¶ SonarQube Quality Code
¶ What is SonarQube?
SonarQube is an open-source tool used to ensure code quality in a project. SonarQube performs static analysis on source code to identify various quality-related issues, such as bugs, security vulnerabilities, and code duplication. SonarQube supports various programming languages and is used in the Continuous Integration/Continuous Delivery (CI/CD) process to consistently maintain code quality throughout the development cycle.
¶ Why we should use SonarQube?
We should use SonarQube because this tool offers many benefits in ensuring code quality and security during system development. The reasons why SonarQube is important to use include:
- Detecting Bugs and Vulnerabilities Early: SonarQube can identify bugs, logic errors, and security vulnerabilities in code even before the application is run.
- Improving Code Quality: SonarQube helps maintain code quality standards by providing detailed reports on technical debt, inefficient code, and duplicated code.
- Enhancing Application Security: SonarQube detects security vulnerabilities that can be exploited by attackers, such as SQL injection, cross-site scripting (XSS), or issues related to authentication.
- Ensuring Compliance with Standards and Best Practices: SonarQube ensures that the code written by developers adheres to coding standards and best practices.
- Integration with CI/CD Pipelines: SonarQube can be integrated into Continuous Integration/Continuous Delivery (CI/CD) pipelines, allowing for automatic code analysis whenever there’s a new commit.
- Preventing Code Duplication: Repeated code (duplication) is difficult to maintain and can increase complexity. SonarQube detects code duplication, enabling us to remove or clean up unnecessary parts promptly.
¶ How to install SonarCube?
In this case, we will using SonarCube and only running in the Visual Studio Code. Here are how to install SonarCube in Visual Studio Code:
- Go to the sidebar, then click on the extension menu.
- Search SonarLint.
- Click install.
- Restart Visual Studio Code.
- Reopen Visual Studio Code.
To make sure whether the SonarLint has been installed, please follow this steps:
- Open one of your files.
- Scroll down and if you find the code that have an orange underline, it means the SonarLint has been successfully installed.
¶ How to scan the issues?
Please follow this steps how to scan the issues using SonarLint:
- Open terminal in the Visual Studio Code, for the shortcut in Windows OS using CTRL + SHIFT + `.
- Go to the PROBLEMS tab. In this tab is the place that would inform you if any problems in your file, mostly came from SonarLint.
¶ How to fix the issues?
Here are the steps how to fix the issues:
- Click on the lamp or orange triangle icon on the left side of the issue description in the PROBLEMS terminal tab.
- Click on the SonarLint: Open description of rule … option.
- Then, SonarLint rule description would be opened as a new tab.
- Click on How can i fix it? tab
- Then, please following those steps in that tab to fix the issues.
¶ What issues can be fixed?
There are some issues that can be fixed with SonarLint:
- Code Quality Issues. SonarLint detects common code smells and best practice violations, helping you maintain cleaner and more maintainable code.
- Security Vulnerabilities. SonarLint flags potential security vulnerabilities that could be exploited.
- Code Smells. Code smells are patterns in the code that indicate deeper problems.
- Bugs. Bugs are actual or potential programming errors that could lead to crashes or incorrect behavior.
- Performance Issues. SonarLint can help detect code that could affect performance.
- Convention Violations. Following consistent code conventions is important for code readability. SonarLint can help enforce coding standards by flagging.
- Threading Issues. For applications with multi-threading or concurrency.