Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Input

Perform automatic code analyze is becoming increasingly popular among developers, thanks to its benefits. The most obvious, it helps developer to write more clean and understandable code. In addition, this analysis helps to trace potential bugs and problems automatically, without expending effort on writing tests. It also helps to find duplicate code.

Perform an analysis is usually simple and fast.  Many of these can be integrated with software for continuous integration. To perform an analyze, it is obviously necessary an access to source code. Analyzer must scan all source code: without it, there is no way to perform test.

A tester should read, if possible, all documentations about code and its development procedure, to understand the history of its development. With this information, the tester can make predictions about the possible outcome of analyze.

Developers who make use of automatic analysis of the code will improve their coding skills, learning from their mistakes.

An automatic source code review had even benefits with DevOps. These checks allows migrating new code into production with a fast and reliable inspection. Positive effects occur even on budget. A bad-written code has a cost of maintenance that can erode software value. Usually, about 20% of the average budget is to support the development. Actual studies have indicated that well written code comes in around 5%.

 

Procedures

SonarQube is an open source platform for continuous inspection of code quality.

It covers lots of languagesJavaC/C++Objective-CC#PHPFlexGroovyJavaScriptPythonPL/SQLCOBOL, etc…

After a test, Sonar offers reports and metrics, like duplicated codecoding standardsunit testscode coveragecode complexitypotential bugscomments and design and architecture. It implements SQALE methodology to compute technical debt.

It even provide metrics history, evolution graphs and differential views.

Sonar can be integrates with MavenAntGradlecontinuous integration tools (Like Atlassian Bamboo or Jenkins…),  Eclipse development environment and other external tools (JIRAMantisLDAPFortify, etc.). It is expandable with the use of plugins.

Sonarqube is made of three parts:

-          Sonarqube Server

-          Sonarqube Client

-          Source code

Server sonarqube, having the database in the analysis and the web interface, must be accessible from the client machines.

All instruction for Sonarqube server installation is available here: http://docs.sonarqube.org/display/SONAR/Installing+the+Server

Sonarqube client contains bin file for execution and configuration files.

Bin file is executed from the folder containing the source code. To function, the folder where you run must be a file sonar.properties, described below.

Configuration file contains the information to access the database server sonarqube, such as address, login and password, version ...

Once Sonarqube environment is ready (client and server), the final part is to prepare sonar.properties file with project information. Besides containing information such as project name, version, and description, this file may contain paths to be excluded from test, or software language to analyze (in case you have more than one language, otherwise languages are identified all).

Ouput

Sonarqube produces a list of metrics and issues after performing a test.

Metrics are useful for understand information like how many LoC, how many lines of comments, duplications and many more.

Issues gave useful information about code. Every tag represents a defined problem in source code. It is not easy to define which issues are useful for analysis of the code and which are not.

For example, issues about variable name that does not comply with standard are not much useful information. Issues about function too long or with too many cycles are more useful, because we can understand that code is not clear or easy to understand.

Here's a list of sonarqube tags:

TagsExplanation
Brain-overloadThose issues are related to difficult code, deep nested cycle
Bad-practice

the code likely works as designed, but the way it was designed is widely recognized as being a bad idea

Bug

Issues about something wrong in code and it will probably affect production (bad variable use, unit test failed…)

CERTrelated to CERT standard
Clumsy

extra steps are used to accomplish something that could be done more clearly and concisely. (E.G. calling .toString() on a String)

Confusingwill take maintainers longer to understand than is really justified by what the code actually does
Conventioncoding convention - typically formatting, naming, whitespace...
CWE

relates to Common Weakness Enumeration

Designthere is something questionable about the design of the code
Lock-inenvironment-specific features are used
MISRArelates to MISRA standards
OWASPrelates to OWASP Top Ten security standards
Pitfallnothing is wrong yet, but something could go wrong in the future; a trap has been set for the next guy, & he'll probably fall into it and screw up the code
Sans-top25relates to the SANS Top 25 Coding Errors
Securityrelates to the security of an application
Suspiciousit's not guaranteed that this is a bug, but it looks suspiciously like one. At the very least, the code should be re-examined & likely refactored for clarity
Unpredictable the code may work fine under current conditions, but may fail erratically if conditions change
Unused

unused code, E.G. a private variable that is never used

User-experience

There's nothing technically wrong with your code, but it may make some or all of your users hate you

Issues are divided into 5 category:

Blocker

This issue affects operations and security. These might make the whole application unstable in production.

Critical

This issue affects operations and security. These might lead to an unexpected behavior in production without affecting the integrity of the whole application.

Major

This issue might have a substantial impact on productivity.

Minor

This issue might have a potential and minor impact on productivity.

Info

Not known or yet well-defined security risk or impact on productivity.