Sascha's Blog

How to analyse your code with sonarcube

Codequaility Oct 7, 2021

Sonarcube is a measurement tool for running static codeanalysis

Installation

I prefer to run the sonarqube on docker. Because it's a clean install and portable runtime environment.

To have a persistent runtime we need a postgres sql server. To store the data, to let sonarqube and the postgres (opens new window)comunicate with each other, we need a virtual network inside the container.

To create a network named mynet we use the following script:

docker network create mynet

Now it's time to create the postgres database instance named postgres for this I use the following docker command:

docker run --name sonar-postgres -e POSTGRES_USER=sonar -e POSTGRES_PASSWORD=sonar -d -p 5432:5432 --net mynet postgres

This will install a postgres sql and connect it to the mynet

Now we must create some directories to support persistence of the sonarqube results First one Directory to store the analysis results

mkdir e:\sonarqube\data

This one for installed extensions

mkdir e:\sonarqube\extensions

so now it's time for the creation of a sonarqube instance called sonarqube:

docker run -d --name sonarqube --net mynet -p 9000:9000 -p 9092:9092 -e SONARQUBE_JDBC_USERNAME=sonar -e SONARQUBE_JDBC_PASSWORD=sonar -e SONARQUBE_JDBC_URL=jdbc:postgresql://sonar-postgres:5432/sonar  -v E:\sonarqube\data:/opt/sq/data -v E:\sonarqube\extensions:/opt/sonarqube/extensions sonarqube:8.9.2-community

This will now connect the instance to mynet and so it will possible to communicate to the prostgres database (installed before).

After the creation you can access the instance by http://localhost:9000

s you will be able to login with the username admin and password admin

USing with WSL2 (Windows Subsystem for Linux)

To run it with the Wsl, you will increase the memory limit. To do this, you must enter the linux instance with:

wsl.exe -d docker-desktop

Now you can execute the following command, to increase the limitation:

sysctl -w vm.max_map_count=262144

Create a new Anylsis project in Songarqube

After you logged in into you sonarqube instance (opens new window)You will be able to create a new project.

This will be uses later to send the compiler analysis to.

So first select manually from the dashboard.

Now you will be able to enter a projectname. For example MyProject

After this, the project was created into sonaqube. Now the important part, you must create an api key for this project. This will be used to push code analysis data to the sonarqube from your compiler output. So let's select locally

you can now set the name for this token.

After you hit the Generate-Button you will get the generated token. Let's assume it is the key MYSECRETKEY

So next step is to setup the requirements into your project

Execute a code analysis with .net core

Beore you can execute an analysis in .net core you must install dotnet-sonarscanner(opens new window)

dotnet tool install --global dotnet-sonarscanner

After that you must extend your porjectfile to include a ProjectGuid like this:

<Project Sdk="Microsoft.NET.Sdk.Web">
    <PropertyGroup>
        <TargetFramework>netcoreapp3.1</TargetFramework>
        ....
        <!-- Important for sonarcube -->
        <ProjectGuid>{AB1EBBAF-6DF7-41E9-815D-9AD4CF90C844}</ProjectGuid>
    </PropertyGroup>
.....
</Project>

This is required for sonarqube. It will use this identify to create a unique key, to assign analysis updates. Otherwise, when no Id is set, it will ignore the project to analyse.

Now let's do our first analysis. First of all we must start the gathering of measures. For this we use the sonarscanner toolkit (installed before). In this you must give information to which project the data will be assigned and which login will be used to authenticate (here you will take your generated key). Four our example we will enter the following command:

dotnet sonarscanner begin /k:"MyProject" /d:sonar.login="MYSECRETKEY"

you will git similiar output like this:

Next lets (re-)build the project with:

dotnet build

NOw the compiler generates the output, that can be send to the sonarqube. You can do this with this command:

dotnet sonarscanner end /d:sonar.login=admin /d:sonar.login="MYSECRETKEY"

After this command, you will get a large output like this (shortened)

After this you can open up your sonarqube (opens new window)and see the result

Conculsion

Sonarqube is a nice tool to make a static code analysis of your code. This will maybe several problems about your security, but also it will identify several complex code or just duplicated that increase technical debt and so on.

Hope that this will help you in such a way to make your code great again šŸ˜‰

Update

I was asked to create a docker compose file. So I uploaded it at a gist file on GitHub here

Tags

Sascha Bajonczak

Recommended for you