Static Code Analysis leveraging Sonarqube in IBM Bluemix DevOps Services

It’s been a while since I updated my blog, infact a year !!! I know I should be more regular writing these Technical articles..hope this year has more updates from me. Anyways..

The topic today is about Static Code Analysis. In many a customer engagement on DevOps on Bluemix, I have been asked about how to do Static Code Analysis through the Delivery Pipeline on Bluemix. Well this is not something which is available out-of-the-box on Bluemix. I normally suggest Kiuwan, which me and my fellow IBMer Amano-san  had  explored and written article on same here , but most of the times customers have been using  SonarQube which is quite popular and would like to leverage the same.

Before I get into Sonarqube , just brief on what is Static Code Analysis  all about ?

Static Code Analysis is a method of computer program debugging that is done by examining the code without executing the program. The process provides an understanding of the code structure, and can help to ensure that the code adheres to industry standards.

There are wide range of tools which do Static Code Analysis and this link gives pretty good view. Sonarqube is one of the Static Code Analysis tools.

With that brief introduction , let’s get started.

First I needed  a Sonarqube Server on Cloud so that my build in Delivery Pipeline is able to talk to Sonarqube . Having played around with Docker for a while ,choosing a Sonarqube image from DockerHub was natural choice. I picked the Version 4.5.7 of Sonarqube.

The following command lets one copy image from dockerhub to Bluemix IBM Containers directly

cf ic cpi source_repository/source_image_name private_registry_URL/

I execute :

docker cpi sonarqube:4.5.7

This command basically copies the sonarqube version 4.5.7 from Dockerhub to Bluemix IBM Containers.

Now from Bluemix dashboard   I go ahead and create a Container instance and assign a public IP to my instance .Voila , I now have my sonarqube server running  and can access it at http://<my ip>:9000/  . Docker indeed makes life a breeze – I shall write more on Docker – but that is topic for another day.

Now my task was to showcase being able to run Static Code Analysis from Delivery Pipeline.I decide to leverage a Java Cloudant Web Starter Boiler Plate application in Bluemix to showcase the same.

Once application is created on Bluemix , I click on ‘Add git’ button which creates a project in for me along with the Delivery Pipeline setup.

This project is built using ant , hence I look up for info for Sonar scanner for Ant. I download the required sonarqube-ant-task.jar file and place it in lib/sonar as shown in screenshot

Screen Shot 2016-06-28 at 8.13.36 PM

Next in the build.xml file, I need to make couple of changes :

(i) Add the following properties ( Replace your IP of sonar instance in

<property name=”sonar.home” value=”lib/sonar”/>
<property name=”sonar.projectKey” value=”org.sonarqube:java-simple-ant” />
<property name=”sonar.projectName” value=”Simple Project for Ant” />
<property name=”sonar.projectVersion” value=”1.0″ />
<property name=”sonar.language” value=”java” />
<property name=”sonar.sources” value=”src” />
<property name=”sonar.binaries” value=”bin” />
<property name=”sonar.sourceEncoding” value=”UTF-8″ />

<property name= “” value =”http://<IP of Sonar Instance>:9000″ />
<property name=”sonar.jdbc.url” value=”jdbc:h2:tcp://<IP of Sonar  Instance>:9092/sonar” />
<property name=”sonar.jdbc.username” value=”sonar” />
<property name=”sonar.jdbc.password” value=”sonar” />
<property name=”ant-contrib.jar” value=”lib/ant”/>

(ii) Add Classpath and then define sonar target as below
<path id=”sonar.classpath”>
<pathelement location=”${sonar.home}”/>
<fileset dir=”${sonar.home}”>
<include name =”*.jar”/>

<target name=”sonar”>
<taskdef uri=”antlib:org.sonar.ant” resource=”org/sonar/ant/antlib.xml” classpathref=”sonar.classpath” />

(iii) Make sure you change the target build to include sonar as below

<target name=”build” depends=”build-project,sonar,build-war”/>

With these changes , we are ready to go . And yes, once you make all these changes , one needs to Commit and Push in git repo . Once that is done , we shall see that build is automatically triggered and is successful.

Screen Shot 2016-06-28 at 8.37.54 PM

One can click on ‘View logs and history’ to check details of the run as below :

Screen Shot 2016-06-28 at 9.55.08 PM

I see the sonar static code analysis is being performed as part of the build and report is published to sonarqube as below.

Screen Shot 2016-06-28 at 9.57.03 PM

There is our Sonar Report pushed from build on Sonarqube Server !  One can see that 355 lines of Java code are analyzed ,  and 5 critical issues , 38 major etc have been identified.

Screen Shot 2016-06-28 at 9.57.24 PM

One can click on issue and drill down further into what issue was as shown below:

Screen Shot 2016-06-29 at 8.10.26 PM

I hope this helps to get started with Sonarqube through Delivery Pipeline in  Bluemix.

Also as mentioned at start, one can also explore static code analysis via Kiuwan integration with DevOps.


  1. Sarang Tripathy

    Good one Smith.. 🙂

  2. I’m afraid I have fallen at the first hurdle. “cf ic” is not recognised as a command. Is that some alias or plugin?


  3. ikun

    ic is a plugin for cf cli :
    you will notice IBM mention it as deprecated, we still use it.
    In the same page, IBM provide information about its own version of cli : bx

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Bluemix HUB

The community for bluemix developers

Smith's Blog

Continuous delivery of software-driven innovation


Sanjeev Sharma: My thoughts on Cloud, DevOps, Data Strategy, and Life...

Takehiko Amano's Blog on Emerging Technologies.

My thought on DevOps and Cloud technologies

Tim Feeney's Blog on Jazz

close encounters of the Jazz kind

Dan Toczala's Blog

THINK - About what's possible....

%d bloggers like this: