In this article, we will perform static analysis [^ 2] of the code within the development (programming) phase [^ 1] performed by multiple people in the group, and help to eliminate the problems contained in the newly developed part at an early stage. I will show you how.
[^ 1]: [Waterfall model] using Java (https://ja.wikipedia.org/wiki/%E3%82%A6%E3%82%A9%E3%83%BC%E3%82 % BF% E3% 83% BC% E3% 83% 95% E3% 82% A9% E3% 83% BC% E3% 83% AB% E3% 83% BB% E3% 83% A2% E3% 83% 87 % E3% 83% AB) I wrote it assuming development, but I think that it can be applied not only to the waterfall model, and SonarQube itself can support languages other than Java.
[^ 2]: A type of computer software analysis method that analyzes without executing an executable file. ([Wikipedia](https://en.wikipedia.org/wiki/%E9%9D%99%E7%9A%84%E3%82%B3%E3%83%BC%E3%83%89%E8% From A7% A3% E6% 9E% 90))
――It is assumed that the development flow is basically "Create a development branch from the master branch and send a pull request from that branch to the develop branch when development is completed". --Assuming a situation where the number of reviewers is not large compared to reviewee.
--Reduce the burden on reviewers --Have you ever pointed out the same coding rule violation many times (how to use logs, omission of annotations, etc.)? -When you search with SearchBucket, do you find many similar points with the same keyword? --Preventing the release of unintended defects --Memory leak, NullPointerException, etc. --Targeting newly developed parts ――I would like to put the existing problem on hold.
SonarQube Aiming to solve the above problem, this time we will try to introduce and utilize SonarQube. SonarQube is, in a nutshell, an "OSS for continuously measuring and managing code quality."
--If there is a part that violates the specified coding rule, it will be identified and presented (along with the solution policy). ――It manages such violations as "technical debt" and records the transition in chronological order.
See the Official Documentation (https://docs.sonarqube.org/display/SONAR/Documentation) for more information.
SonarQube® software (previously called Sonar) is an open source quality management platform, dedicated to continuously analyze and measure technical quality, from project portfolio to method.
First, build a server and prepare a place to store code quality measurement results. Detailed procedure is Official document and [This document](http://blog.applibot.co.jp/blog/ 2017/09/14 / static-code-analysis-with-sonarqube /) is detailed.
Once you've built your server, it's time to statically analyze your code.
After setting according to Analyzing with SonarQube Scanner for Maven, in the directory with pom.xml
mvn sonar:sonar
Will perform a static analysis.
The result is
sonar.host.url
You can see it as such a screen under the URL set in. (The image doesn't seem to be for Java code, but for reference.)
Source: https://stackoverflow.com/questions/36940993/vs-unit-test-results-file-trx-is-not-displayed-into-sonarqube
The problems found and their solutions are presented, for example:
Source: https://docs.sonarqube.org/display/SONARQUBE52/Technical+Debt
If the analysis result is registered on SonarQube Server, it can be confirmed on the IDE. To do this, depending on your IDE, SonarLint or [radar-netbeans](http://plugins.netbeans.org/plugin/51532/radar- netbeans) is installed. For example, if you install radar-netbeans on NetBeans, the problem ("Issues") is pointed out like this. You can make corrections smoothly by going back and forth between the relevant part of the code and the detailed description of the problem.
Source: http://plugins.netbeans.org/plugin/51532/radar-netbeans
Here are the advantages and disadvantages of actually introducing SonarQube.
SonarQube Scanner needs to be installed and configured by each engineer.
In order to reduce the disadvantage, let's think about creating a job that can be easily executed from Jenkins that is used in common by the group.
For each development branch, create a script (analyze.sh) for static analysis of SonarQube as follows.
--Analyze for the master branch (if you haven't done so already) --Analyze the development branch --sonar.projectKey is unique for each development branch --Sonar.projectVersion changes between master branch analysis and development branch analysis
analyze.Overview of sh
#!/bin/sh -xe
(Omission)
SONARQUBE_PROJECT_KEY_FROM_API=`curl -s -X GET "${SONARQUBE_HOST_URL}/api/components/show?key=${SONARQUBE_PROJECT_KEY}" | python [Path to file]/json_value.py component key`
# clone repository
git clone ssh://git@[Bitbucket SSH URL with port]/${BITBUCKET_PROJECT_NAME}/${REPOSITORY_NAME}.git
cd ${REPOSITORY_NAME}; pwd
# if key not exists in SonarQube server
if [ -z ${SONARQUBE_PROJECT_KEY_FROM_API} ]; then
# (a) mvn clean package (baseline branch)
git checkout ${GIT_BRANCH_BASELINE}
${MAVEN_COMMAND} clean package -Dmaven.test.skip=true
# (b) run sonar:sonar to ${SONARQUBE_PROJECT_NAME} (baseline branch)
${MAVEN_COMMAND} sonar:sonar -Dsonar.projectKey=${SONARQUBE_PROJECT_KEY} -Dsonar.projectName=${SONARQUBE_PROJECT_NAME} -Dsonar.projectVersion=${SONAR_PROJECT_VERSION_BASELINE} -Dsonar.sources=src/main
fi
# (c) mvn clean package (developing branch)
git checkout ${GIT_BRANCH}
${MAVEN_COMMAND} clean package -Dmaven.test.skip=true
# (d) run sonar:sonar to ${SONARQUBE_PROJECT_NAME} (developing branch)
${MAVEN_COMMAND} sonar:sonar -Dsonar.projectKey=${SONARQUBE_PROJECT_KEY} -Dsonar.projectName=${SONARQUBE_PROJECT_NAME} -Dsonar.projectVersion=${SONAR_PROJECT_VERSION} -Dsonar.sources=src/main
json_value.py
# encoding: utf-8
import json
import sys
# Get JSON from stdin
dic = json.loads(raw_input())
# get keys from arguents
args = sys.argv
# args[0] is this program name
args.pop(0)
for key in args:
if isinstance(dic , list):
# if current value is list, change key to int
key=int(key)
try:
# set dic[key] as next value (or result)
dic=dic[key]
except:
# If failed, print empty string and exit. (might be on KeyError and IndexError)
print ''
sys.exit()
# print result
print dic
Create a Freestyle job and check "This project is parameterized" so that you can specify the required parameters for your script.
Running the job creates a dashboard on the web console that corresponds to your development branch (if you don't already have one). Problems detected in the difference between the master branch and the development branch (newly developed part) will appear in "New Issues". You can see the details of the problem by clicking on the area circled in red.
With the aim of "reducing the burden on the reviewer" and "preventing the release of unintended defects", Jenkins / SonarQube can be used to provide a useful method to quickly eliminate problems contained in newly developed parts. I introduced it.
On the other hand, we also found such issues.
If you want to ignore the problem pointed out, you can ignore it.
I think this is largely due to the circumstances of the group rather than Jenkins or SonarQube. After talking to the members who actually used the Jenkins job, I think the following points are likely to be a bottleneck.
--The importance of static analysis is not well understood and shared ――There were no major problems in the manual reviews so far (or even if problems occur, we have been able to deal with them). --SonarQube's default rule-based suggestions don't always fit the group's current situation. ―― “The burden of reviewee (not reviewer)” is increasing. --I can't remember this Jenkins job during development (too much else to do). ――Even if you remember, it is difficult to actively fix it due to problems such as schedule, skills, and consistency with existing code.
In the next related article,
--SonarQube rule selection
I would like to share either of them if there is a prospect of improvement.
-Can I use Jenkins to automatically test GitHub Pull Requests? ――I don't use SonarQube, but I have the same purpose of "reducing the burden on the reviewer" and "reducing the possibility of mistakes getting into the release". -How to statically analyze test code with SonarQube? --I examined how to set the analysis target of SonarQube Scanner.
Recommended Posts