This page describes how to use Bitbucket in combination with SonarQube to have your source code analysed. You are just a couple of simple steps away:
- Create a local copy of your repository on your PC
- Install the SonarQube scanner
- Run SonarQube and review the results
We guide you through the steps by referencing a simple "training" project in SonarQube named omarsWP9T2 (SonarQube key: DemoKey), which is a plain Java project (not Maven, Gradle, etc.).
For easy guidance throughout this manual, we use a handful of pseudo-names that help keep your local setup aligned with the SonarQube installation requirements:
| Pseudo-name | Meaning |
|---|---|
| | Name of the branch under consideration. Can optionally be used in combination with PATH_OF_REPOSITORY. |
| PATH_OF_REPOSITORY | Pathname of your Git project (GitHub, Bitbucket, etc.). |
| SQ_SCANNER_INSTALL_DIR | Local installation directory of the SonarQube scanner. |
| SQ_PROJECT_LOCAL_INSTALL_DIR | Local installation directory of your project on your computer. |
| SONARQUBE_TOKEN | Your SonarQube token. This is usually created when a project is entered into SonarQube, but can also be newly requested if needed. |
Clone your Bitbucket repository
First you need to clone the Bitbucket repository to your local machine.
Clone your project repository
Prepare the SonarQube scanner
The following steps are necessary to prepare the SonarQube scanner.
Install the SonarQube scanner
To install the scanner on your machine please follow instructions here.
Once installed, the SonarQube scanner resides in its own directory on your local machine, which is usually different from the location of your development project. We refer to the scanner's installation directory as SQ_SCANNER_INSTALL_DIR.
Create a token in SonarQube (optional step)
This step can be omitted when you have already created and SAVED your SonarQube token. If you have not done it before or if you have forgotten your SonarQube token, please follow the SonarQube description here for more info on generating tokens.
Remember your SonarQube token (now referred to as SONARQUBE_TOKEN). You will need it in the next step.
Edit the sonar-scanner.properties file
There are a variety of options, all of which adjust the SonarQube scanner to your environment. They are set in the file sonar-scanner.properties, which is found in the <SQ_SCANNER_INSTALL_DIR>/conf directory.
We recommend working with the following parameters:
sonar-scanner.properties - example
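As an added illustration (not the page's own example file), a minimal sonar-scanner.properties for the scanner's conf directory; the server URL is a placeholder for your own SonarQube instance, and sonar.sourceEncoding is an optional extra:

```properties
# Added example, not the original page's file. Replace the URL with your SonarQube server.
sonar.host.url=http://localhost:9000
sonar.sourceEncoding=UTF-8
# Keep credentials out of this file: supply SONARQUBE_TOKEN at run time instead
# (SONAR_TOKEN environment variable or -Dsonar.token=...; older scanners use sonar.login).
```

Because this file lives in SQ_SCANNER_INSTALL_DIR rather than in the repository, it is the right place for server settings, but a token stored here is still readable by anyone with access to the scanner installation, so it is better passed at run time.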
Add the SonarQube scanner to your PATH variable
Add the executable directory of the SonarQube scanner (<SQ_SCANNER_INSTALL_DIR>/bin) to your PATH environment variable. Typical installation directories are:
- Linux (referred to as $PATH):
- Windows (referred to as %PATH%): C:\sonar-scanner\bin
You can verify your installation by opening a new command prompt/terminal window and executing the command
Your output should look similar to the following:
Test the PATH variable
Then, to run the scanner on a specific project, do the following:
- Create a configuration file named sonar-project.properties in the root directory of the project (SQ_PROJECT_LOCAL_INSTALL_DIR). This file needs the following properties (comments must be on their own lines; a trailing "# ..." after a value becomes part of the value):
sonar-project.properties - example
```properties
# This is the ProjectKey found in the SonarQube list of projects
sonar.projectKey=demo-omars-project
# Needs to point to the source files
sonar.sources=.
# This is the path to the compiled .class files (Java bytecode) to be analyzed
sonar.java.binaries=<path-to-compiled-classes>
```
Analyse your project
Run the SonarQube scanner
Now that the setup and files are configured, all you need to do is run sonar-scanner from within the project's directory.
The command line should eventually show "EXECUTION SUCCESS", as depicted below:
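To tie the two previous steps together (creating sonar-project.properties and running the scanner), here is an added shell example that is not part of the original page. It writes the properties file described above, refuses to run if a credential has been placed in that file (it is committed with the source), and launches the scanner with the token taken from the SONARQUBE_TOKEN environment variable. Assumptions: sonar-scanner is on PATH, the server URL is in SONAR_HOST_URL, the compiled classes live in target/classes, and the scanner honours the SONAR_TOKEN environment variable (SonarScanner 5.x; older versions use -Dsonar.login):

```sh
#!/bin/sh
# Added example (not from the original page): generate the sonar-project.properties
# described above and launch the scanner with the token supplied at run time.
# Assumptions: "sonar-scanner" is on PATH, it honours the SONAR_TOKEN environment
# variable (SonarScanner 5.x; older versions use -Dsonar.login), and the server
# URL is given in the SONAR_HOST_URL environment variable.

# write_sonar_properties DIR KEY CLASSES_PATH
# Writes DIR/sonar-project.properties. Comments go on their own lines because a
# trailing "# ..." after a value would become part of the value.
write_sonar_properties() {
    cat > "$1/sonar-project.properties" <<EOF
# ProjectKey as listed in SonarQube
sonar.projectKey=$2
# Source files, relative to this file
sonar.sources=.
# Compiled .class files to analyse
sonar.java.binaries=$3
sonar.sourceEncoding=UTF-8
EOF
}

# check_no_token_in_file FILE
# Returns 1 if FILE carries credentials; sonar-project.properties is committed
# with the source, so the token must never be stored in it.
check_no_token_in_file() {
    if grep -qiE '^[[:space:]]*sonar\.(token|login|password)[[:space:]]*=' "$1"; then
        echo "credentials found in $1, refusing to continue" >&2
        return 1
    fi
    return 0
}

# run_scan DIR
# Runs the scanner from the project directory; the token comes from SONARQUBE_TOKEN.
run_scan() {
    [ -n "$SONARQUBE_TOKEN" ] || { echo "SONARQUBE_TOKEN is not set" >&2; return 2; }
    check_no_token_in_file "$1/sonar-project.properties" || return 3
    # Handing the token over through the environment keeps it out of the process
    # argument list, where -Dsonar.token=... would be visible to other local users.
    ( cd "$1" && SONAR_TOKEN="$SONARQUBE_TOKEN" sonar-scanner -Dsonar.host.url="$SONAR_HOST_URL" )
}

# Usage (constructed values, adapt to your project):
# write_sonar_properties "$SQ_PROJECT_LOCAL_INSTALL_DIR" demo-omars-project target/classes
# SONARQUBE_TOKEN=... SONAR_HOST_URL=http://localhost:9000 run_scan "$SQ_PROJECT_LOCAL_INSTALL_DIR"
```

The token check is deliberately strict: a token in sonar-project.properties ends up in every clone of the repository, whereas a token set only in the shell that runs the scan stays on the machine that performs the analysis.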
View your project in SonarQube
That's all. Now you can go to the SonarQube web interface to view the results of the analysis:
A typical SonarQube analysis includes:
- Home Page: provides a summary of the entire analysis: Bugs, Vulnerabilities, Code Smells, Coverage and Duplication.
- SonarQube, based on its policies, performs a code analysis to find the issues in your code like conventions, security, performance, error-handling, etc.
- Depending on the policies, it raises issues for the user to address.
- Additionally, it provides the amount of effort required to address those issues.
- SonarQube also provides interesting graphical visualization of various statistics related to the analysis results.
- Coverage: helps you determine the percentage of code covered by unit tests. It lets every product owner check in a few minutes how many unit tests are implemented for the project. It provides a graphical representation of each file's test coverage and indicates the number of uncovered lines.
- Duplications: Displays duplicate blocks, lines and files.
SonarQube results in Bitbucket:
In Bitbucket you have to enable Sonar. This can be done from your repository settings: on the left-hand side, click "Sonar" under ADD-ONS. This opens the Sonar settings page on the right; click "Sonar Enabled" as shown below.
Also enable "Use new Sonar branching and pull request support" here. DO NOT FORGET TO SAVE.
Then, if you go back to your repository's main page, you will find the Sonar analysis results at the top.
You can click on the results to be redirected to the project's issues section on the SonarQube website.
SonarQube is a powerful platform for continuous inspection of source code and various aspects pertaining to quality and best practices. Integrating SonarQube analysis into pull requests in Bitbucket server makes this very useful for developers. SonarQube's website has more information on the product.
Additionally, there is an integration between GitLab CI and SonarQube: