Tuesday, May 3, 2016

Improving Code Quality With SonarQube and Jenkins CI

I recently had the opportunity to install/configure SonarQube with Puppet and Jenkins.  Not knowing what I was getting into I found it a little daunting at first but I love the insight SonarQube provides into the Puppet code.

SonarQube is a platform for measuring and reporting code quality.  SonarQube scans the codebase for quality standards violations, aka the Developer's Seven Deadly Sins, and produces a list of issues and reports.  Although SonarQube can find syntactical errors it is more like a linter and does not replace unit testing.  SonarQube is complementary to the array of utilities software developers have at their disposal.

If you're using Puppet you can easily stand up a SonarQube server with either this or that puppet module.  I chose to fork Maestrodev's puppet module because it was tied to their wget module and caused a conflict for me.

Getting started with SonarQube is easy when integrated with Jenkins.  First install the SonarQube plugin for Jenkins.  Second, navigate to the Jenkins "Configure System" section for SonarQube.  Enter your SonarQube server information and it will be made available to jobs.

I prefer to create a service account for Jenkins to log into SonarQube and have all Jenkins jobs use it.  You could also assign developers, or a group of developers, their own SonarQube credentials.


In your job's configuration, check the box and Jenkins will automatically inject the required environment variables for the SonarQube server.


Maven projects can add sonar options as properties to the pom.xml as in this example.  Add the sonar goal and environment variables for the SonarQube server for the Maven target.


Freestyle projects use the Execute Shell block to run sonar-scanner and a sonar-project.properties file.  The properties file specifies where the source is located, the language type, project name, and project key.  This example shows a typical properties file.  The options passed on the command line are required for connecting to the SonarQube server.

In the following example I test for a sonar-project.properties file in my project.  If that file exists then I run sonar-scanner with environment variables from the Jenkins global settings for SonarQube.
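The Execute Shell step just described, as an added example rather than the post's own script: it assumes the job's "Prepare SonarQube Scanner environment" box is checked so the Jenkins SonarQube plugin exports SONAR_HOST_URL and SONAR_AUTH_TOKEN, that sonar-scanner is on PATH, and that the function names and the SONAR_SCANNER override are mine. It also switches off the `-x` tracing Jenkins enables by default while the scanner runs, so the token is not printed into the build console.

```shell
#!/bin/sh
# Jenkins Freestyle "Execute shell" step (added example, not the post's own script).
# Assumes the job's "Prepare SonarQube Scanner environment" box is checked, so the
# Jenkins SonarQube plugin exports SONAR_HOST_URL and SONAR_AUTH_TOKEN, and that
# sonar-scanner is on PATH. Jenkins runs this step with `sh -xe` by default.

# Validate sonar-project.properties in directory $1: the keys the post names as
# required (project key, sources) must be present. Returns 0 when they are, 2 if not.
sonar_props_ok() {
    props="$1/sonar-project.properties"
    for key in sonar.projectKey sonar.sources; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$props" || {
            echo "$props is missing required key $key" >&2
            return 2
        }
    done
    return 0
}

# Scan the project in directory $1 only when it carries a properties file.
# SONAR_SCANNER (assumed name) overrides the scanner command; default is sonar-scanner.
run_sonar_scan() {
    dir="$1"
    scanner="${SONAR_SCANNER:-sonar-scanner}"
    [ -f "$dir/sonar-project.properties" ] || {
        echo "no sonar-project.properties in $dir, skipping SonarQube scan"
        return 0
    }
    sonar_props_ok "$dir" || return $?
    [ -n "${SONAR_HOST_URL:-}" ] && [ -n "${SONAR_AUTH_TOKEN:-}" ] || {
        echo "SONAR_HOST_URL/SONAR_AUTH_TOKEN unset: enable the SonarQube environment in the job" >&2
        return 3
    }
    # Jenkins' default -x tracing would print the token into the console log, which
    # anyone with read access to the job can see; switch tracing off in the subshell.
    ( cd "$dir" && set +x && "$scanner" \
        -Dsonar.host.url="$SONAR_HOST_URL" \
        -Dsonar.login="$SONAR_AUTH_TOKEN" )
}

# As a job step: scan the checked-out workspace (JENKINS_HOME and WORKSPACE are set by Jenkins).
if [ -n "${JENKINS_HOME:-}" ]; then
    run_sonar_scan "$WORKSPACE"
fi
```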

After your Jenkins job runs, links are available to the SonarQube reports for each run.  You can click on the "SonarQube" link in the main menu or on the blue wavy lines for the job.  You will be taken to the project report on the SonarQube server.

SonarQube by default comes with the Java plugin to scan Java code.  If you want to scan Puppet code you'll need to install the Puppet plugin via SonarQube's Update Center.  When you scan your codebase you'll get a nifty dashboard with the ability to drill down and get specific errors.

The level of effort to get the server running and integrated with Jenkins was minimal.  Not knowing anything about the platform I was able to get the server up and running in a day, and that included working on my Puppet module.  It took another 4hrs of messing around until I figured out how to get it working from Jenkins.  It's so easy to get started I highly recommend setting this up.