© 2016 Spazio IT - Soluzioni Informatiche s.a.s.
Spazio IT
SonarQube and Java
October 2016
Maurizio Martignano
Spazio IT – Soluzioni Informatiche s.a.s
Via Manzoni 40
46030 San Giorgio di Mantova, Mantova
http://www.spazioit.com
Agenda
SonarQube
Tools
IDEs
Continuous Integration
Hands on the Platform
Processes
SonarQube
Code Quality Platform
SonarQube – What is it?
SonarQube is an open source web application (http://www.sonarqube.org) which:
– Takes as input a set of source code files and a set of analysis results (produced by external tools).
– Stores both sources and results in a database.
– Makes the gathered information available via a dynamic website where the results are shown in the context of the code itself.
SonarQube – What is it?
[Diagram: Source Code Files, Analyses Results, SonarQube Engine, SonarQube Database]
SonarQube / Plugins / Sensors
[Diagram: SonarQube]
– Plugin-M, e.g. Java
– Plugin-I, e.g. C/C++
– Plugin-1, e.g. Ada
– Sensor-J, e.g. PC-Lint
– Sensor-M, e.g. GCOV
– Sensor-1, e.g. CppCheck
– Post-Processing, e.g. CPD, Decorators
– Pre-Processing, e.g. scanning and parsing
SonarQube – There’s more
Analyses on the same code base can be performed at different moments in time and SonarQube keeps track of the changes/evolution.
The problems found during analyses (a.k.a. issues) can be managed directly from within the system itself, e.g.
– Identifying false positives
– Assigning issues to developers
– Checking their status (if they have been solved)
– …
SonarQube - Screenshots
http://sonarsrv.spazioit.com/
SonarQube = Tools (+ Platform)
Tools Classification
[Diagram: tools classification]
Tools: Dynamic Analysis, Static Analysis
– Testing (U, I, A)
– Coverage
– Real Time Analysis
– Standards / Guidelines
– Bugs Finding
– Patterns Matching
– SD Stuff, e.g.: Model Checking, Abstract Interpretation
– Metrics, Quality Models (?)
– Education / Learning
Tools: Java
[Diagram: Java tools placed on the tools classification]
Tools: Dynamic Analysis, Static Analysis
– JUnit
– Cobertura, Clover
– ThreadSafe
– Checkstyle
– SonarQube Java Plugin
– FindBugs, PMD
– Patterns Matching
– Opal, Soot, JPF
– ?
– SonarQube Java Plugin, SonarQube Squale Plugin
– Education / Learning
SonarQube Integration with IDEs
SonarQube and Visual Studio (C/C++)
SonarQube and Eclipse (Java)
SonarQube and Eclipse (C/C++)
SonarQube and Oracle JDeveloper (Java)
SonarQube and Continuous Integration
SonarQube and Jenkins
Running SonarQube analyses:
– Sonar-Runner
– Maven
– Ant
Where?
– SonarQube analyses can be distributed.
– Jenkins and all the other CI systems allow for distributed execution of builds and build steps.
– The analyses should take place where the code is.
Hands On the Platform…
Processes
Who does what?
All current Integrated Development Environments (IDEs), such as GNAT GPS 2016, Visual Studio 2013 and Eclipse Luna, offer some form of code analysis.
IDE analysis tools are to be used by software developers during their everyday work.
SonarQube analyses are more for the «quality people»; they are not supposed to be executed every day, but rather at specific, well-defined moments in the software development life cycle.
SonarQube analyses can also be used by software developers to:
– Execute project-defined analyses
– Complement the IDE analysis capabilities
– Increase the “awareness” of the programming language (Educational)
When?
SonarQube analyses should be performed after any «significant» delivery in a software development project, e.g. using ECSS 40 terminology, at:
– CDR
– QR
– AR
In maintenance projects SonarQube analyses should be performed after any «significant» new delivery, e.g. supposing a versioning like:
major.minor[.build[.revision]]
After every «minor» delivery.
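The maintenance rule above can be turned into a check that a CI job runs before deciding to start an analysis. The sketch below is an added example, not part of the original slides; the function names `parse_version` and `analysis_due` are hypothetical, and it assumes that a change of «major» also counts as a significant delivery and that components are written without leading zeros.

```shell
#!/bin/sh
# Added example: decide whether a new delivery calls for a SonarQube
# analysis, for versions of the form major.minor[.build[.revision]].

# parse_version VERSION
# Prints "major minor" for a well-formed version; fails otherwise.
parse_version() {
    case "$1" in
        # Reject empty input, stray or doubled dots, and non-digits.
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    case "$1" in
        *.*.*.*.*) return 1 ;;   # more than four components
    esac
    case "$1" in
        *.*) ;;                  # at least major.minor is required
        *) return 1 ;;
    esac
    major=${1%%.*}               # text before the first dot
    rest=${1#*.}                 # text after the first dot
    minor=${rest%%.*}            # second component
    printf '%s %s\n' "$major" "$minor"
}

# analysis_due PREVIOUS CURRENT
# Exit status: 0 = major or minor changed, analysis is due;
#              1 = only build/revision changed, no analysis;
#              2 = one of the versions is malformed.
analysis_due() {
    prev=$(parse_version "$1") || return 2
    curr=$(parse_version "$2") || return 2
    [ "$prev" != "$curr" ]
}
```

In a Jenkins build step, `analysis_due "$LAST_ANALYSED" "$THIS_DELIVERY"` (both variable names are placeholders) can guard the Sonar-Runner, Maven or Ant invocation, with status 2 treated as a job failure rather than a skip.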
Thank you for your time!