Sonarqube is an automated static code analysis tool that, when configured with Jenkins, reports the bugs, vulnerabilities and tech debt of a project on every build. Sonarqube with Jenkins catches issues that a manual review would miss. Secondly, linting and code coverage are also handled by Sonarqube, so we don’t need separate tools for those. Thirdly, Sonarqube is open-source software with good support. In this doc we will cover the setup, the sonar scanner for one sonarqube-flask project, the integration with Jenkins, and setting up the quality gate.
Consider a situation where you are the engineer reviewing a pull request with more than 1000 lines of code change. You would probably work through a checklist like the one below.
Manual PR Checklist
- Is the PR atomic?
- Does the PR follow the single concern principle?
- Are the commit messages well-written?
- Will the code work well with the existing code and not increase duplication?
- Is the code well organised in terms of the placement of components?
- Does the PR contain test cases for the modified code?
- Does the new code keep up with the idioms and code patterns of the language?
- Does the code make use of the language features and standard libraries?
- Does it comply with PEP-8?
- Are all language and project conventions followed?
- Are identifiers given meaningful and style guide-compliant names?
- Is the code free of implementation bugs that could be exploited?
- Have all the new dependencies been audited for vulnerabilities?
There’s a good probability that some points from the above checklist will be missed when you check manually.
So here comes Sonarqube: it takes care of almost everything on the checklist, and you just need to chill and watch Netflix.
We are going to cover the following points in this blog:
- Overview of Sonarqube and where to use it.
- Setup/Install Sonarqube.
- Configure python project in Sonarqube.
- Configure Jenkins with Sonarqube for automated testing.
Overview of Sonarqube
Sonarqube is a static code analysis tool that reports the issues, bugs, vulnerabilities and tech debt of a project. Running the analysis by hand every time is time-consuming, which is why Sonarqube works so well inside Jenkins pipelines, where it runs on every build.
Installation of Sonarqube with Jenkins
Install the following libraries and tools before proceeding with the installation process.
Sonarqube with Docker
Firstly, create a directory structure like the one below, with a separate folder for each of the following:
- data/ ## All Sonarqube data lives in this folder
- docker-compose.yml ## Sonarqube entrypoint
- extensions/ ## All the extensions (plugins) go here
- logs/ ## Logs are stored here
- pg_data/ ## Sonarqube needs a database; we use PostgreSQL, and its data goes here
- pg_db/ ## PostgreSQL database files
To create the folders, use the command below.
mkdir data extensions logs pg_data pg_db
Secondly, create a docker-compose file that runs Sonarqube and also spins up a PostgreSQL container to store Sonarqube's data.
Thirdly, deploy the docker-compose file with Docker Swarm using the command below.
docker stack deploy -c docker-compose.yml sonar
Then cross-check that the Docker services are running with the command below.
docker service ls
Open the browser and go to the localhost:9000 URL to open Sonarqube.
Now log in to Sonarqube with the default credentials and change the password straight away:
- Firstly, click on the Administrator’s My Account
- Secondly, click on Security
- Thirdly, change the password to something secure
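The compose file and deployment steps above, as an added bootstrap script that is not part of the original post. The directory names match the post; the image tags, the database name and user (`sonar`), the JDBC environment variable names and the `/opt/sonarqube/*` and `/var/lib/postgresql*` container paths follow the official SonarQube Docker images, and the database password is passed in as an argument rather than written into the script.

```shell
#!/usr/bin/env sh
# Added example, not the post's own compose file: generate docker-compose.yml for
# the SonarQube + PostgreSQL stack and deploy it as the "sonar" swarm stack.
# Image tags and the database name/user are assumptions for illustration.
set -eu

# write_compose_file DIR PG_PASSWORD
# Creates the six folders from the post under DIR and writes DIR/docker-compose.yml.
# Only port 9000 (SonarQube) is published; PostgreSQL stays on the stack's
# internal network, so the database is never reachable from outside the host.
write_compose_file() {
  dir="$1"
  pg_password="$2"
  mkdir -p "$dir/data" "$dir/extensions" "$dir/logs" "$dir/pg_data" "$dir/pg_db"
  cat > "$dir/docker-compose.yml" <<EOF
version: "3.8"
services:
  sonarqube:
    image: sonarqube:lts-community
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      SONAR_JDBC_PASSWORD: ${pg_password}
    ports:
      - "9000:9000"
    volumes:
      - ${dir}/data:/opt/sonarqube/data
      - ${dir}/extensions:/opt/sonarqube/extensions
      - ${dir}/logs:/opt/sonarqube/logs
  db:
    image: postgres:13
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: ${pg_password}
      POSTGRES_DB: sonar
    volumes:
      - ${dir}/pg_data:/var/lib/postgresql
      - ${dir}/pg_db:/var/lib/postgresql/data
EOF
}

# deploy_stack DIR
# Runs the two commands from the post: deploy the stack, then list its services.
deploy_stack() {
  dir="$1"
  docker stack deploy -c "$dir/docker-compose.yml" sonar
  docker service ls
}

# Usage: sh bootstrap-sonar.sh /srv/sonar 'a-strong-db-password'
# (nothing runs when the script is sourced without arguments)
if [ "${1:-}" != "" ]; then
  write_compose_file "$1" "${2:?database password required}"
  deploy_stack "$1"
fi
```

Two caveats a first deployment usually trips over: `docker stack deploy` needs a swarm (`docker swarm init` on a single host), and the Elasticsearch embedded in SonarQube refuses to start on Linux unless `vm.max_map_count` is at least 262144 (`sysctl -w vm.max_map_count=262144`). Absolute paths are used for the bind mounts because a stack file is interpreted by the swarm manager, not relative to your shell's working directory.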
Disable anonymous access
By default, Sonarqube lets anonymous users browse the analysis results. To disable this, go to the Administration section, open the Security tab and enable Force user authentication:
Administrator>Security>Force User Authentication
Enable Email Notifications and Set Up the Email Client
Notifications let you know whenever a build fails, an issue is assigned to you, or something else in a specific project needs your input. Notifications are configured per user profile:
- Open My Account
- Open the Notifications tab and tick on the following rules
Setup Email Client
Open the Administration tab, then Configuration, then General.
Enter the values below:
- email prefix: [SONARQUBE]
- from address: <your email address>
- from name: SonarQube
- SMTP host: smtp.gmail.com
- SMTP password: <your password>
- SMTP port: 587
- username: <your username>
- server base URL: https://localhost:9000 (your sonarqube domain)
Configuration of Project
- Add a project manually
- Give the project a name
- Generate a new token for analysis, so that the scanner never uses your user credentials
- Store the token somewhere safe, as it will not be visible again once the project is set up
- Choose the project's main language. In this case I chose “Other”, because the sonarqube-flask project’s main language is Python. Sonarqube will then show you the sonar scanner command that we have to run to produce the static code analysis
- Finally, the project is set up and appears on the Projects tab, without any analysis yet
Sonar Scanner — Project Setup
In this part, we will set up a sonar scanner on the hello-flask project. The scanner scans the project, generates the static code analysis and pushes the result to the Sonarqube server.
For sonar-scanner, we will be using Docker.
1. Create a sonar-project.properties file in the root directory of the project. This file holds all the flags and properties the sonar scanner uses for that project.
2. Install the libraries from the requirements file below.
3. Write test cases for the project.
import pytest
from flask_webtest import TestApp
from app import app as current_app

_app = None
if not _app:
    _app = current_app


@pytest.fixture
def testapp():
    # flask-webtest wraps the Flask app in a WebTest client
    return TestApp(_app)


class TestFlask(object):
    @pytest.fixture(autouse=True)
    def setup(self, testapp):
        self.testapp = testapp

    def test_comic(self):
        res = self.comic()
        assert res.status_code == 200

    def comic(self):
        # route path assumed from the test name; see the repository for the real one
        return self.testapp.get("/comic")
For the complete code, check out the repository from here.
4. Run the test cases to generate the coverage report and the result report with the command below.
py.test --cov-report xml:coverage.xml --cov=. --junitxml=result.xml test.py
5. This generates a coverage.xml file and a result.xml file in the root directory of the repository.
Run Sonar Scanner on Project
For the complete blog and implementation, please check out the Step by Step Configuration of Sonarqube with Jenkins for Python blog on my blogging website, Progress Story.
If you haven’t tried Sonarqube yet and you are working in a big team, then it's the right time to introduce Sonarqube to your team, as it will take care of most of the manual work like linting, static analysis, test case coverage and a lot more.
I hope this has helped you, or will help you. If you want to discuss anything tech-related, you can contact me on the Contact Page of Progress Story. If you are interested in becoming a part of Progress Story, please reach out to me or check out the Create Blog page. You can also reach out to me on LinkedIn.
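The scanner setup described in the steps above (the sonar-project.properties file from step 1, the coverage and result reports from steps 4 and 5, and the scanner run itself), as an added script that is not part of the original post or the hello-flask repository. The project key, the host URL, the `sonarsource/sonar-scanner-cli` image and the property values are assumptions for illustration; the project token from the Configuration of Project section is read from the `SONAR_TOKEN` environment variable and deliberately never written into the properties file, which gets committed with the code.

```shell
#!/usr/bin/env sh
# Added example, not the post's own files: write sonar-project.properties, run the
# tests with coverage, then scan the project with the sonar-scanner Docker image.
# Project key, host URL and property values are assumptions for illustration.
set -eu

# write_sonar_properties DIR PROJECT_KEY HOST_URL
# The two report properties are what make SonarQube import coverage.xml and
# result.xml produced by the py.test command from the post. No token goes here.
write_sonar_properties() {
  dir="$1"
  key="$2"
  host="$3"
  cat > "$dir/sonar-project.properties" <<EOF
sonar.projectKey=${key}
sonar.projectName=${key}
sonar.host.url=${host}
sonar.sources=.
sonar.tests=.
sonar.test.inclusions=test*.py
sonar.python.version=3
sonar.python.coverage.reportPaths=coverage.xml
sonar.python.xunit.reportPath=result.xml
sonar.exclusions=**/venv/**,**/.git/**,**/.scannerwork/**
EOF
}

# run_tests_and_scan DIR
# Needs SONAR_TOKEN exported (the analysis token generated in the SonarQube UI)
# and docker on PATH. The scanner image reads sonar-project.properties from
# /usr/src and takes the token from the SONAR_TOKEN environment variable.
run_tests_and_scan() {
  dir="$1"
  : "${SONAR_TOKEN:?export the analysis token generated in the SonarQube UI}"
  ( cd "$dir" && py.test --cov-report xml:coverage.xml --cov=. --junitxml=result.xml test.py )
  # --network host so that http://localhost:9000 in the properties file reaches
  # the SonarQube container published on the host, not the scanner container.
  docker run --rm --network host \
    -e SONAR_TOKEN \
    -v "$dir:/usr/src" \
    sonarsource/sonar-scanner-cli
}

# Usage: SONAR_TOKEN=<token> sh scan.sh /path/to/hello-flask
# (nothing runs when the script is sourced without arguments)
if [ "${1:-}" != "" ]; then
  write_sonar_properties "$1" hello-flask http://localhost:9000
  run_tests_and_scan "$1"
fi
```

Keeping the token out of sonar-project.properties matters because that file lives in the repository; in Jenkins the same `SONAR_TOKEN` variable is supplied from a credentials binding rather than from the checkout. Older scanner versions read the token from `sonar.login` instead of `SONAR_TOKEN`/`sonar.token`; if your SonarQube rejects the scan with an authentication error, pass `-Dsonar.login="$SONAR_TOKEN"` to the same `docker run`.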
See you next time! Peace Out ✌️