonar report on SonarCloud by running Maven on the local project.

2) Using the Code

Step 1: Add the Sonar Maven plugin
Go to your pom.xml and add the plugin below to enable SonarQube scanning on your project.

<plugin>
  <groupId>org.sonarsource.scanner.maven</groupId>
  <artifactId>sonar-maven-plugin</artifactId>
  <version>3.3.0.603</version>
  <executions>
    <execution>
      <phase>verify</phase>
      <goals>
        <goal>sonar</goal>
      </goals>
    </execution>
  </executions>
</plugin>

Step 2: Run the command below to scan your code against the SonarCloud server (note that the backslashes must be the last character on each line, with no trailing spaces, or the shell will not join the lines)

mvn clean verify -P sonar \
  -Dsonar.host.url=https://sonarcloud.io \
  -Dsonar.organization=<organization name created in step 1.B above> \
  -Dsonar.login=<token generated in step 1.G above>
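As an added example (not code from the article), assuming you are free to create a separate Maven settings file, the script below derives the Project Key from pom.xml as groupId.artifactId and moves the token into a private settings.xml profile named sonar (the profile the -P sonar flag activates), so the token does not sit on the command line or in shell history. The function names, the sample pom and the token value are constructed for illustration.

```shell
# Added example, not from the article: keep the SonarCloud token off the mvn
# command line by putting it in a private Maven settings.xml profile named
# "sonar" (the profile the article's "-P sonar" flag activates).
set -eu

# Constructed Spring Boot pom fragment used to exercise the functions below.
SAMPLE_POM='<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.1.0.RELEASE</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
</project>'

# Project Key as the article defines it (groupId.artifactId). The <parent>
# block is dropped first, otherwise the first <groupId> found is the parent's.
project_key_from_pom() {
  body=$(sed '/<parent>/,/<\/parent>/d' "$1")
  gid=$(printf '%s\n' "$body" | sed -n 's/.*<groupId>\(.*\)<\/groupId>.*/\1/p' | head -n 1)
  aid=$(printf '%s\n' "$body" | sed -n 's/.*<artifactId>\(.*\)<\/artifactId>.*/\1/p' | head -n 1)
  printf '%s.%s\n' "$gid" "$aid"
}

# Write a settings.xml readable only by its owner (umask 077 in a subshell),
# so the token stays out of shell history and `ps` output.
write_sonar_settings() {
  out="$1"; org="$2"; token="$3"
  (umask 077; cat > "$out") <<EOF
<settings>
  <profiles>
    <profile>
      <id>sonar</id>
      <properties>
        <sonar.host.url>https://sonarcloud.io</sonar.host.url>
        <sonar.organization>${org}</sonar.organization>
        <sonar.login>${token}</sonar.login>
      </properties>
    </profile>
  </profiles>
</settings>
EOF
}

# Same goals as the article's command; host, organization and token now come
# from the "sonar" profile in the private settings file instead of -D flags.
run_scan() {
  mvn clean verify -P sonar -s "$1" -Dsonar.projectKey="$2"
}
```

Call it as run_scan "$HOME/.m2/sonar-settings.xml" "$(project_key_from_pom pom.xml)" after writing the settings file once with write_sonar_settings.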

Step 3: Analyze the Maven output

You will see the code compiling and all your test cases running.



The Spring application starts and runs all the integration test cases written with the ZeroCode framework.



Once all your test cases have passed, the Maven Sonar plugin does its magic and scans your code against the Sonar rules.



You can see in the highlighted text that the Sonar sensors are running on the code: JaCoCoSensor, the vulnerability checks, JavaSecuritySensor, and so on.



Finally, you see the build succeed, and you can view the report on SonarCloud.



Notice that on SonarCloud your project now shows its code quality metrics. Just refresh your project on SonarCloud and see the metrics below.



Click on the project and look into the details of the reported issues.

Fix the issues, run the Maven Sonar scan again locally, and when the code comes back clean you are ready to commit and push.

Hope this helps. Leave your thoughts on the comments section.
