SonarQube and Java

SPAZIO IT –
SonarQube and Java
Spazio IT
SonarQube
And
Java
Maurizio Martignano
Spazio IT – Soluzioni Informatiche s.a.s
Via Manzoni 40
46030 San Giorgio di Mantova, Mantova
http://www.spazioit.com
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
1
Agenda
 SonarQube
 Tools
 IDEs
 Continuous Integration
 Hands on the Platform
 Processes
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
2
SonarQube
Code Quality Platform
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
3
SonarQube – What is it?
 SonarQube is an open source Web Application
(http://www.sonarqube.org) which
– Takes in input a set of source code files and a set of
analyses results (produced by external tools).
– Stores both sources and results in a database.
– Makes available the gathered information via a
dynamic website where the results are shown in the
context of the code itself.
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
4
SonarQube – What is it?
Source Code
Files
SonarQube
Engine
Analyses
Results
SonarQube
Database
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
5
SonarQube / Plugins / Sensors
Plugin-1
e.g. Ada
Pre-Processing
e.g. scanning
and parsing
Sensor-1
eg. CppCheck
SonarQube
Plugin-I
Sensor-J
e.g. C/C++
e.g. PC-Lint
Sensor-M
e.g. GCOV
Plugin-M
e.g. Java
Post-Processing
e.g. CPD, Decorators
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
6
SonarQube – There’s more
 Analyses on the same code base can be performed at
different moments in time and SonarQube keeps track of
the changes/evolution.
 The problems found during analyses (a.k.a. issues) can be
managed directly from within the system itself, e.g.
– Identifying false positives
– Assigning issues to developers
– Checking their status (if they have been solved)
– …
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
7
SonarQube - Screenshots
http://sonarsrv.spazioit.com/
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
8
SonarQube - Screenshots
http://sonarsrv.spazioit.com/
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
9
SonarQube - Screenshots
http://sonarsrv.spazioit.com/
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
10
SonarQube - Screenshots
http://sonarsrv.spazioit.com/
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
11
SonarQube = Tools (+ Platform)
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
12
Tools Classification
Testing
(U, I, A)
Dynamic Analysis
Coverage
Real Time Analysis
Tools
Patterns Matching
Standards / Guidelines
Bugs Finding
SD Stuff, e.g.:
Model Checking,
Abstract
Interpretation
Metrics
Quality Models (?)
Static Analysis
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
Education / Learning
13
Tools: Java
JUnit
Dynamic Analysis
Cobertura, Clover
ThreadSafe
Tools
Patterns Matching
Checkstyle
SonarQube JavaPlugin
FindBugs, PMD
Opal, Soot,
JPF,
?
Static Analysis
SonarQube JavaPlugin
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
Education / Learning
SonarQube
SqualePlugin
14
SonarQube Integration with IDEs
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
15
SonarQube and Visual Studio
(C/C++)
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
16
SonarQube and Eclipse (Java)
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
17
SonarQube and Eclipse (C/C++)
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
18
SonarQube and Oracle
JDeveloper (Java)
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
19
SonarQube and Continuous
Integration
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
20
SonarQube and Jenkins
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
21
SonarQube and Jenkins
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
22
SonarQube and Jenkins
 Running SonarQube
Analyses:
– Sonar-Runner
– Maven
– Ant
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
 Where?
– SonarQube analyses
can be distributed.
– Jenkins and all the
others CI systems
allow for distributed
execution of builds and
build steps.
– The analyses should
take place where the
code is.
23
Hands On the Platform…
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
24
Processes
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
25
Who does what?
 All nowadays Integrated Development Environments
(IDEs) like GNAT GPS 2016, Visual Studio 2013, Eclipse
Luna, offer some form of Code Analysis.
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
26
Who does what?
 IDE’s analysis tools are to be used by software developers
during their everyday work.
 SonarQube analyses are more for the «quality people» and they
are not supposed to be executed everyday, but rather at
specific /well defined moments in the software development
life cycle.
 SonarQube analyses can also be used by software developers
to:
– Execute project defined analyses
– Complement the IDE analysis capabilities
– Increase the “awareness” on the programing language
(Educational)
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
27
When?
 SonarQube analyses should be performed after any
«significant» delivery in a software development project,
e.g. using ECSS 40 terminology, at:
– CDR
– QR
– AR
 In maintenance projects SonarQube analyses should be
performed after any «significant» new delivery, e.g.
supposing a versioning like:
major.minor[.build[.revision]]
After every «minor» delivery.
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
28
Thank you for your time!
Software
Spazio IT
October 2016
© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
29