This is the 7th year I have been working as a QA Engineer in Solid Gear, and fortunately, I keep on working on the same Project. As all the QA Engineers in Solid Gear, we always want to innovate, and this time, I have had time enough to work on a tool that allows me to improve the code quality standards: SonarQube.
Many of you will not know what is this tool about and what is it used for, so the main purpose of this post is to answer these questions and check how this will help us improve the quality of our code.
What is SonarQube?
SonarQube is an open source platform which is mainly used to perform a static analysis of your source code. Besides, although the tool was initially thought for Java projects, it has been extended to accept extensions for other programming languages.
Static Analysis vs Dynamic Analysis
First of all, I strongly recommend to remember what the static and dynamic analysis mean, so that we all know what we are going to analyse and why it it is useful for us.
The static code analysis is the one that is performed without running the software, that is, evaluating the source code so that we can obtain information and metrics to improve our code detecting errors as early as possible, something that Scrum –the base agile methodology of Solid Gear- also advises.
However, we need to run the software for the dynamic analysis to check its behaviour at runtime. Besides, we need to pay extra attention with the dynamic analysis and have enough test cases -that will help us ensure that a portion of the code has been checked and observed- so that the behaviour we test is relevant enough to be able to give the OK to the code.
The main purpose of this application is to invest in controlling the quality of your software, so that you start analysing the code and be able to detect code smells and the main big problems as early as posible to put a solution before deploying our code into production and before reaching our customers.
First of all, we need to install a SonarQube instance. There are many online manuals so it will be extremely easy to create a clean installation of the tool.
Once installed, you can add as many projects as desired so that you can have a general overview of all of them.
Among all the features that SonarQube offers us, we can highlight the one of providing metrics with respect to:
- programming standards: each programming language has “good practices” that should be carried out when developing. Besides, following these standards, every developer can code in a “comprehensive” way for any of their workmates.
- vulnerabilities: this tool has a large database that includes typical base programming errors, code smells, security (SQL injection, sensitive data exposure, XSS,…). If you are interested in the most common vulnerabilities, I recommend you to have a look at the open community OWASP (Open Web Application Security Project) here.
- code coverage: the tool will allow you to monitor the tests coverage, so that we can check if it is good enough for our quality standards. In this way, we can invest and increase the volumen of tests of our projects.
- duplicate code: SonarQube detects parts of our code that are very similar, so that we can decouple components or refactor or code, following the DYR principle, “Don’t Repeat Yourself”
In my opinion, one of the most powerful features that SonarQube has is the ability to create quality profiles. SonarQube calls quality profiles to the collection of rules that can be applied during the static analysis of our code.
However, it also gives us the ability to create your own custom quality profiles with the rules that you, as QA Engineers, consider appropriate to include when analysing the static code of the project.
In addition, this tool also gives us the possibility to integrate it with Continuous Integration systems, like Jenkins, so that every time you commit something to your stable branch, the static analysis of your code is automatically executed, and check if the new changes have impacted in any of the metrics explained above, but we will leave the continuous integration topic for another post.