Static Code Analysis leveraging Sonarqube in IBM Bluemix DevOps Services
It's been a while since I updated my blog, in fact a year! I know I should be more regular in writing these technical articles; hopefully this year has more updates from me. Anyway, on to the topic.
The topic today is Static Code Analysis. In many customer engagements on DevOps on Bluemix, I have been asked how to do Static Code Analysis through the Delivery Pipeline on Bluemix. This is not something that is available out-of-the-box on Bluemix. I normally suggest Kiuwan, which my fellow IBMer Amano-san and I explored and wrote an article about here, but most of the time customers have been using SonarQube, which is quite popular, and would like to leverage it.
Before I get into SonarQube, a brief note on what Static Code Analysis is all about.
Static Code Analysis is a method of examining a program's source code for defects and policy violations without executing the program. The process provides an understanding of the code structure and can help to ensure that the code adheres to industry standards.
With that brief introduction, let's get started.
First I needed a SonarQube server in the cloud so that my build in the Delivery Pipeline is able to talk to SonarQube. Having played around with Docker for a while, choosing a SonarQube image from Docker Hub was the natural choice. I picked version 4.5.7 of SonarQube.
The following command copies an image from Docker Hub to Bluemix IBM Containers directly:
cf ic cpi source_repository/source_image_name private_registry_URL/destination_image_name:tag
I execute:
cf ic cpi sonarqube:4.5.7 registry.ng.bluemix.net/smith/sonarqube:4.5.7
This command copies the SonarQube 4.5.7 image from Docker Hub to Bluemix IBM Containers.
Now from the Bluemix dashboard I go ahead and create a container instance and assign a public IP to it. Voila, I now have my SonarQube server running and can access it at http://<my ip>:9000/ . Docker indeed makes life a breeze; I shall write more on Docker, but that is a topic for another day.
Now my task was to showcase running Static Code Analysis from the Delivery Pipeline. I decided to use the Java Cloudant Web Starter boilerplate application in Bluemix for this.
Once the application is created on Bluemix, I click on the 'Add git' button, which creates a project in hub.jazz.net for me along with the Delivery Pipeline setup.
This project is built using Ant, so I look up the SonarQube Scanner for Ant. I download the required sonarqube-ant-task.jar file and place it in lib/sonar as shown in the screenshot.
Next, in the build.xml file, I need to make a couple of changes:
(i) Add the following properties (replace <IP of Sonar Instance> in sonar.host.url and sonar.jdbc.url with the IP of your SonarQube instance):
<property name="sonar.home" value="lib/sonar"/>
<property name="sonar.projectKey" value="org.sonarqube:java-simple-ant"/>
<property name="sonar.projectName" value="Simple Project for Ant"/>
<property name="sonar.projectVersion" value="1.0"/>
<property name="sonar.language" value="java"/>
<property name="sonar.sources" value="src"/>
<property name="sonar.binaries" value="bin"/>
<property name="sonar.sourceEncoding" value="UTF-8"/>
<property name="sonar.host.url" value="http://<IP of Sonar Instance>:9000"/>
<property name="sonar.jdbc.url" value="jdbc:h2:tcp://<IP of Sonar Instance>:9092/sonar"/>
<property name="sonar.jdbc.username" value="sonar"/>
<property name="sonar.jdbc.password" value="sonar"/>
<property name="ant-contrib.jar" value="lib/ant"/>
(ii) Add the classpath for the Sonar Ant task jar and register the task definition as below (the sonar target itself then just invokes <sonar:sonar/>):
<path id="sonar.classpath">
  <fileset dir="${sonar.home}"><include name="*.jar"/></fileset>
</path>
<taskdef uri="antlib:org.sonar.ant" resource="org/sonar/ant/antlib.xml" classpathref="sonar.classpath"/>
(iii) Make sure you change the build target to include sonar as below:
<target name="build" depends="build-project,sonar,build-war"/>
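As an added example (not the build.xml from the original post or the boilerplate), here is a complete build.xml skeleton that the three steps above produce, with the sonar target defined and the Sonar properties overridable at run time via -D, so the real server address and database credentials can be passed in from the pipeline rather than committed to the git repository. The build-project and build-war bodies, the WebContent/WEB-INF/web.xml path and the placeholder host are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed skeleton: build-project and build-war stand in for the
     boilerplate's own targets; the Sonar pieces are shown in full. -->
<project name="java-cloudant-sonar" default="build" basedir="."
         xmlns:sonar="antlib:org.sonar.ant">

  <!-- Ant properties are immutable: a value passed on the command line
       (ant -Dsonar.host.url=http://1.2.3.4:9000 -Dsonar.jdbc.password=...)
       wins over the defaults below, so the committed file only needs
       placeholders for the server address and credentials. -->
  <property name="sonar.home" value="lib/sonar"/>
  <property name="sonar.projectKey" value="org.sonarqube:java-simple-ant"/>
  <property name="sonar.projectName" value="Simple Project for Ant"/>
  <property name="sonar.projectVersion" value="1.0"/>
  <property name="sonar.language" value="java"/>
  <property name="sonar.sources" value="src"/>
  <property name="sonar.binaries" value="bin"/>
  <property name="sonar.sourceEncoding" value="UTF-8"/>
  <property name="sonar.host.url" value="http://SONAR_HOST_PLACEHOLDER:9000"/>
  <property name="sonar.jdbc.url" value="jdbc:h2:tcp://SONAR_HOST_PLACEHOLDER:9092/sonar"/>
  <property name="sonar.jdbc.username" value="sonar"/>
  <property name="sonar.jdbc.password" value="CHANGE_ME_PLACEHOLDER"/>

  <!-- Classpath holding sonarqube-ant-task.jar from lib/sonar -->
  <path id="sonar.classpath">
    <fileset dir="${sonar.home}" includes="*.jar"/>
  </path>
  <taskdef uri="antlib:org.sonar.ant" resource="org/sonar/ant/antlib.xml"
           classpathref="sonar.classpath"/>

  <target name="build-project">
    <mkdir dir="bin"/>
    <javac srcdir="src" destdir="bin" includeantruntime="false" debug="true"/>
  </target>

  <!-- The sonar task reads every sonar.* property defined above;
       it depends on build-project so sonar.binaries points at real classes. -->
  <target name="sonar" depends="build-project">
    <sonar:sonar/>
  </target>

  <target name="build-war" depends="build-project">
    <war destfile="dist/app.war" webxml="WebContent/WEB-INF/web.xml">
      <classes dir="bin"/>
    </war>
  </target>

  <target name="build" depends="build-project,sonar,build-war"/>
</project>
```

In the Delivery Pipeline build stage the -D values can come from stage environment properties, which keeps them out of the build log history as well as out of the repository.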
With these changes, we are ready to go. Once you have made all these changes, commit and push to the git repository. Once that is done, we shall see that the build is automatically triggered and is successful.
One can click on 'View logs and history' to check the details of the run as below:
I see the Sonar static code analysis being performed as part of the build, and the report is published to SonarQube as below.
There is our Sonar report, pushed from the build to the SonarQube server! One can see that 355 lines of Java code were analyzed, and 5 critical issues, 38 major issues and so on have been identified.
One can click on an issue and drill down further into what the issue was, as shown below:
I hope this helps you get started with SonarQube through the Delivery Pipeline in Bluemix.
Also, as mentioned at the start, one can also explore static code analysis via the Kiuwan integration with DevOps.