4. SonarQube
• Sonar is an open source platform for continuous
inspection of code quality.
• Static code analysis for Java.
• It is developed with a main objective in mind: make
code quality management accessible to everyone
with minimal effort.
• Sonar provides code analyzers, reporting tools,
defects hunting modules and TimeMachine as core
functionality.
5. Sonar – all in one
NOTE: DRY—Don't Repeat Yourself
Don't Repeat Yourself is a programming principle aimed at reducing repetition of
code.
NOTE: Above image is taken from its official site
6. • Design and architecture – minimize dependencies
• Duplications – isolate and refine duplications (Don't Repeat Yourself)
• Unit tests – write unit tests, especially for complex parts of the
software
• Complexity – even out disproportionately distributed complexity among
components; eliminate complexity where possible
• Potential bugs – eliminate code violations to prevent vulnerabilities
• Coding standards – respect coding standards and follow best practices
• Documentation and comments – provide documentation, especially for
the public API and the source code
7. How does Sonar work?
Sonar has a simple and flexible architecture that
consists of three components:
A set of source code analyzers that are grouped in a Maven
plugin and are triggered on demand. The analyzers use configuration
that is stored in the database.
A database that not only stores the results of analysis, projects and global
configuration, but also keeps historical analyses for TimeMachine.
A web reporting tool that is used to display code quality dashboards on
projects, hunt for defects, check TimeMachine and configure
analysis.
8. What does Sonar provide?
• Quality profiles
• Dashboards
o A consolidated view that shows all projects
o Project dashboard is also available at modules and
packages level
• Hunting Tools
• TimeMachine
o TimeMachine is used to watch the evolution, replay the
past, especially as it records versions of the project.
10. FindBugs
• FindBugs is a program to find bugs in Java programs.
• FindBugs is platform independent, and is known to run
on GNU/Linux, Windows, and MacOS X platforms.
• It uses static analysis on Java code.
– Static analysis is a way to inspect code without executing the
program.
• Works on byte code rather than source code.
11. • This tool inspects Java byte code, which is saved in
the form of compiled class files, to detect
occurrences of bug patterns.
Bug patterns
• Bug patterns are checklist items for possible
problems in the Java source.
12. The patterns are categorized by the list below:
• Malicious code vulnerability – code that can be
maliciously altered by other code.
• Dodgy – code that can lead to errors.
• Bad practice – code that violates the recommended
coding practices.
• Correctness – code that might give different results
than the developer intended.
• Internationalization – code that can inhibit the use of
international characters.
13. • Performance – code that could be written differently
to improve performance.
• Security – code that can cause possible security
problems.
• Multithreaded correctness – code that could cause
problems in a multi-threaded environment.
• Experimental – code that could miss clean-up of
streams, database objects, or other objects that
require a cleanup operation.
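To make the categories concrete, here is an added Java example (it is not from the slides and not from the FindBugs project) that shows three small defects of the kinds listed above, each beside its fixed form. The pattern identifiers in the comments (EI_EXPOSE_REP, ES_COMPARING_STRINGS_WITH_EQ, OS_OPEN_STREAM) are the names FindBugs uses for these checks; the class names and host names are made up for the example.

```java
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.Arrays;

public class BugPatternExamples {

    // --- Malicious code vulnerability (EI_EXPOSE_REP) ---
    // Returning the internal array hands out a reference to mutable state,
    // so any caller (including code we do not trust) can rewrite it.
    static class LeakyConfig {
        private final String[] allowedHosts = {"internal.example", "localhost"};
        public String[] getAllowedHosts() { return allowedHosts; } // flagged
    }

    // Fixed: return a defensive copy; mutating the copy cannot change the config.
    static class SafeConfig {
        private final String[] allowedHosts = {"internal.example", "localhost"};
        public String[] getAllowedHosts() { return allowedHosts.clone(); }
    }

    // --- Bad practice (ES_COMPARING_STRINGS_WITH_EQ) ---
    // == compares object references, so two strings with equal contents
    // that are not the same object compare as "different".
    static boolean isAdminBroken(String role) { return role == "admin"; } // flagged
    static boolean isAdmin(String role) { return "admin".equals(role); }

    // --- Resource cleanup (OS_OPEN_STREAM) ---
    // The reader is never closed: the file handle leaks until GC runs.
    static String firstLineLeaky(String path) throws IOException {
        BufferedReader r = new BufferedReader(new FileReader(path)); // flagged
        return r.readLine();
    }

    // Fixed: try-with-resources closes the reader on every path, including exceptions.
    static String firstLine(String path) throws IOException {
        try (BufferedReader r = new BufferedReader(new FileReader(path))) {
            return r.readLine();
        }
    }

    public static void main(String[] args) {
        LeakyConfig leaky = new LeakyConfig();
        leaky.getAllowedHosts()[0] = "other.example"; // the caller just changed the config
        System.out.println("leaky: " + Arrays.toString(leaky.getAllowedHosts()));

        SafeConfig safe = new SafeConfig();
        safe.getAllowedHosts()[0] = "other.example"; // only the copy changed
        System.out.println("safe:  " + Arrays.toString(safe.getAllowedHosts()));

        String role = new String("admin"); // equal contents, distinct object
        System.out.println("broken: " + isAdminBroken(role) + ", fixed: " + isAdmin(role));
    }
}
```

Compile the class with `javac`, then point FindBugs at the resulting `.class` files rather than at the source: as slide 10 says, the tool works on byte code, so the compiled output is what it inspects.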
14. FindBugs Results
Warnings reported by FindBugs are categorized into:
• Relevant positive – a bug that the developers must fix or
should fix.
• Irrelevant positive – a bug, but one that is irrelevant to the
program and does not need to be fixed.
• False positive – not a bug.
16. • My conclusion from this is that using FindBugs
is definitely worthwhile. I plan to roll it out to
all my Java projects and integrate it into the
automated builds so that the FindBugs results
are also available from the continuous
integration server.
Editor's Notes
Quality profiles:
Sonar lets you manage multiple quality profiles so that the required level can be adapted to the type of project (new project, critical application, technical library, etc.). Managing a profile consists of:
o activating, deactivating and weighting coding rules
o defining thresholds on metrics for automatic alerting
o defining the project-to-profile association
Dashboards:
Sonar has two dashboards that give the big picture, hint at where there might be issues, and let you compare projects:
o a consolidated view that shows all projects
o a project dashboard, also available at module and package level
Hunting Tools:
To confirm that what seems to be an issue really is an issue, Sonar offers a set of hunting tools that lets you go from the overview down to the smallest detail:
o drill-down on every displayed measure, to see what lies behind it
o class clouds, used to find the classes least covered by unit tests
o hotspots, which show on one page the files that rank highest and lowest
o a multi-entry source viewer (duplication, coverage, violations, test success, etc.) to confirm the findings made with the hunting tools