SonarQube is an automatic code review tool to detect bugs, vulnerabilities, and code smells in your code. It can integrate with your existing workflow to enable continuous code inspection across your project branches and pull requests.

Prerequisites

  1. Java 11
  2. at least 2GB of RAM to run efficiently and 1GB of free RAM for the OS
  3. SonarQube does not support 32-bit systems on the server side. SonarQube does, however, support 32-bit systems on the scanner side.

Installing SonarQube server

  1. Download the SonarQube Community Edition server package from sonarqube.org.

[Screenshot: SonarQube download page]

  2. Extract the downloaded file to C:\sonarqube.
  3. Start the SonarQube server by running C:\sonarqube\bin\windows-x86-64\StartSonar.bat.
  4. Allow access in the firewall if it asks for permission.

[Screenshot: SonarQube server starting]

  5. Open http://localhost:9000/ in your browser. You can see the starting screen from SonarQube.

[Screenshot: SonarQube starting screen in the browser]

  6. Once started, you can see the first page.

[Screenshot: SonarQube started]

  7. By default, the System Administrator credentials are login=admin and password=admin.

Analysing Source Code

Once the SonarQube server is installed, it's time to analyse our source code.

  1. Open the Maven settings XML file at %MAVEN_HOME%\conf\settings.xml and add the plugin group and profile shown below (the sonar.host.url value is kept on one line so no surrounding whitespace ends up in the URL).
<settings>
    <pluginGroups>
        <pluginGroup>org.sonarsource.scanner.maven</pluginGroup>
    </pluginGroups>
    <profiles>
        <profile>
            <id>sonar</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
                <sonar.host.url>http://localhost:9000</sonar.host.url>
            </properties>
        </profile>
    </profiles>
</settings>
  2. Open the pom.xml of your project and add the plugin to pluginManagement in the build section.
<build>
    <pluginManagement>
        <plugins>
            <plugin>
                <groupId>org.sonarsource.scanner.maven</groupId>
                <artifactId>sonar-maven-plugin</artifactId>
                <version>3.7.0.1746</version>
            </plugin>
        </plugins>
    </pluginManagement>
</build>
  3. Build your project with the mvn clean install command.
  4. To analyse the source code, execute mvn sonar:sonar. Once the build is successful, your project is updated on the SonarQube server and you can see the results of the detailed code analysis.

[Screenshot: project overview in SonarQube]

[Screenshot: project issues in SonarQube]
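Once mvn sonar:sonar has pushed an analysis, a CI job usually also wants to fail when the project's Quality Gate fails. The helper below is an added example (not part of the original post or of SonarQube's own tooling): it calls the server's Web API endpoint api/qualitygates/project_status and lists the failing conditions. The host URL, the project key, the SONAR_TOKEN user token (sent as the basic-auth user name with an empty password, which is how SonarQube token authentication works) and the sample response are assumptions; the sample is constructed to mirror the endpoint's response shape so the script runs offline.

```python
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Assumed values: the server configured in settings.xml above and a project
# key of the form Maven uses (groupId:artifactId). Override via environment.
HOST_URL = os.environ.get("SONAR_HOST_URL", "http://localhost:9000")
PROJECT_KEY = os.environ.get("SONAR_PROJECT_KEY", "com.example:demo-app")


def fetch_project_status(host_url, project_key, token):
    """Call api/qualitygates/project_status and return the parsed JSON body."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    url = f"{host_url.rstrip('/')}/api/qualitygates/project_status?{query}"
    req = urllib.request.Request(url)
    # Token auth: token as user name, empty password, HTTP basic.
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def failing_conditions(payload):
    """Return (gate status, list of readable descriptions of failed conditions)."""
    status = payload["projectStatus"]
    failed = [
        f"{c['metricKey']} {c['comparator']} {c['errorThreshold']} "
        f"(actual {c.get('actualValue', '?')})"
        for c in status.get("conditions", [])
        if c["status"] == "ERROR"
    ]
    return status["status"], failed


# Constructed sample response for an offline run; same shape as the real endpoint.
SAMPLE_RESPONSE = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_coverage", "comparator": "LT",
     "errorThreshold": "80", "actualValue": "85.2"},
    {"status": "ERROR", "metricKey": "new_security_rating", "comparator": "GT",
     "errorThreshold": "1", "actualValue": "4"},
    {"status": "ERROR", "metricKey": "new_vulnerabilities", "comparator": "GT",
     "errorThreshold": "0", "actualValue": "2"},
]}}


def main():
    token = os.environ.get("SONAR_TOKEN")
    payload = fetch_project_status(HOST_URL, PROJECT_KEY, token) if token else SAMPLE_RESPONSE
    gate, failed = failing_conditions(payload)
    print(f"Quality Gate: {gate}")
    for line in failed:
        print(f"  FAILED: {line}")
    return 0 if gate == "OK" else 1  # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main())
```

Without SONAR_TOKEN set the script evaluates the constructed sample and exits 1, because two "new code" security conditions are in ERROR.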

SonarScanner is also available for other popular build systems:

  • Gradle
  • MSBuild
  • Jenkins
  • Azure DevOps
  • Ant
  • anything else (CLI)

You can see how to configure SonarScanner for your specific build system in the official SonarQube documentation: https://docs.sonarqube.org/latest/analysis/overview/