SonarQube is an open source platform for continuous inspection of code quality. It uses static code analysis to generate software metrics and detect issues like bugs, vulnerabilities, and code smells. These issues are tracked over time to help developers fix problems early when they are cheap to address. SonarQube integrates with development tools and pipelines to perform analysis on commits and reject code that does not meet quality standards. This provides continuous feedback on code quality and helps enforce good development practices across teams.
4. Continuous Inspection
• A new approach to code quality management
• Code quality as a part of Software Development Life Cycle (SDLC)
• A clear view of software quality for all stakeholders
• Continuous feedback about software quality
• Enforcing better software development practices
5. Continuous Inspection
... but how?
• On-the-fly: Fix issues as the code is written, before they are committed.
• Integration: Analyse on the CI / DevOps pipeline.
• Quality Gates: Reject if not ok.
• Track issues: Track the issues on new code (who committed the issue?)
6. The value of continuous inspection is to find issues while they are still easy and cheap to fix.
9. Software Metrics
... how to generate?
Software metrics are generated by mapping measurable properties of the software (size, branching, test coverage, duplication...) to numbers.
... purpose?
to measure software quality
to find problematic units
to predict the future of software product
10. Software Quality Metrics
Subcomponents of software quality
What & how to measure?
Metric x Quality relations
Software Quality Model
11. Software Quality Model
- McCall, J. A. (1977)
- Boehm (1978)
- Consortium for IT Software Quality (CISQ)
- International Standards (ISO, IEEE...)
12. Software Quality Metrics
Size metrics / lines of code, classes, functions, files...
Test metrics / unit tests, line coverage...
Complexity / cyclomatic complexity, complexity per function...
Duplications / duplicated blocks, duplicated lines (%)...
Issues / blocker, critical, major, minor, info / Code smells, bugs, vulnerabilities
Technical Debt / estimated remediation effort (time needed to fix all open issues)
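To make "how to generate?" concrete, here is an added example (not code from the deck or from SonarQube itself) that maps measurable properties of a Python module to numbers: physical lines, lines of code, comment lines, and a per-function cyclomatic complexity, then flags the "problematic units" whose complexity exceeds a threshold. The sample module is constructed for the example, and the complexity rule (one path for the function, plus one per branch point, plus one per extra `and`/`or` operand) is a simplified approximation, not SonarQube's exact rule.

```python
import ast
from dataclasses import dataclass, field

# Constructed sample module used as analysis input (not code from the deck).
SAMPLE_SOURCE = '''\
import os

# validate a user-supplied file name before joining it to a base directory
def safe_join(base, name):
    if not name or ".." in name:
        return None
    path = os.path.join(base, name)
    if os.path.isabs(name) or not path.startswith(base):
        return None
    return path

def classify(score):
    if score >= 90:
        return "A"
    elif score >= 75:
        return "B"
    else:
        return "C"
'''

# Node types that open a new independent path through a function. This is a
# simplified approximation of cyclomatic complexity, not SonarQube's exact rule.
_BRANCH_NODES = (ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While,
                 ast.ExceptHandler, ast.comprehension)


@dataclass
class FunctionMetrics:
    name: str
    lineno: int
    complexity: int


@dataclass
class ModuleMetrics:
    lines: int            # physical lines
    lines_of_code: int    # non-blank, non-comment lines
    comment_lines: int
    functions: list = field(default_factory=list)


def cyclomatic_complexity(func: ast.AST) -> int:
    """1 for the function itself, +1 per branch point, +1 per extra and/or operand.
    Nested functions are walked too and counted against the enclosing function."""
    complexity = 1
    for node in ast.walk(func):
        if isinstance(node, _BRANCH_NODES):
            complexity += 1
        elif isinstance(node, ast.BoolOp):
            complexity += len(node.values) - 1
    return complexity


def analyse(source: str) -> ModuleMetrics:
    """Map measurable properties of the source (size, branching) to numbers."""
    tree = ast.parse(source)
    raw = source.splitlines()
    blank = sum(1 for line in raw if not line.strip())
    comments = sum(1 for line in raw if line.strip().startswith("#"))
    functions = [
        FunctionMetrics(node.name, node.lineno, cyclomatic_complexity(node))
        for node in ast.walk(tree)
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef))
    ]
    return ModuleMetrics(len(raw), len(raw) - blank - comments, comments, functions)


def functions_over_threshold(metrics: ModuleMetrics, threshold: int = 15) -> list:
    """Names of functions whose complexity exceeds the threshold: the problematic units."""
    return [f.name for f in metrics.functions if f.complexity > threshold]


if __name__ == "__main__":
    m = analyse(SAMPLE_SOURCE)
    print(f"lines={m.lines} ncloc={m.lines_of_code} comments={m.comment_lines}")
    for f in m.functions:
        print(f"{f.name}:{f.lineno} complexity={f.complexity}")
    print("too complex (>4):", functions_over_threshold(m, threshold=4))
```

Running it on the constructed module gives 18 physical lines, 15 lines of code and one comment line; `safe_join` scores 5 (two `if` statements, each with an `or`) and `classify` scores 3 (`if` plus `elif`). The threshold is a parameter: a real quality profile would set it per language.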
22. SonarQube: Architecture
- SonarQube Scanners don't need to be on the same network as the SonarQube Server; they only talk to the server over HTTP(S).
- There is no communication between SonarQube Scanners and the SonarQube Database, so database credentials stay on the server and never need to be present on build agents.
- SonarQube Scanners scale by adding machines.
36. Quality Gates
Don't let commits through the gate if they bring new vulnerabilities, high technical debt, low code coverage...
https://next.sonarqube.com/sonarqube/quality_gates/show/7
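"Reject if not ok" has to be implemented somewhere in the pipeline. The scanner can do it itself (the `sonar.qualitygate.wait=true` property makes the scanner wait for the gate result and fail the build), but a pipeline step that reads the gate status from the Web API is a common alternative. The following is an added example, not code from the deck or from SonarQube: it evaluates a response in the shape of `GET /api/qualitygates/project_status`, lists the failing conditions in readable form, and returns a non-zero exit code so the CI job fails. The response below is constructed, not captured from a real server; the rule is fail-closed, so any overall status other than an explicit OK, or any condition that is neither OK nor NO_VALUE, rejects the build.

```python
import json
import sys

# Constructed response in the shape of GET /api/qualitygates/project_status
# (not captured from a real server).
SAMPLE_PROJECT_STATUS = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "4"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "61.2"},
            {"status": "OK", "metricKey": "new_duplicated_lines_density",
             "comparator": "GT", "errorThreshold": "3", "actualValue": "0.0"},
        ],
        "ignoredConditions": False,
    }
})

# comparator tells which direction breaches the threshold
_COMPARATORS = {"GT": "above", "LT": "below"}


def describe_condition(cond: dict) -> str:
    """Human-readable reason a single gate condition failed."""
    direction = _COMPARATORS.get(cond.get("comparator"), cond.get("comparator"))
    return (f"{cond['metricKey']} = {cond.get('actualValue', 'n/a')} "
            f"is {direction} the threshold of {cond['errorThreshold']}")


def gate_verdict(payload: dict) -> tuple:
    """Return (passed, reasons). Fail closed: only an explicit OK with no
    failing condition passes; NO_VALUE conditions (metric not computed) are
    reported by the server as not failing and are skipped here as well."""
    status = payload.get("projectStatus", {})
    failed = [c for c in status.get("conditions", [])
              if c.get("status") not in ("OK", "NO_VALUE")]
    reasons = [describe_condition(c) for c in failed]
    passed = status.get("status") == "OK" and not failed
    return passed, reasons


def main(raw: str = SAMPLE_PROJECT_STATUS) -> int:
    """Exit 0 when the gate passes, 1 otherwise, so the CI job rejects the commit."""
    passed, reasons = gate_verdict(json.loads(raw))
    if passed:
        print("quality gate passed")
        return 0
    print("quality gate FAILED; rejecting build:")
    for reason in reasons:
        print("  -", reason)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

On the constructed response the build is rejected with two reasons: the security rating on new code (4) is above the allowed 1, and coverage on new code (61.2) is below the required 80. An overall status of NONE (no analysis yet) also rejects, which is the safe default for a gate.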
37. Webhook - integrations
Trigger other systems via Webhooks
• Trigger an alert
• Update a field
• Post a message to a chat room
• Send an e-mail
• Create a ticket
• ....
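A webhook receiver that creates tickets or posts to chat is itself an attack surface: anyone who can reach it could forge a "gate passed" event. SonarQube signs each webhook payload with HMAC-SHA256 using the secret configured on the webhook and sends the hex digest in the `X-Sonar-Webhook-HMAC-SHA256` header, so the receiver should verify that signature over the raw body before parsing or acting. The following is an added example, not code from the deck or from SonarQube: a receiver that verifies the signature in constant time, rejects unsigned or tampered requests, and only then routes the event to the kinds of actions listed above (alert, ticket, chat message). The secret and the event payload are constructed for the example; the payload follows the shape of SonarQube's webhook body (`status`, `project`, `qualityGate.conditions`), and the action strings stand in for the real integrations.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Sonar-Webhook-HMAC-SHA256"

# Constructed secret and event for the example (not real credentials or a captured payload).
WEBHOOK_SECRET = "example-webhook-secret-change-me"
SAMPLE_EVENT = {
    "serverUrl": "https://sonarqube.example.internal",
    "taskId": "task-0001",
    "status": "SUCCESS",
    "analysedAt": "2023-01-01T00:00:00+0000",
    "revision": "0123456789abcdef",
    "project": {"key": "payments-api", "name": "Payments API",
                "url": "https://sonarqube.example.internal/dashboard?id=payments-api"},
    "qualityGate": {
        "name": "Sonar way",
        "status": "ERROR",
        "conditions": [
            {"metric": "new_security_rating", "operator": "GREATER_THAN",
             "value": "4", "status": "ERROR", "errorThreshold": "1"},
            {"metric": "new_coverage", "operator": "LESS_THAN",
             "value": "61.2", "status": "ERROR", "errorThreshold": "80"},
            {"metric": "new_duplicated_lines_density", "operator": "GREATER_THAN",
             "value": "0.0", "status": "OK", "errorThreshold": "3"},
        ],
    },
}


def sign(secret: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body, keyed with the webhook secret."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, body: bytes, header_value) -> bool:
    """Constant-time comparison; a missing header is a rejection, not a pass."""
    if not header_value:
        return False
    expected = sign(secret, body).encode("ascii")
    presented = header_value.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, presented)


def route_event(event: dict) -> list:
    """Decide which downstream actions the event should trigger (as descriptions)."""
    project = event.get("project", {}).get("key", "unknown")
    if event.get("status") != "SUCCESS":
        return [f"alert: analysis of {project} ended with status {event.get('status')}"]
    gate = event.get("qualityGate", {})
    if gate.get("status") == "OK":
        return [f"chat: {project} passed quality gate '{gate.get('name')}'"]
    failing = [c["metric"] for c in gate.get("conditions", [])
               if c.get("status") not in ("OK", "NO_VALUE")]
    return [
        f"ticket: {project} failed quality gate on {', '.join(failing)}",
        f"chat: {project} failed quality gate '{gate.get('name')}' "
        f"({event.get('project', {}).get('url')})",
    ]


def handle_webhook(secret: str, body: bytes, headers: dict) -> tuple:
    """Return (http_status, actions). The signature is checked before the body is parsed."""
    header_value = next((v for k, v in headers.items()
                         if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not verify_signature(secret, body, header_value):
        return 401, []
    try:
        event = json.loads(body)
    except ValueError:
        return 400, []
    return 200, route_event(event)


if __name__ == "__main__":
    body = json.dumps(SAMPLE_EVENT).encode("utf-8")
    headers = {SIGNATURE_HEADER: sign(WEBHOOK_SECRET, body)}
    print(handle_webhook(WEBHOOK_SECRET, body, headers))   # 200, ticket + chat
    print(handle_webhook(WEBHOOK_SECRET, body, {}))        # 401, unsigned
```

Two details matter in practice: the HMAC must be computed over the exact bytes received (re-serialising parsed JSON can change whitespace or key order and break verification), and a request whose body was altered after signing, for example to flip `qualityGate.status` to OK, fails verification even though the header is a valid signature of the original body.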