Automated code analysis is a powerful and useful technology, and SonarQube is the leading open source platform in this space. According to SonarQube's official documentation:

"SonarQube® software (previously called Sonar) is an open source quality management platform, dedicated to continuously analyze and measure technical quality, from project portfolio to method."

Bitbucket is excellent at enabling collaboration among developers through an intuitive web interface. Integrating SonarQube with Bitbucket provides automated feedback on code quality issues right where peer code review happens: in the pull request.

Bitbucket Integration

In the pull request view:

    1. A summary of the SonarQube analysis is visible to the participants:
      [Screenshot: SonarQube analysis summary in the pull request view]

      In this example, the codebase currently has a total of 4 critical issues, of which 3 were introduced by the feature branch under review. Similarly, 1 additional major issue and 1 additional minor issue were introduced by the current branch:
      [Screenshot: issue counts per severity, total versus introduced by the branch]



    2. The "Diff" tab in the pull request details shows the SonarQube findings inline against the code change:
      [Screenshot: Diff tab with SonarQube issue markers next to the changed lines]



    3. If the reviewer wants a detailed analysis report, clicking on a SonarQube marker icon displays details of that issue. In the example above it shows details of the "Critical" issue found on line #66. There are options to convert the finding into a pull request comment or to view details about the rule that triggered it and the suggested fix.
    4. SonarQube analysis can also be used as a merge check by setting thresholds in the Bitbucket repository settings.

      The example repository below has a condition that will not allow anyone to merge a pull request that has more than 1 critical issue:
      [Screenshot: repository settings with the SonarQube merge check threshold]

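The merge check in item 4, as an added example (not code from this page, the add-on, or Addteq): the threshold logic run over a constructed list of issues shaped like the objects SonarQube's api/issues/search endpoint returns, using the page's numbers (4 critical in total, 3 from the branch, plus 1 major and 1 minor). The branch-start date used to separate "introduced by this branch" from pre-existing issues is an assumption.

```python
"""Reproduce the pull-request merge check: block a merge when unresolved
CRITICAL issues exceed a configured threshold (the page's setting is 1)."""
from collections import Counter
from datetime import datetime

# Constructed sample data, shaped like the issue objects returned by
# SonarQube's api/issues/search endpoint (only the fields used here).
SAMPLE_ISSUES = [
    {"key": "c-1", "severity": "CRITICAL", "status": "OPEN",      "creationDate": "2016-03-20T10:00:00+0000"},
    {"key": "c-2", "severity": "CRITICAL", "status": "OPEN",      "creationDate": "2016-04-05T09:12:00+0000"},
    {"key": "c-3", "severity": "CRITICAL", "status": "OPEN",      "creationDate": "2016-04-05T09:40:00+0000"},
    {"key": "c-4", "severity": "CRITICAL", "status": "CONFIRMED", "creationDate": "2016-04-06T08:00:00+0000"},
    {"key": "c-5", "severity": "CRITICAL", "status": "RESOLVED",  "creationDate": "2016-04-06T08:30:00+0000"},
    {"key": "m-1", "severity": "MAJOR",    "status": "OPEN",      "creationDate": "2016-04-06T11:00:00+0000"},
    {"key": "n-1", "severity": "MINOR",    "status": "OPEN",      "creationDate": "2016-04-06T11:05:00+0000"},
]
# Assumption: the feature branch diverged from its base at this time.
BRANCH_START = "2016-04-01T00:00:00+0000"

UNRESOLVED = {"OPEN", "CONFIRMED", "REOPENED"}  # statuses that still count

def parse_sonar_date(text):
    """SonarQube dates look like 2016-04-05T09:12:00+0000."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S%z")

def summarize(issues, branch_start=BRANCH_START):
    """Per-severity counts of unresolved issues: overall, and only those
    created after the branch diverged ('introduced by this branch')."""
    since = parse_sonar_date(branch_start)
    total, introduced = Counter(), Counter()
    for issue in issues:
        if issue["status"] not in UNRESOLVED:
            continue  # fixed or false-positive issues do not block a merge
        total[issue["severity"]] += 1
        if parse_sonar_date(issue["creationDate"]) >= since:
            introduced[issue["severity"]] += 1
    return total, introduced

def merge_allowed(issues, severity="CRITICAL", max_allowed=1):
    """Merge check: True unless unresolved issues of `severity` exceed max_allowed."""
    total, _ = summarize(issues)
    return total[severity] <= max_allowed

if __name__ == "__main__":
    total, introduced = summarize(SAMPLE_ISSUES)
    for sev in ("CRITICAL", "MAJOR", "MINOR"):
        print(f"{sev}: {total[sev]} total, {introduced[sev]} introduced by branch")
    print("merge allowed:", merge_allowed(SAMPLE_ISSUES))
```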
How does this work?

Overall Setup:

SonarQube analysis is triggered by the continuous integration setup in Bamboo via build plan branches. The analysis results published to SonarQube are made available to Bitbucket Server and shown to users in the pull request view.

[Diagram: overall setup of Bamboo, SonarQube and Bitbucket Server]

source: https://mibexsoftware.atlassian.net/wiki/display/SONARBAMBOO (Before version 4.x, Bitbucket Server was known as Stash)

Bamboo Integration

In Bamboo you need to add the SonarQube Maven task to your build job in order for SonarQube to trigger an analysis. A link to the SonarQube analysis is visible on the Bamboo results summary page:

[Screenshot: Bamboo build result summary with the SonarQube link]

Clicking the SonarQube link takes you to the SonarQube home page of that particular branch build.

[Screenshot: SonarQube home page for the branch build]


Sonarqube Analysis

A typical SonarQube analysis includes:

  1. Home Page: provides a summary of the entire analysis. Technical Debt, Coverage, Duplication and Structure are the areas highlighted:
    [Screenshot: SonarQube project home page]



  2. Technical Debt: SonarQube, based on its policies, analyzes the code to find issues in areas such as conventions, security, performance and error handling.
    1. Depending on the policies, it raises issues for the user to address.
    2. Additionally, it estimates the amount of effort required to address those issues.
    3. SonarQube also provides graphical visualizations of various statistics related to the analysis results:
      [Screenshot: Technical Debt visualization]


  3. Coverage: helps you determine the percentage of code covered by unit tests.
    1. A graphical representation of each file's test coverage, indicating the number of uncovered lines:
      [Screenshot: per-file test coverage view]


  4. Duplications: displays duplicated blocks, lines and files:
    [Screenshot: Duplications view]


  5. Structure: this section shows the architecture of the project:
    1. What percentage of the code is in Java, XML, or any other language?
    2. How complex is the code?
    3. Number of functions defined, classes used, etc.

Based on the above analysis, a reviewer can decide, with confidence, whether the code should be merged or needs to be cleaned up first.

Summary

SonarQube is a powerful platform for continuous inspection of source code and of the various aspects pertaining to quality and best practices. Integrating SonarQube analysis into pull requests in Bitbucket Server makes it very useful for developers, thanks to the Marketplace add-ons available for Bitbucket and Bamboo. Please visit SonarQube's website for more information on the product.


Be sure to contact Addteq with all of your DevOps and Continuous Inspection needs!