Why SonarQube?

Chia Wei Han
5 min read · Apr 10, 2021

Introduction

How well is your code written? Are there any bugs? Did you write unit tests for your code? These are the common questions I get from the stakeholders of a project, and I found it difficult to explain the answers to them, or rather, to translate them into higher-level, non-technical language.

Rest assured, SonarQube is here to answer these questions and to build the bridge that gets your hard work recognized by them. Let me walk you through how to set it up easily using docker-compose, run your tests, and publish the results to SonarQube.

Prerequisite:

  1. Docker
  2. Docker-compose
  3. .NET Core project
  4. Database IDE (e.g. DBeaver, pgAdmin, Datagrip, … more)

I will assume that you already have Docker and docker-compose set up in your current development environment. But before we get started, let's check. Run the commands below to ensure you have Docker, docker-compose, and .NET Core ready.

# check docker version
docker --version
# check docker-compose version
docker-compose --version
# check .NET Core version
dotnet --version

Result

docker --version
# Docker version 20.10.5, build 55c4c88
docker-compose.exe --version
# docker-compose version 1.28.5, build c4eb3a1f
dotnet --version
# 5.0.201

Meanwhile, I will be using DBeaver to create the database in Postgres. If each command prints a version back, you are ready to kick off this walkthrough!

Let's create the database that SonarQube requires.

CREATE DATABASE sonar;

We will be using docker-compose to provision the SonarQube container. Below is the YML file; I explain each numbered line in more detail after it.

version: '3.8'

services:
  sonarqube:
    image: sonarqube:8.8.0-community # (1)
    container_name: tehpeng-sonarqube
    ports:
      - 9123:9000
      - 9124:9092
    networks:
      - tehpeng-network # must match the network declared at the bottom of the file
    environment:
      - SONARQUBE_JDBC_URL=jdbc:postgresql://tehpeng-postgres:5432/sonar # (2)
      - SONARQUBE_JDBC_USERNAME=root # (3)
      - SONARQUBE_JDBC_PASSWORD=P@ssW0rd123! # (4)
    volumes: # (5)
      - ./data/sonarqube_conf:/opt/sonarqube/conf
      - ./data/sonarqube_data:/opt/sonarqube/data
      - ./data/sonarqube_extensions:/opt/sonarqube/extensions
      - ./data/sonarqube_bundled-plugins:/opt/sonarqube/lib/bundled-plugins

networks:
  tehpeng-network:
    name: tehpeng-network

(1) image: We will not be using the latest tag, because with it you cannot tell which version you and your teammates are actually running. That makes it tedious to reach the goal of having everyone in your team on the same version, so pin the version as strictly as possible.

(2) SONARQUBE_JDBC_URL: This JDBC connection string does not carry the credentials. tehpeng-postgres refers to the container that is running the Postgres database. We do not specify an IP address, because Docker issues an IP address to each container on the network and resolves the container name to that address; for this to work, the Postgres container must be attached to the same Docker network as SonarQube (tehpeng-network here). Sounds complex? Drop me a message below if you are interested in knowing more about Docker. Maybe I will spend my next weekend afternoon writing more about it.

(3) SONARQUBE_JDBC_USERNAME: your Postgres DB username.

(4) SONARQUBE_JDBC_PASSWORD: your Postgres DB password. Keep the real value out of version control, for example by loading it from an .env file instead of writing it into the compose file.

(5) Volumes: the data files that are critical to provisioning the same SonarQube in another environment (configuration, data, extensions, and bundled plugins), persisted on the host under ./data.
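As an added example that is not part of the original post, here is a small Python lint for the three compose pitfalls discussed above: an image that is not pinned to a version, a service joining a network the file never declares, and a database password written literally into the file. The dicts are constructed here to mirror the compose file above; in practice you would feed it the output of yaml.safe_load().

```python
# Added example (not from the original post): a lint for the compose pitfalls
# discussed above. The dicts below are constructed here and mirror the page's
# compose file; replace them with yaml.safe_load() output in practice.
import re

SECRET_KEY = re.compile(r"PASS(WORD)?$|SECRET|TOKEN", re.IGNORECASE)

def image_tag(image):
    """Return the tag of an image reference, or '' when none is given."""
    last = image.rsplit("/", 1)[-1]          # strip registry/namespace
    return last.split(":", 1)[1] if ":" in last else ""

def lint_compose(compose):
    """Return a list of (service, finding) for a parsed compose document."""
    findings = []
    declared = set((compose.get("networks") or {}).keys())
    for name, svc in (compose.get("services") or {}).items():
        image = svc.get("image", "")
        if image_tag(image) in ("", "latest"):
            findings.append((name, f"image '{image}' is not pinned to a version"))
        for net in svc.get("networks") or []:
            if net not in declared:
                findings.append((name, f"network '{net}' is not declared at top level"))
        env = svc.get("environment") or {}
        pairs = env.items() if isinstance(env, dict) else (e.partition("=")[::2] for e in env)
        for key, value in pairs:
            # a literal value for a credential-looking key belongs in an .env file or ${VAR}
            if SECRET_KEY.search(key) and value and not str(value).startswith("${"):
                findings.append((name, f"{key} holds a literal secret"))
    return findings

# Constructed to mirror the post's compose file as first written
# (service network name differs from the declared one).
PAGE_COMPOSE = {
    "services": {"sonarqube": {
        "image": "sonarqube:8.8.0-community",
        "networks": ["rosepalette-network"],
        "environment": [
            "SONARQUBE_JDBC_URL=jdbc:postgresql://tehpeng-postgres:5432/sonar",
            "SONARQUBE_JDBC_USERNAME=root",
            "SONARQUBE_JDBC_PASSWORD=P@ssW0rd123!",
        ]}},
    "networks": {"tehpeng-network": {"name": "tehpeng-network"}},
}

if __name__ == "__main__":
    for service, finding in lint_compose(PAGE_COMPOSE):
        print(f"{service}: {finding}")
```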

Now let's provision the container with the command below:

docker-compose -f [your directory]/docker-compose.yml up -d

This provisions the container and at the same time detaches it from the current terminal (the -d flag). In other words, we can keep using the terminal for other commands.

Common Problem

SonarQube embeds Elasticsearch, whose requirements exceed the default container limits:

  • vm.max_map_count is greater than or equal to 262144
  • fs.file-max is greater than or equal to 65536
  • the user running SonarQube can open at least 65536 file descriptors
  • the user running SonarQube can open at least 2048 threads

Solution

sudo sysctl vm.max_map_count=262144
sudo sysctl fs.file-max=65536

These sysctl values only apply to the running kernel; to keep them across reboots, add them to /etc/sysctl.conf or a file under /etc/sysctl.d/.

Once everything is up, we can start pushing our analysis to SonarQube. You can access SonarQube at http://localhost:9123

SonarQube initial page

Now that SonarQube is deployed, let's see how we can analyze our .NET Core project and publish the code analysis to SonarQube.

  1. Click on Add project and select Manually.

  2. Fill in the details of the project.

Project Key: The unique identifier of your project inside SonarQube.

Display Name: The name of the project that will be displayed on the web interface.

  3. Generate the token you will use to publish your code analysis.

Enter any name you like for the token and click Generate when you are done.

Okay, we are done creating the project in SonarQube. We are at the last step: running the code analysis and pushing it here!

Created a project in SonarQube successfully.

Since we are working on a .NET Core project, we make the selection below. It requires SonarScanner to be installed in your environment. SonarScanner is a separate client application that connects to the SonarQube server: it performs the project analysis and sends the results to the SonarQube server to be processed.

  1. Install the SonarScanner tool to analyze .NET assemblies:

dotnet tool install --global dotnet-sonarscanner

  2. After it is installed, execute the commands below to start SonarScanner, build and test the project, and send the report to SonarQube:

dotnet sonarscanner begin /k:"[Project Key]" /d:sonar.host.url="[SonarQube Host URL]" /d:sonar.login="[SonarQube Project Token]" /d:"sonar.cs.opencover.reportsPaths=**/coverage.opencover.xml"
dotnet build
dotnet test /p:CollectCoverage=true /p:CoverletOutputFormat=opencover
dotnet sonarscanner end /d:sonar.login="[SonarQube Project Token]"

The coverage flags on dotnet test rely on the coverlet.msbuild package being referenced by your test project; without it no coverage.opencover.xml is produced and SonarQube shows no coverage. Since the project token is passed on the command line, prefer reading it from an environment variable or a CI secret rather than typing it into an interactive shell, where it ends up in the history. After this, you should see your project listed on the home screen, and you can click into it to view your code analysis.

Project code analysis

Look at this view! Isn't this far more promising for stakeholders who are not IT savvy, or who have no interest in watching you run all your tests with the results presented as plain text on the command line? SonarQube presents the analysis in a way that shows whether there are bugs and vulnerabilities in your project. Meanwhile, your teammates can review the code smells, check that their code is covered by unit tests via the coverage figures, and finally see whether there is a lot of duplicated code that you should modularize. 🤔

This sums up what I have been trying out at work for the past week. Let me work on part 2 to show how we can integrate it with Azure DevOps, where you can run this as a stage in your pipeline!
