SonarQube

SonarQube is an open source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities.

sonar-project.properties file

This file needs to be located in the root of the repository you want to have analysed. For example:

# Project Key (required)
sonar.projectKey=test-spring-boot

# Project Name (optional, this is what is shown in the main list)
sonar.projectName=test-spring-boot

# Comma-separated paths to directories with sources (required)
sonar.sources=src

# Forced Language (optional)
sonar.language=java

# Encoding of the source files (optional but recommended as default is ASCII)
sonar.sourceEncoding=UTF-8

# Plugin-specific settings
sonar.java.binaries=build/classes
sonar.java.libraries=build/libs
sonar.junit.reportPaths=build/test-results/test

The general settings are documented at https://docs.sonarqube.org/display/SONAR/Analysis+Parameters. Plugin-specific parameters can be found in the docs for each plugin, e.g. https://docs.sonarqube.org/display/PLUG/Java+Plugin+and+Bytecode.

Scanning in Jenkins pipelines

There’s a prebuilt stage (odsComponentStageScanWithSonar) that you can use, see https://www.opendevstack.org/ods-documentation/ods-jenkins-shared-library/latest/index.html for details.

Scanning locally: SonarLint IDE Plugin

The team behind SonarQube also published SonarLint, a plugin currently available for IntelliJ, Eclipse, Visual Studio, VS Code and Atom that lets you scan while coding in your IDE. It also integrates with a SonarQube Server, so that you can scan with the servers rule settings. For further information please see https://www.sonarlint.org/intellij/howto.html. For the server connected mode, the SonarQube URL has to be set to your SonarQube deployment.

Scanning locally: SonarQube Docker Container

Be aware that this does not connect you with the SonarQube Server in OpenShift, therefore you might have other rule settings locally than the ones set on server. That said, here’s what you need to do on your host to have a local SonarQube instance:

docker pull sonarqube
docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 sonarqube
./gradlew sonarqube

Running these commands will let you see at http://localhost:9000 your project reports, for any branch. Please, note that you are not running with an embedded database in this case, so it is only for temporary testing, do not expect historic report.