Slide 1
Most trusted JOB oriented professional program
DevOps Certified Professional (DCP)

Take your first step into the world of DevOps with this course, which will help you to learn about the methodologies and tools used to develop, deploy, and operate high-quality software.

Slide 2
DevOps to DevSecOps – Learn the evolution
DevSecOps Certified Professional (DSOCP)

Learn to automate security into a fast-paced DevOps environment using various open-source tools and scripts.

Slide 2
Get certified in the new tech skill to rule the industry
Site Reliability Engineering (SRE) Certified Professional

A method of measuring and achieving reliability through engineering and operations work – developed by Google to manage services.

Slide 2
Master the art of DevOps
Master in DevOps Engineering (MDE)

Get enrolled for the most advanced and only course in the WORLD which can make you an expert and proficient Architect in DevOps, DevSecOps and Site Reliability Engineering (SRE) principles together.

Slide 2
Gain expertise and certified yourself
Azure DevOps Solutions Expert

Learn about the DevOps services available on Azure and how you can use them to make your workflow more efficient.

Slide 3
Learn and get certified
AWS Certified DevOps Professional

Learn about the DevOps services offered by AWS and how you can use them to make your workflow more efficient.

previous arrow
next arrow

What is SonarQube and How it works? An Overview and Its Use Cases

Spread the Knowledge

History & Origin of SonarQube?

Simon Brandhof starts developing the Sonar platform by integrating best-of-breed open source tools for Java. The two of them are joined in September 2007 by Olivier Gaudin, who was enthused by the Sonar platform’s vision and starts contributing to it.

Back in 2007, when first lines of code were created, the founders of SonarQube (originally called Sonar) had a dream to one day provide every developer the ability to measure the code quality of his projects. Their motto: “Continuous Inspection must become mainstream as Continuous Integration”

Covering 27 programming languages, while pairing-up with your existing software pipeline, SonarQube provides clear remediation guidance for developers to understand and fix issues and for teams overall to deliver better, safer software. With over 170,000 deployments, helping small development teams as well as global organizations, SonarQube provides the means for all teams and companies, around the world, to own and impact their Code Quality and Security.

Back in 2007, when first lines of code were created, the founders of SonarQube (originally called Sonar) had a dream to one day provide every developer the ability to measure the code quality of his projects. Their motto: “Continuous Inspection must become mainstream as Continuous Integration”.

What is SonarQube?

SonarQube is a Code Quality Assurance tool that collects and analyzes source code, and provides reports for the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continually over time.

Overview

Once the SonarQube platform has been installed, you’re ready to install a scanner and begin creating projects. To do that, you must install and configure the scanner that is most appropriate for your needs. Do you build with:

Why should we use SonarQube?

SonarQube reduces the risk of software development within a very short amount of time. It detects bugs in the code automatically and alerts developers to fix them before rolling it out for production. SonarQube also highlights the complex areas of code that are less covered by unit tests

How SonarQube works aka SonarQube architecture?

  1. One SonarQube Server starting 3 main processes:
    • Web Server for developers, managers to browse quality snapshots and configure the SonarQube instance
    • Search Server based on Elasticsearch to back searches from the UI
    • Compute Engine Server in charge of processing code analysis reports and saving them in the SonarQube Database
  2. One SonarQube Database to store:
    • the configuration of the SonarQube instance (security, plugins settings, etc.)
    • the quality snapshots of projects, views, etc.
  3. Multiple SonarQube Plugins installed on the server, possibly including language, SCM, integration, authentication, and governance plugins
  4. One or more SonarScanners running on your Build / Continuous Integration Servers to analyze projects

Integration

The following schema shows how SonarQube integrates with other ALM tools and where the various components of SonarQube are used.

  1. Developers code in their IDEs and use SonarLint to run local analysis.
  2. Developers push their code into their favourite SCM : git, SVN, TFVC, …
  3. The Continuous Integration Server triggers an automatic build, and the execution of the SonarScanner required to run the SonarQube analysis.
  4. The analysis report is sent to the SonarQube Server for processing.
  5. SonarQube Server processes and stores the analysis report results in the SonarQube Database, and displays the results in the UI.
  6. Developers review, comment, challenge their Issues to manage and reduce their Technical Debt through the SonarQube UI.
  7. Managers receive Reports from the analysis. Ops use APIs to automate configuration and extract data from SonarQube. Ops use JMX to monitor SonarQube Server.

About Machines and Locations

  • The SonarQube Platform cannot have more than one SonarQube Server (although the Server can be installed as a cluster) and one SonarQube Database.
  • For optimal performance, each component (server, database, scanners) should be installed on a separate machine, and the server machine(s) should be dedicated.
  • SonarScanners scale by adding machines.
  • All machines must be time synchronized.
  • The SonarQube Server and the SonarQube Database must be located in the same network
  • SonarScanners don’t need to be on the same network as the SonarQube Server.
  • There is no communication between SonarScanners and the SonarQube Database.

Use case of  SonarQube?

SonarQube is used as part of the build process (Continuous Integration and Continuous Delivery) in all Java services to ensure a high quality of code and remove bugs that can be found during static analysis.

SonarQube is a Code Quality Assurance tool that collects and analyzes source code, and provides reports for the code quality of your project. It combines static and dynamic analysis tools and enables quality to be measured continually over time.

How to Use SonarQube Tool For Code Quality:
  1. Step 1: Download and Unzip SonarQube. Prerequisites: Java (Oracle JRE11 or OpenJDK 11 minimum) …
  2. Step 2: Run the SonarQube local server. …
  3. Step 3: Start a new SonarQube project. …
  4. Step 4: Setup Project properties and SonarScanner. …
  5. Step 5: View your analysis report on Sonar Dashboard.
How do you write test cases in SonarQube?
Importing . NET reports
  1. Run the SonarScanner. …
  2. Build your project using MSBuild.
  3. Run your test tool, instructing it to produce a report at the same location specified earlier to the MSBuild SonarQube Runner (How to generate reports with different tools)
  4. Run the SonarScanner.

Feature and Advantage of using SonarQube

SonarQube platform significantly increases the lifetime of applications by reducing complexities, duplications and potential bugs in the code, by keeping neat and clean code architecture and increased unit tests. SonarQube increases maintainability of the software. It also has the ability to handle changes.

Benefits of SonarQube
  • Sustainability – Reduces complexity, possible vulnerabilities, and code duplications, optimising the life of applications.
  • Increase productivity – Reduces the scale, cost of maintenance, and risk of the application; as such, it removes the need to spend more time changing the code.

What is SonarQube and its features?

SonarQube is a Code Quality Assurance tool that collects and analyzes source code, and provides reports for the code quality of your project. … Sonarqube also ensures code reliability, Application security, and reduces technical debt by making your code base clean and maintainable.

Best Alternative of SonarQube

Browse options below. Based on reviewer data you can see how SonarQube stacks up to the competition, check reviews from current & previous users in industries like Information Technology and Services, Computer Software, and Financial Services, and find the best product for your business.

Top 10 Alternatives to SonarQube
  • Embold.
  • GitHub.
  • Coverity.
  • Checkmarx.
  • Klocwork.
  • GitLab.
  • Veracode Application Security Platform.
  • Kiuwan Code Security & Insights.

Please Click here more Top 10 Alternatives to SonarQube

Best Resources, Tutorials and Guide for SonarQu

  1. devopsschool.com
  2. udemy.com
  3. devopsuniversity.org

Free Video Tutorials of SonarQube

Interview Questions and Answer for  SonarQube

Is it right definition of Sonarqube?
SonarQube (formerly Sonar) is a quality management platform focusing on continuous analysis of source code quality.

  • YES (Ans)
  • NO

Which is not a severities in this list

  • Blocker
  • Critical
  • Major
  • Biggest (Ans)

Is it right defintion of SonarQube Scanners?
The SonarQube Scanner is recommended as the default launcher to analyze a project with SonarQube.

  • YES (Ans)
  • NO

How to extend the functionality of SonarQube?

  • Modules
  • Plugins (Ans)
  • Extension
  • Ads on

Which statement is correct?

  • Sonar will run CheckStyle, FindBugs and PMD by default for Java projects (Ans)
  • Sonar will run Checkmate by default for Java projects
  • Sonar will run FindIssue by default for Java projects
  • Sonar will run PMDtest by default for Java projects

Which is not a axis of code quality in SonarQube?

  • Architecture and Design
  • Complexity
  • Potential bugs
  • Code Coverage (Ans)

What is the prerequisite for SonarQube Installation?

  • Java (Ans)
  • DOTNET
  • JavaScript
  • Php

Which is not part of Code Technical Review in SoanrQube?

  • Confirm
  • Change Severity
  • Resolve
  • Submited (Ans)

What is not a search criteria for the rules in SonarQube?

  • Language
  • Type
  • Tag
  • Develop (Ans)

Which is the not found in sonar-project.properties?

  • sonar.projectVersion
  • sonar.sources
  • sonar.code (Ans)
  • sonar.language

Which property should be decalred for SonarQube Project base dir?

  • sonar.projectBaseDir (Ans)
  • sonar.working.directory
  • sonar.basedir
  • sonar.projectdir

Which property should be decalred to tell SonarQube which SCM plugin should be used to grab SCM data on the project

  • sonar.scm.provider (Ans)
  • sonar.scm
  • sonar.git
  • sonar.version

Which property should be decalred to tell SonarQube log level?

  • INFO
  • DEBUG
  • TRACE
  • ERROR (Ans)

Which is not supported Log Level in SonarQube?

  • sonar.log.level
  • sonar.verbose (Ans)
  • sonar.log
  • sonar.loglevel

Is it right definition of Code Smell? A maintainability-related issue in the code. Leaving it as-is means that at best maintainers will have a harder time than they should making changes to the code. At worst, they’ll be so confused by the state of the code that they’ll introduce additional errors as they make changes.

  • YES (Ans)
  • NO

Is it right definition of Coding Rule? A good coding practice. Not complying to coding rules leads to quality flaws and creation of issues in SonarQube. Coding rules can check quality on files, unit tests or packages.

  • YES (Ans)
  • NO

Is it right definition of Analyzer? A client application that analyzes the source code to compute snapshots.

  • YES (Ans)
  • NO

Which is not severities in Sonarqube?

  • Options
  • Blocker
  • Major
  • Critical
  • Issues (Ans)

Is it possible to Copy the rules from one profile to another?

  • YES (Ans)
  • NOT

Is it possible to Copy a profile from one SonarQube instance to another?

  • YES (Ans)
  • NOT

 

 

 

 

Rajesh Kumar
Latest posts by Rajesh Kumar (see all)
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x