Top interview questions and answers for SonarQube

The SonarQube is a web-based open source platform used to measure and analyses the source code quality. The Code quality analysis makes the code more reliable and more readable.

The SonarQube is written in java but it can analyze and manage code of more than 20 programming languages, including c/c++, PL/SQL, Cobol etc. through plugins. The Plugins extend the functionality of SonarQube. About More than 50 plugins are available.

The SonarQube is maintained by SonarSource.

Interview questions and answers for SonarQube:-

  1. Is SonarQube Replacement for Checkstyle, PMD, FindBugs?

YES and NO

2. Why Yes?

Sonar will run Check Style, Find Bugs and PMD, as well as a few other “plugins” such as Coverture (code coverage) by default for Java projects. The main added value, however, is that it stores the history in a database. You can then see the trend. Are you improving the code base or are you doing the opposite? Only a tool with memory can tell you that.

3. Why Not?

SonarQube is currently on the way to deprecate PMD, Checkstyle and Findbugs and use their own technology to analyze Java code (called SonarJava). They do it, because they don’t want to spend their time fixing, upgrading (or waiting on it) those libraries (e.g. for Java 8), which for example uses outdated libraries. Well at least since SonarQube 6.3+ it seems to be that Findbugs is (at the moment) no longer supported as a plugin.

4. What is the SonarQube Plugins available which can be integrated with Eclipse, IntelliJ IDEA, Visual Studio, Visual Studio Code, and Atom?

SonarLint is an extension to your favorite IDE that provides on-the-fly feedback to developers on new bugs and quality issues injected into their code.

5. Is it right definition of Sonarqube?

SonarQube (formerly Sonar) is a quality management platform focusing on continuous analysis of source code quality.

6. Which is not a severities in this list

  • Blocker
  • Critical
  • Major

7. Is it right defintion of SonarQube Scanners?

The SonarQube Scanner is recommended as the default launcher to analyze a project with SonarQube.

YES

8. How to extend the functionality of SonarQube?

Modules

Plugins (Ans)

Extension

Ads on

9. Which statement is correct?

Sonar will run CheckStyle, FindBugs and PMD by default for Java projects (Ans)

Sonar will run Checkmate by default for Java projects

Sonar will run FindIssue by default for Java projects

Sonar will run PMDtest by default for Java projects

10. Which is not an axis of code quality in SonarQube?

  • Architecture and Design
  • Complexity
  • Potential bugs
  • Code Coverage

11. What is the prerequisite for SonarQube Installation?

  • Java
  • DOTNET
  • JavaScript
  • Php

12. Which is not part of Code Technical Review in SoanrQube?

  • Confirm
  • Change Severity
  • Resolve
  • Submited

13. What is not a search criteria for the rules in SonarQube?

  • Language
  • Type
  • Tag
  • Develop

14. Which is the not found in sonar-project.properties?

  • sonar.projectVersion
  • sonar.sources
  • sonar.code
  • sonar.language

15. Which property should be decalred for SonarQube Project base dir?

  • sonar.projectBaseDir
  • sonar.working.directory
  • sonar.basedir
  • sonar.projectdir

16. Which property should be decalred to tell SonarQube which SCM plugin should be used to grab SCM data on the project

  • sonar.scm.provider (Ans)
  • sonar.scm
  • sonar.git
  • sonar.version

17. Which property should be decalred to tell SonarQube log level?

  • INFO
  • DEBUG
  • TRACE
  • ERROR

18. Which is not supported Log Level in SonarQube?

sonar.log.level

sonar.verbose (Ans)

sonar.log

sonar.loglevel

19. Is it right definition of Code Smell? A maintainability-related issue in the code. Leaving it as-is means that at best maintainers will have a harder time than they should making changes to the code. At worst, they’ll be so confused by the state of the code that they’ll introduce additional errors as they make changes.

YES

20. Is it right definition of Coding Rule? A good coding practice. Not complying to coding rules leads to quality flaws and creation of issues in SonarQube. Coding rules can check quality on files, unit tests or packages.

YES

21. Is it right definition of Analyzer? A client application that analyzes the source code to compute snapshots.

YES

22. Which is not severities in Sonarqube?

  • Options
  • Blocker
  • Major
  • Critical
  • Issues

23. Is it possible to Copy the rules from one profile to another?

YES

24. Is it possible to Copy a profile from one SonarQube instance to another?

YES

25. What is SonarQube?

Sonar is a web based code quality analysis tool for Maven based Java projects. It covers a wide area of code quality check points which include: Architecture & Design, Complexity, Duplications, Coding Rules, Potential Bugs, Unit Test etc.

26. Why use SonarQube?

Sonar covers the 7 sections of code quality

  • Architecture and Design
  • Unit tests
  • Duplicated code
  • Potential bugs
  • Complex code
  • Coding standards
  • Comments

27. What are the advantages of using SonarQube?

  • SonarQube is open source
  • SonarQube supports for various languages like Java, C#
  • SonarQube reports for duplicate code, unit testing, code coverage, code complexity historical
  • We can integrate SonarQube with build tools like ant, gradle
  • SonarQube has Eclipse plugin like Sonarlint
  • SonarQube supports external plugins like plugin for ldap

28.  What are Quality Profiles in SonarQube?

 The Quality Profiles service is central to SonarQube, since it is where you define your requirements by defining sets of rules (ex: Methods should not have a Cognitive Complexity greater than 15).

Ideally, all projects will be measured with the same profile for any given language, but that’s not always practical. For instance, you may find that:

The technological implementation differs from one application to another (for example, different coding rules may apply when building threaded or non-threaded Java applications). You want to ensure stronger requirements on some of your applications (internal frameworks for example).

29.  What are Quality Gates in SonarQube?

 A quality gate is the best way to enforce a quality policy in your organization. It’s there to answer ONE question: can I deliver my project to production today or not? In order to answer this question, you define a set of Boolean conditions based on measure thresholds against which projects are measured. For example:

No new blocker issues Code coverage on new code greater than 80% Etc. Ideally, all projects will be verified against the same quality gate, but that’s not always practical. For instance, you may find that: Technological implementation differs from one application to another (you might not require the same code coverage on new code for Web or Java applications). You want to ensure stronger requirements on some of your applications (internal frameworks for example). Etc.

Which is why you can define as many quality gates as you wish. Quality Gates are defined and managed in the Quality Gates page found in the top menu.

30. What is role of database in SonarQube?

 Sonar uses a Derby or H2 as default database. When running Sonar, it says that these databases may only be used for evaluation. We can change this default database and use our custom DB.

 31. Explain architecture of SonarQube?

SonarQube Architecture               

  32. How to create reports in SonarQube?

 To create reports using SonarQube

mvn clean install

mvn sonar:sonar -Dsonar.issuesreport.html.enable=true

33.  What is difference between SonarQube And SonarLint?

SonarLint:

SonarLint exists only in the IDE (IntelliJ, Visual Studio and Eclipse).

Its aim is to provide immediate feedback as you type in your code.

It focuses on what code you add or update for this function.

SonarLint is an agent that allow us to connect with this SonarQube and execute the analysis remotely.

SonarQube:

SonarQube is a central server which performs full analysis (triggered by the different SonarQube scanners).

The purpose is to give your code base a 360 ° view of the quality. To this end, it periodically analyzes all of the source lines of your project.

Both SonarLint and SonarQube depend on the same analyzers for static source code-most of which are written using SonarSource technology.

 34. Is SonarQube Replacement for Checkstyle, PMD, FindBugs?

By default for Java projects, Sonar will run CheckStyle, FindBugs and PMD, as well as a few other “plugins” such as Cobertura . The main added advantage is that it stores the history in a database.

These 3 tools are used by Sonar as plugins and the data from all three of these tools is applied with a value that displays graphs.

 35. What is difference between Sonar Runner and Sonar Scanner?

The old name for “Scanner” is “Runner.”

All you need to know about the different SonarQube Scanners is available in the Scanners section of the official documentation.

You can use below option,if you are stuck to Java 7:

SonarQube Runner (sonar-runner) up to version 5.5 of SonarQube

SonarQube Scanner (sonar-scanner) 2.6.1

36. What is SonarQube quality profile?

Quality Profiles are a core component of SonarQube, since they are where you define a set of rules that, when violated, should raise issues on your codebase (example: methods should not have a Cognitive Complexity higher than 15). Quality Profiles are defined for each language.

37.  What is SonarQube quality gates?

Quality Gates are the best way to ensure standards are met and governed across all the organization’s projects. Quality Gates can be described as a collection of threshold measures set on your project such as Code Coverage, Technical Debt Measure, Number of Blocker / Critical Issues, Security Rating / Unit Test Pass Rate and more.

38.  What is the use of Sonarqube database?

Sonar is a code quality checking tool. The database could be any relational database such as Oracle, MySQL etc. And it is used to store the results of the analysis which can be viewed with the tool’s UI.

39. Describe the architecture of the Sonar.

The core engine of the platform, Squid, is supported by additional code analyzers that Sonar organizes together to measure quality.

The diagram below shows the top-level components of the platform and how they interact:

40. SonarQube Architecture consist of mainly 4 components:

  • Sonar Scanner
  • Source Code
  • Sonar Analyzer
  • SonarQube Database

41. Why should we use SonarQube?

7 sections of code quality: Architecture and Design

  • Unit tests
  • Duplicated code
  • Potential bugs
  • Complex code
  • Coding standards
  • Comments

42. Why does SonarQube need a database?

SonarQube needs to talk to the database in order to save the results of the analysis.

The SonarQube Runner needs to talk to both the database and the web server. The SonarQube Runner is recommended as the default launcher to analyze a project with SonarQube. This means all the passwords should go to the database.

43. How to delete a project from SonarQube?

Login as administrator.

Go to Administration -> Projects -> Projects Management.

Select the Project(s) you want to DELETE.

Click on Delete button at top right corner.

44. Difference between New Integer vs valueOf?

Integer valueOf(int i) Returns a Integer instance representing the specified int value. If a new Integer instance is not required, this method should generally be used in preference to the constructor Integer(int), as this method is likely to yield significantly better space and time performance by caching frequently requested values.

Here is how the cache is initialized:

public static Integer valueOf(int i) {

    final int offset = 20;

    if (i >= -20 && i <= 21) { // must cache

        return IntegerCache.cache[i + offset];

    }

    return new Integer(i);

}

45. Mention basic steps for SonarQube processing ?

  • Developer develops code and sends its code into repository system like SCM, git.
  • An automatic build is fired in Continuous Integration Server and execution of SonarQube Scanner happens for SonarQube analysis.
  • Report is sent to SonarQube Server for processing.
  • SonarQube Server processes the report and stores the analysis report results in the SonarQube Database and displays the results in the UI.
  • Developers review, comment, challenge their Issues to manage and reduce their Technical Debt through the SonarQube UI.

46. What are rules in SonarQube?

  • SonarQube executes rules on source code to generate issues.
  • There are four types of rules: Code Smell (Maintainability domain)
  • Bug (Reliability domain)
  • Vulnerability (Security domain)
  • Security Hotspot (Security domain)

47. What languages does SonarQube support?

SonarQube includes support for the programming languages Java (including Android), C#, C/C++, JavaScript, TypeScript, Python, Go, Swift, COBOL, Apex, PHP, Kotlin, Ruby, Scala, HTML, CSS, ABAP, Flex, Objective-C, PL/I, PL/SQL, RPG, T-SQL, VB.NET, VB6, and XML.

48. What does SonarQube mean ?

Sonar is a web-based performance analysis tool for Java projects based on Maven. This covers a wide range of quality control points including:

  • Possible Bugs
  • Duplications
  • Architecture & Development
  • Coding Codes
  • Complexity
  • Unit Testing, etc.

SonarQube (formerly Sonar) is an open-source framework developed by SonarSource for continuous inspection of software performance to conduct automated reviews in 20 + programming languages with static code analysis to find bugs, software smells, and security vulnerabilities.

49. Why should SonarQube be used ?

There are two ways you can delete a project:

If you have admin rights, then you can delete the project from its configuration actions.

You can also remove a project from the “Project Management” tab if you are a SonarQube administrator.

50. What does SonarQube And Sonar Lint differ ?

SonarQube has a server associated with it.

SonarQube is a central server that processes full analyses which is triggered by the various SonarQube Scanners. Its purpose is to give a 360° vision of the quality of your code base. For this, it analyzes all the source lines of your project on a regular basis.

SonarQube is a server where you can host your projects and execute analysis

Sonar lint works more like a plugin.

Sonar Lint lives only in the IDE (IntelliJ, Eclipse and Visual Studio). Its purpose is to give instantaneous feedback as you type your code. For this, it concentrates on what code you are adding or updating.

Sonar Lint is an agent that allow us to connect with this SonarQube and execute the analysis remotely.

Both Sonar Lint and SonarQube rely on the same static source code analyzers – most of them being written using SonarSource technology. SonarQube also performs scans with 3rd party analyzers like find Bugs, check style, PMD etc. whereas Sonar Lint does not include those. Sonar Lint will not inherit those custom rules from SonarQube, secondly Sonar does not work on Test classes.

Here is Video link that will help you:-

Rajesh Kumar
Follow me
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x