SonarQube - how is it used - sonarqube

I have a simple problem, with a simple answer probably, but I can't find what is it. We want to deploy SonarQube along with Checkstyle and some other tools, but we can't find out is it meant for a centralized, server deployment, or on each developer machine? All tutorials show installations on separate machines and being used in the localhost, while there is a public instance example, and the requirements and specs certainly look service-like.
On the other hand, I'm not getting how do the developers submit their code for checks if it is on a server.
So, in short, how is it deployed? Any checklist or something similar would be of great help.

The SonarQube "runtime" architecture has several elements:
SonarQube server. It contains a database (e.g., MySql) and an
embedded web server (Tomcat). The SonarQube server stores the
results of analyses (the metrics), but does not execute the code
analyses. This server provides a web UI that shows the dashboard of
the projects, various metrics and drill down into code, admin options. It uses a pluggable architecture--you can add/remove funcitionality via plug-ins.
Program that runs code analysis on the developer machine. There are options: (a) if they are using Eclipse or IntelliJ, they can use the respective SonarLint plug-in, which provides configuration properties, menu options to run analysis, a view to show violations, etc.; (b) developers can also run code analysis via maven (mvn sonar:sonar) or gradle (gradlew sonarqube); (c) developers can execute the various code analyses through a program called SonarQube Runner.
All these options of programs that run the analysis on the developer machine need to be configured to communicate with a SonarQube server. For example, when you run code analysis in IntelliJ using SonarLint, the metrics will be uploaded to the server. This server is typically shared by all developers, but it can also be localhost.
Program that runs code analysis on the CI/CD server. The job/pipeline that builds a software project can be configured to run SonarQube code analysis. It can be done via maven or gradle just like on the developer's machine, or via a plug-in. There are SonarQube CI plug-ins for Jenkins, Hudson, Bamboo, and others. Depending on the size of your project, you may want to configure the code analysis to run once a day only, and not upon each code commit or changes to dependencies. The SonarQube code analysis executed on the CI server will likewise send the generated metrics to the SonarQube server.
The SonarQube architecture documentation is very poor (not to say absent), so it's hard to get the big picture. I hope this helps.

SonarQube (formerly just "Sonar") is a server-based system. Of course you can install it on your local machine (the hardware requirements are minimal). But it is a central server with a database.
Analyses are performed by some Sonar "client" software, which could be the sonar runner, the sonar ant task, the sonar Eclipse plugin etc. The analysis results can be automatically uploaded to the server, where they can be accessed via the sonar Web application.
In an environment with many developers, you should run a build server (e.g. Hudson or Jenkins), which performs automatic sonar analyses as part of the nightly build. Other schedules are possible, but the developers should know when they can expect updates of the server-side analysis results. The results of the automated analysis can be displayed in the individual developer's Eclipse editor by way of the sonar Eclipse plugin.
The architectural documentation on Sonar is quite sparse. I've looked for a picture to visualize what I just described, but could not find one ...

Related

Tracking the origin of a SonarQube Scan

We have a SonarQube server that is actively used by several other teams in the company, but which my team hasn't been using for several years.
When I tried to encourage my team to start monitoring code quality with Sonar again, I discovered that the Project in Sonar is being updated on a regular basis.
However, no-one in the team has any idea where these updates are coming from!
Sonar is not included in our main project POM file (we use Maven), and as far as I can tell, it's not being triggered by Jenkins (the Sonar plugin for Jenkins does not appear to be installed or configured).
That leaves a scheduled execution of a SonarScanner as the most likely source for these updates. However, in a company with several hundred servers and thousands of users, I have no idea where to start looking for this scheduled job!
Is there anything in the Sonar logs that would point to the source of the update, or anything I can configure so that this kind of information is logged?
Your best bet is to monitor to access log of the SonarQube server.
It's in logs/access.log of a SonarQube installation.
It includes the IP address and timestamp of requests,
as well as the project key when a scanner pushes analysis results to the server.
It should be easy to identify the origin of any scan.

How to run preview analysis locally, but disallow uploading to server?

SonarQube 5.6.1
I need to allow users to run SonarQube analysis locally in preview mode, but I do not want them to be able to push anything to the server.
I see that there is this assignable ability:
EXECUTE ANALYSIS Ability to get all settings required to perform an
analysis (including the secured settings like passwords) and to push
analysis results to the SonarQube server.
I need users to be able to do the first half of this:
...get all settings required to perform an analysis...
But not this part:
...push analysis results to the SonarQube server.
With SonarQube 5.6.1, making it possible for users to run preview analyses but not push results to the server require the 2 following things:
Those users don't have the global "Execute Analysis" permission
Those users have the "Browse" permission on their projects
That's all they need.
Note that if your developers are using IntelliJ, Eclipse or Visual Studio, you should encourage them to use SonarLint (connected to your SonarQube server) instead of running "preview" analyses manually. This will be far more efficient. And even if they don't have such IDE, they'd better use SonarLint for CLI.

Do we need SonarQube Scanner on every machine?

I am planning to use SonarQube Scanner (http://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner) for doing sonar analysis for my projects.
Please let me know, if I need to install SonarQube-Scanner on every host or can I install on one host and all other can use the scanner from remote location.
Not sure what you meant by every host but all you need to make sure is project files should be accessible from the machine on which you have sonar scanner. Best practice is to have both the scanner and project files on the same machine.
Sonar scanner can be isolated from the web server. once the analysis is done by the scanner it sends the analysis report to the web server queue from where it is picked by compute engine for processing and pushed to database. However this process was different in older versions(below 5.2).
You don't need to have a scanner on every host.
I'd recommend integrating SonarQube scans into a continuous integration process where your CI server pulls the build and then executes a SonarQube scan on the pulled code base.
This allows developers to submit their changes, start a build on the CI server, and have the code scanned all with only having version control on their development machines.

Eclipse sonar plugin vs findbugs+pmd+checkstyle eclipe plugins

We are trying to install a CI Platform with (Jenkins,sonar,eclipse ...).
So that every developer can make analysis on his code before commit, I'm wondering between two alternatives :
running local analysis with the sonar plugin.
install the different plugins that sonar use (findbug,pmd,checkstyle ...) and configure them to meet the sonar configuration.
I'm not sure which alternative to use? I used to work with findbugs,pmd, checkstyle in eclipse and they look great.
Can you tell me which is the best alternative?
Thanks in advance.
Regards.
With Sonar plugin you can manage the violations like:
Create a review
Mark a violations as false positive or fixed
View the hot classes and hot violations
View yours reviews
If you use separate plugins you have to go sonar web to do that.
The great advance of sonar is the reviews.
Other question is how many projects you have and will have. I currently work with more than 70 projects and many profiles. Is more simple to me run analysis with one plugin, because I need just add the server and find the project. With other plugin you need add the link for each project in each plugin configuration.
Why not install the Sonar Eclipse plugin?
This was designed to solve the following problems:
Sonar does not support parallel analysis of the same project. This issue rules out the option of each developer running Sonar locally. (See SONAR-2761, SONAR-3306)
You don't really want developers uploading metrics and source code into the Sonar database. They could be working on an uncommitted workspace and would therefore cause both inaccuracies and confusion if Sonar is being used for code review.
Sonar is really designed to be run from a continuous integration server (like Jenkins), building code that has been submitted onto a shared codestream (or branch)
The big advantages of using the Eclipse plugin are:
True local analysis, no updates of the Sonar database
Configuration of the other tools is retrieved from the Sonar server and jars automatically downloaded.
Centralized management of Sonar quality profiles

User specific sonar reports for same project

I have configured one project in sonar and integrated sonar with maven for build time analysis of the project.
After analysis, report is generated and uploaded to Sonar for browsing. But once another user compiles the same project their report overwrites mine.
Basically I want that one user's report on one project is not overwritten by report from other user. A user must be able to see their current violations independently. Is it possible in Sonar?
Sonar stores it's analysis on a daily basis, which explains why it's kind of pointless to run analysis several times in a day. Each analysis run will overwrite that day's existing results, which in turn spoils ongoing statistical analysis.
I would suggest running Sonar, from a dedicated build server like Jenkins (which has a Sonar plug-in). This daily analysis will populate the Sonar database and keep the project dashboard current. This architecture also enables you to keep the database credentials confidential.
Obviously developers would like to see the results of their bug fixing. For that I'd recommend running the Sonar Eclipse plug-in. The latest version will run the same Sonar analysis locally. Recent versions of Sonar also enable you to assign violations to developers for resolution.
This is not possible, last performed analysis will always be the one you browse in the interface. However, I guess what you need is the Issue Report Plugin which will enable analysis to store results locally, with the dry-run option.
This way your developers will be able to run an analysis on their code and see the violation delta without pushing the results.
You can do it by explicitly setting the below properties in pom.xml
<properties>
<sonar.projectKey>Test</sonar.projectKey>
<sonar.projectName>Test</sonar.projectName>
</properties>
Every user should set different projectKey and projectName, if you want that one user's report on one project is not overwritten by report from other user.

Resources