
Maven and Sonar Integration: A 5-Step Guide for Effective QA

Overview

It has been statistically proven that, as software developers, we spend 80% of our time reading code and only 20% of our time writing it. So it’s important that, during that 20%, we write code that will make our lives easier during the 80% we spend maintaining it. That is why you’ll be hearing more and more about clean code.

The term clean code can have several definitions depending on the author, but the one that comes up most often is the following: Clean Code is code that’s easy to read, maintain, understand, and change through structure and consistency yet remains robust and secure to withstand performance demands.

So you guessed it: in this article, we will be talking about Clean Code. We’ll be looking at one of the most popular tools on the market for the subject, SonarQube, and at integrating it into a Maven project to generate code quality metrics. Ready to explore further? Let’s get started!

Version Check

This tutorial has been tested with the following tools:

  • Java 8
  • Maven 3.8.6
  • SonarQube Community 10.1.0.73491

Step 1: Create a Maven Project

We’re not going to create a whole new project. Instead, we’ll reuse the project from a previous article on JaCoCo. You can find the full code for that article on GitHub.

Step 2: Set up SonarQube server locally

This tutorial assumes that you already have a local installation of SonarQube. If this is not the case, please follow this guide.

Step 3: Configure your project in SonarQube

Once you have a SonarQube instance up and running, connect to it to configure your project.
The SonarQube dashboard will look like this:
[Screenshot: SonarQube dashboard]

Click on “Create a project” in the top right-hand corner, then select “Manually” in the following window as follows:
[Screenshot: “Create a project”, then “Manually”]

Fill in the next screen as follows and click “next”:
[Screenshot: project creation form]

In the next screen, select “Use the global setting” and then “Create project”:
[Screenshot: “Use the global setting”, then “Create project”]

Next, you’ll have to specify how you want to analyze your repository. Different options are possible: Local, Jenkins, GitHub Actions, etc. For this demo project, we will analyze a local repository. So select “Locally”.
[Screenshot: analysis method selection, “Locally”]

In the next screen, you’ll generate a token to analyze your project. You can adjust the validity of your token as you wish. Click “generate” once you’re done.
[Screenshot: token generation form]

Once the token is generated, you can save it in a safe location and click “Continue”.
[Screenshot: generated token]

The final step is to select your build tool, i.e. Maven. Then copy the scanner command to be executed in your project directory.
[Screenshot: build tool selection and scanner command]

Step 4: Run the Sonar Scanner in your project

Open a terminal and navigate to the root directory of your project. Then execute the scanner command as shown below:
[Screenshot: scanner command run in the project directory]
After a few seconds, depending on your project size, you’ll have an output like this:
[Screenshot: scanner output]
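As an added example (not code from the original post), here is a small wrapper around the Maven scanner command that SonarQube shows you in Step 3. It keeps the token in the SONAR_TOKEN environment variable rather than in the script, and makes the build fail when the quality gate fails. The project key `jacoco-demo` and the URL `http://localhost:9000` are placeholders to replace with your own values.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Wraps the Maven scanner
# command from Step 3. Host URL and project key are placeholders.

# Assemble the scanner command without the token, so the command itself is
# safe to log or paste. "clean verify" runs the tests first, which makes the
# JaCoCo report available when the sonar goal uploads coverage.
# sonar.qualitygate.wait=true makes the scanner wait for the quality gate
# result and exit non-zero when the gate fails, which is what you want in CI.
build_sonar_cmd() {
  local project_key="$1" host_url="$2"
  printf 'mvn clean verify sonar:sonar -Dsonar.projectKey=%s -Dsonar.host.url=%s -Dsonar.qualitygate.wait=true' \
    "$project_key" "$host_url"
}

# Succeed only when a token is present in the environment. Reading it from
# SONAR_TOKEN keeps the token out of the script and out of version control.
require_token() {
  [ -n "${SONAR_TOKEN:-}" ]
}

run_scan() {
  local project_key="${SONAR_PROJECT_KEY:-jacoco-demo}"      # placeholder key
  local host_url="${SONAR_HOST_URL:-http://localhost:9000}"  # local server
  require_token || { echo "SONAR_TOKEN is not set; aborting" >&2; return 1; }
  # The token is appended only at execution time. Note that -D values are
  # still visible to other local users in the process list while mvn runs.
  # shellcheck disable=SC2046
  $(build_sonar_cmd "$project_key" "$host_url") -Dsonar.token="$SONAR_TOKEN"
}

# Run the analysis only when invoked with --run, e.g.:
#   SONAR_TOKEN=sqp_placeholder ./sonar-scan.sh --run
if [ "${1:-}" = "--run" ]; then
  run_scan
fi
```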

Step 5: View your project report in SonarQube

Moving back to your Sonar Dashboard, you’ll see the analysis report.
[Screenshot: analysis report in the SonarQube dashboard]

This screen gives you an overview of the quality of your code. The metrics are grouped into several categories: Reliability, Security, Security review, Coverage, Maintainability, and Duplications. In the next article, we’ll take a look at each of these categories and see how to correct some of the vulnerabilities.

Conclusion

In this article, we looked at integrating SonarQube into a Maven project to perform static code analysis. If you would like to use SonarQube in more depth, please consult the official documentation.

In a future article, we’ll look at how to automatically launch a Sonar analysis from a continuous integration pipeline, using a tool like Jenkins.

Did you find this blog post useful? Feel free to drop a thumbs up or comment.

Happy Coding! And more importantly, Clean as You Code!

Noel Kamphoa

Experienced software engineer with expertise in Telecom, Payroll, and Banking. Now Senior Software Engineer at Societe Generale Paris.