SonarQube Tutorial | Installing and Configuring SonarQube | What is SonarQube | Intellipaat


Hey guys, welcome to yet another session by Intellipaat. In today's video we'll be learning about SonarQube. It is a software testing tool which is used to improve the quality of the code and help fix errors very early in development. But before we go ahead with that, make sure to subscribe and hit the bell icon so you don't miss any future updates by us.

Now let's take a quick glance at what the agenda will be for today's session. First we will see what software testing is. Then we will learn a bit about both dynamic testing and static testing, see the difference between them, and learn which tools are used for them. Then we will understand what SonarQube is and what some of its features are, and finally we can go ahead and learn the installation of SonarQube and have some practice with it in a hands-on. So without further ado, let's go ahead with this session.

Now let's start with our first topic: what is software testing? Software testing is a part of the software development lifecycle. Its aim is to ensure that the code to be deployed is of high quality, with no bugs and no logical errors. If you imagine yourself as a developer making an app in a company, then your job would be to develop the code, but after it's done being developed it is sent to a tester who makes sure that the code is of high quality with no bugs and no logical errors. He does so by running rigorous tests on that application to make sure it's a proper application. If no errors are found in the tests run on the application code, then it's sent for deployment, and if errors are found then the tester sends it back to the developer so that the developer can fix those errors, and the cycle repeats until a proper application is developed.

Now, why do we do software testing? Software testing is very important while making software because we need to make sure that the software is of high quality; only then will we be able to have customers that are loyal to us and comfortable using our product. For this particular reason, 30% of the time for software development is given to testing. It is necessary that the customer is satisfied, and it's also important to have a high-quality application so that we can make sure that the customer solely and comfortably uses only our products. Testing also decreases maintenance costs as it increases the quality of the code: if we hadn't tested our code properly, then in future an error might appear and we would have to go and solve the whole error, and it would take time to rework it. Instead of doing that, if we had tested it earlier we wouldn't have to spend so much money and time on it, and that way software testing decreases the time and cost it takes to develop software. Software testing also helps in ensuring that the code that is produced is secure and safe.

Now let's see the software testing classifications. The testing types are divided into manual testing and automatic testing. Manual testing is self-explanatory: in manual testing the tester tests all the test cases by himself; he writes them and then he tests them on the code. But in automatic testing the tester just writes scripts, which are standardized tests that are run on the application. Then there are testing methods: there's the static method and the dynamic method. And there are testing approaches: the black box testing approach, the white box testing approach and the grey box testing approach. In the black box testing approach the tester doesn't know the internal structure of the application he is testing; in white box testing the tester does know the internal structure of the application he's testing; but in grey box it's kind of mixed, he knows a little bit but not that much, hence a grey box device is an application whose internal structure is known somewhat. Then there are testing levels: there is unit testing, in which each module is tested separately; then there's integration testing, in which a set of modules, when integrated, are tested; then there's system testing, in which the whole system together is tested; and then there is acceptance testing, in which the whole system is tested for acceptability, whether it fits the requirements of the clients or the customers' needs. Now let's move on to
what dynamic testing is. Dynamic testing happens during the execution of the code. It can help identify subtle defects or vulnerabilities because it looks at the code's integration with other databases, servers and services. What happens is that the developer writes the code, which is then tested, and if there are no errors found then the code can go for deployment, but if any errors are found in the code then the code is sent back to the developer for fixing. This testing only happens during execution; that means it only happens when the code is run, after it's been compiled and executed. It happens in a testing environment, not in the development environment or a production environment. The testing environment is a copy of the production environment in which the environment is the same; this environment is not what's going to be used when the customer is going to use the app, but we will have similar conditions, so we can see how the code runs, and while it's running we will see its integration with the databases or servers or other services, whether they hold up or not.

Advantages of dynamic testing: it will find faults in specific parts of the code during execution time. Some of the errors that wouldn't be found using static testing would definitely be found using dynamic testing, especially those related to parts of the source code that rely on external services. So when we run our application we will find some errors that are related to the integration with other services or other databases, like we said earlier; in that case it's much better than static testing. But normally in software testing we use both static testing and dynamic testing to see how the application holds up. Examples of dynamic testing tools are Selenium, Katalon and CasperJS. These dynamic testing tools are used to write standardized scripts that will then run on the application code to make sure whether it runs properly or not.

Static testing is a method of debugging by examining the source code before the program is run, that is, testing the code without actually executing it. It does so by analyzing the code against a preset of coding rules and ensures that it conforms to the guidelines. What happens is the developer writes the code, and while he is writing the code a static testing tool reads through the code and then analyzes it, and if there is an error found then it informs the developer about it so that the developer can fix it right then and there.

Now, static code analysis: there are many tools which help in static testing and provide us with the analysis for better comprehension. Like I said before, what a static testing tool does is it takes the code while it's being written and performs an analysis on it. If we take the example of SonarQube, what happens is that while the developer is writing the code, SonarQube goes through the code and, based on a set of rules that are already predefined, it sees whether the standards are met or not. Suppose in my developing team we have some standards that are set by the team lead; if we want to make sure that these standards are met, we use a static testing tool, which will then, in the end, after all the code is written, give a comprehensive analysis to the developer, who can then read it and accordingly make changes to his code. This testing only happens during development; in dynamic testing the testing happened during execution. Static testing is the only testing which is not exactly done by the testers and is done by a static testing tool. Your normal IDEs can do it too, but a tool like SonarQube does it in a much, much more comprehensible way and it has many features that we can exploit. Now let's see what the reasons are to use static
code analysis. The first reason: it finds errors early in development. It basically helps us find errors very early in development, before the product even goes into production, and because of that it becomes cheaper and easier to fix them. Now, instead of fixing an error that is way down the production line, we can just fix it early on and not cause a lot of money and time to be wasted on it.

Detects over-complexity in code: it helps detect if the code is written in a very complicated manner even though it can be written very easily. Now sometimes we as developers think that we should write something in a much more complex way because it entices us, but SonarQube or another static code analysis tool will identify that the code has been written in a more complex method and will suggest a simpler method for it. Now it's not always necessary that the developer wishes to write the complex method; it could be that he doesn't know how to write the simplified method for it. Even in that case the static code analysis tool will suggest a more simplified method to write the same code.

Finds security errors: it helps pick up security errors, which basically means it helps the source code be more secure when it is deployed. Whenever the developer is writing the code, the tool helps us understand whether there are any security issues with the code, for example if you have written a password and a username inside the code in text format. Whenever we are writing the code there's a chance that we might write the username and the password in the code instead of injecting them into the code, so the static code analysis tool will identify this and tell us about it so that we can fix our mistake.

Enforces best coding practices: developers may forget to follow best practices specific to a coding language; it can help in solving that issue. So what happens is sometimes developers do not follow best practices that are specific to a code language. Suppose you're writing C++ and there are some standardized practices that have to be followed when writing C++, but the developer doesn't follow them; the tool will identify that and report it as an issue so that we can fix it.

Automated and integrates with Jenkins: it can be a waste of time to regularly ask the testing software to test the code, therefore to solve such a problem we integrate the static testing tool with Jenkins. Now when you're writing code it could be very annoying to keep on clicking on "test the code"; to solve such issues what we do is we integrate our static testing analysis tool inside Jenkins so that we don't have to click on test to test our code again and again; it will do it by itself.

Can create project-specific rules: they allow us to write project-specific rules, and we can customize these rules for each specific project. When we work in a company or when we're working with a team, our team lead tells us that there are some specific rules you have to follow for this project; we can configure these specific rules using our tool, and whenever the developer or we are writing the code, the tool will identify whether we're following these rules or not. If we aren't, then it will raise it as an issue, and we can customize these rules specifically for each project; also, for different projects there can be different kinds of rules that the team or the company wants us to apply. Some examples of static testing tools are SonarQube, the one we're going to learn, Coverity and PyCharm. Now let us try to understand
what technical debt is. It can help us in solving issues that are related to software testing. Technical debt directly translates as the implied cost of additional rework that can occur if, at an early stage, an easy but not efficient solution is chosen; in future, the easy code may restrict scalability. Imagine you are a developer and you write code with a solution to a problem and then you send it for deployment. You can do this in two ways: you can either write an easy solution or a complex solution and then send them for deployment. But there's a chance that the complex solution that you have written, after some time, can allow for easy expansion, but the easy solution that you found early would not allow the same. In better terms, if I gave an example to you: if I was working in a company as a developer and I thought that a problem that occurred has two kinds of solutions, a complex solution and an easy solution, now I go for the easy solution because it costs me less time to write the easy solution, because it's easy, instead of writing the complex solution that will take time. After I write the easy solution it goes for deployment and it successfully deploys, but in future, when the company wants to scale, this easy solution that I took earlier will not allow them to scale; it will cause errors, it will need rework, so then more time and energy will be spent and even more cost will be spent to fix that issue. This is what technical debt basically means: it is the debt we impose on a company when we choose an easy solution instead of going for the complex solution; it's a debt that causes errors later. The more debt we collect, the more cost for additional rework we'll need to spend in future. A static code analysis tool can also identify how much technical debt a person is acquiring when he writes his code. Now let's see what SonarQube is. As you may
have already guessed, SonarQube is a static code analysis tool. It basically goes through a developer's code and identifies errors at an early stage. It's an open source static testing analysis software; it is used by developers to manage source code quality and consistency. Some of the code quality checks are potential bugs, code defects due to design inefficiencies, code duplication, lack of test coverage and excess complexity. Potential bugs is easy to understand. Code defects due to design inefficiencies basically means that when we write code and it's not very design-specific, or it's not very compatible with the design or the structure of the application we are going with, then it can cause a lot of inefficiencies. Code duplication: code duplication takes a lot of memory; to resolve that, the tool helps us. Lack of test coverage means that sometimes there aren't enough tests written for a specific piece of code. Excess complexity: like I said earlier, SonarQube can identify that a solution is sometimes written in a much more complex way and then suggest an easier solution for it.

Now let's discuss what the features of SonarQube are. It can work with 25 different languages; as you can see from the examples given here, it
can work with Java, .NET, JS, COBOL, PHP, Python, C++, Ruby, Kotlin and Scala. One of the features of SonarQube is to identify tricky issues, and there can be many different types of tricky issues; we will go through them here.

Detect bugs: SonarQube can detect tricky bugs or can raise issues on the pieces of code that it thinks are faulty. It basically means that sometimes bugs that the coder can't understand early can be identified using SonarQube.

Code smells: code smells are the characteristics of code that indicate that there might be a problem caused by the code in future, but smells aren't necessarily bad; sometimes they are how a functionality works and there is nothing that can be done about it. This means that sometimes when we write code it can mean that we do not use the best practices, or we do not keep the best practices in our mind when we write the code, and this may cause problems in future. It's kind of like technical debt: if you don't write the code properly then we might have future problems, errors that may come in future. But code smells aren't always a problem; sometimes they are the only way we can write the code, and then there's nothing we can do about it.

Security vulnerabilities: SonarQube can detect security issues that code may face. If a developer forgets to close an open SQL database, or if important details like usernames and passwords have been written in the code, then SonarQube can identify these things, because leaving a SQL database open can cause issues in the source code, and you definitely do not want to write the username and password directly into the code; you would want to inject them, because if the website or the application is hacked then the person that is hacking the application can figure out these details and then get access into more company applications and cause a lot of damage. To solve this, SonarQube can identify these errors or these issues early in development, when the coder is writing the code.

Activate the rules needed: you can create and maintain different sets of rules that are specific to particular projects; these are known as quality profiles. This basically means that, like I said earlier, if a person or a team has some standard rules that it wants you to follow, or some specific rules specific to different projects or to a particular project that it wants to enforce, then it can create that as a quality profile in SonarQube, and when the developer is writing code in future these quality profiles will be tested against the code that he's written; in case he is not following these quality profiles then SonarQube will inform him about it.

Execution path: whenever there is data flow in your program and there's a lot of involvement between the different modules, SonarQube can figure out if there are any tricky bugs in these execution paths. Now, when a company works on an application they'll obviously have a code pipeline, a data flow in the program. SonarQube, when it gets integrated with Jenkins or any deployment tool, works by itself; it keeps on looking for errors by itself, and sometimes SonarQube can figure out tricky bugs that are in these pathways. Suppose an error depends on a module that is way back in the code pipeline, or way back in the data flow in the program; then it can figure out the integration error that happens between these.

Another feature of SonarQube is an enhanced workflow ensuring better CI/CD: automated code analysis keeps working in the background from the development phase itself, monitoring and identifying errors. SonarQube can be automated by integrating it with a deployment tool or an integration tool, and it will keep on working by itself in the background, identifying all the errors, the code smells and technical debt by itself, and basically monitoring the health of the program. Get access through webhooks and an API: to initiate tests we do not need to come to SonarQube directly; we can do that through an API call. If you do not want to install SonarQube directly you can use an API or a webhook to call it and test your program.
Integrate GitHub: it can be directly integrated with your choice of version control system, which is mostly going to be GitHub, so SonarQube can be integrated with GitHub and then it can find errors in the version of the code you are using or the code you are developing. Analyze branches and decorate pull requests: it gives us a branch-level analysis, that is, it doesn't just analyze the master branch, it also analyzes the other branches, identifying any errors with them. So suppose we have a master branch with a lot of feature branches, then it can identify related errors or any errors in either of the branches.

Now the last classification of features of SonarQube, that is, built-in methodology. Discover memory leaks: it can show the memory leak in your application if the application has a tendency to fail or go out of memory; this generally will happen slowly over a period of time. Good visualizer: it has a good way of visualizing; it gives simple overviews of the overall health of the code. Now, after the coder has been developing the code for some time, a proper report of how the code has been performing can be created by SonarQube, and it will be presented on the dashboard so the team lead or the developer himself can go through it, which will tell him all about the number of bugs he has, the number of technical debt days he has, the number of code smells or any security issues that are there; it will let him know about it. Enforces a quality gate: it can enforce a quality gate; you can tell SonarQube, based on your requirements and practices, what code is wrong and what is correct. Like I said earlier with quality profiles, you can have quality gates in which you can tell SonarQube, based on what your requirements are, based on your features and based on what kind of practices your team or your company follows, which code is wrong and which is correct. It doesn't necessarily have to be the standard basic practices or standard rules; it can be the ones that you have developed on your own. Digs into issues: if it shows that there is a problem, SonarQube allows you to go and directly check it out from the summary report, or from one code file to another. Now when you go through the summary in the SonarQube dashboard and you see an error, you just click on it and it will directly take you to where the code is and give a brief summary of what the problem is in that code. Plug-ins for IDEs: it has a plug-in called SonarLint which helps SonarQube integrate itself with an IDE, which means there is no need to install the whole SonarQube package. Now if you're working with some kind of IDE then you don't necessarily need to install SonarQube separately; you can just install its plugin, that is SonarLint, and it will perform all the same things.

Now that we have understood what SonarQube is and why we need to use it, we can move on and learn how to install SonarQube and then have some hands-on practice with it. Now let's see which steps we have to take to install SonarQube: first we will install Docker, and then using Docker we will pull the latest SonarQube image. We'll be using this method since it's much easier to do and it gives you a little bit of practice with Docker also. Then we will set up SonarQube in the browser, and then we will download a sample code and analyze it using SonarQube; that's the part of the hands-on. Now let's move on and
see what steps we have to take to install Docker. First we will start our instance. After you log in to your Amazon AWS console, go over here and click on Launch Instance, then go to the AWS Marketplace and type CentOS; click on the first one, CentOS 7, and continue. We'll be using t2.medium since our requirement needs at least 2 GB of RAM. Configure the storage, and let's add a security rule: All TCP, source Anywhere. Review and launch. So after you are done configuring your security details you can go ahead and click on Launch. It will ask you to select your key pair; you can go and create a new one if you don't have one, or you can proceed with choosing an existing one. Since I already have one I'm going to choose that one, and I'm going to click on acknowledge and Launch Instance. Then just scroll down and view your instances, and the one that you have created will be at the top; click on that and copy its IP address. We'll wait for it to get initialized and started before we open the instance. Now to use this instance we'll have to use a tool called PuTTY, or you can SSH into it; since this is easier for me I'll just use PuTTY. Browse, put my key in, and if your instance is ready, if it's running, you can go ahead and launch it; click on Yes and log in as centos. Now let's make this a little more visible for you guys: type clear, and let's increase the font size also. Now this is much more visible for you guys.
Let's take a quick look at how we have to install Docker. Since we are using CentOS, the method of installing Docker is a bit different. For this we have to go to the Docker website, hub.docker.com. Now to get the Docker we need, we will click on Explore, and in Explore we will click on Docker EE, scroll down, and this is the one we need: Docker Enterprise for CentOS. Click on that and start your one-month free trial; this is just for us getting acquainted with Docker Enterprise. Since I have already downloaded it before, I'll have to come over here, click on My Content, and find this link. Now if you are downloading it for the first time, on that page itself you can find this link, and if you can't, just come over to your username, click on My Content and Setup, and in that you will find this link. All right, copy that link and paste it. Once pasted, click on 7 over here, come back, click on x86_64, click on stable-18.09, and then Packages. We need three files out of here: we will need this file, containerd.io, we will need docker-ee 18.09 and docker-ee-cli 18.09.

Right-click and copy the link address of the latest version, come to your instance, and let's go into root: we are inside root now, accessing it as root. Then use the wget command and paste the copied link. Presently we do not have wget in this instance; if you do not have wget, type yum install wget. Now we use wget to get the links: we type the command wget and right-click to paste our link and press Enter, and as you can see it's downloading the file. We can see that it's been downloaded. Now let's do the same thing for the other two files: come down, click on the latest version, right-click it, copy the link address, use the wget command, paste the link, press Enter. Let's copy the third file's link address while this gets done: wget, paste the link, press Enter. Type ls, and we can see all three files that we need downloaded. Now let's go ahead and install them: we use yum install containerd.io, and I'm going to paste the other two here, giving a space. Okay, I'm going to press Enter and install these packages; yes. This will install Docker for you, and once that's done let's make sure that we have installed Docker properly, so we'll use the systemctl command: systemctl status docker. It shows that the Docker service is loaded but it's inactive, so let's make it active: systemctl start docker. This should start Docker, and let's check its status again, systemctl status docker, and as you
can see, Docker is now active. Let's clear the screen. Now that we have Docker installed and active, let's see what the next step will be. Our next step will be pulling the SonarQube image using Docker: type docker pull sonarqube:latest. This will download the latest SonarQube image from the remote repository. Okay, now that we have installed the image, let's just make sure we have it: docker images, and yes, we have the SonarQube image. Now let's start the Docker SonarQube container: docker run -d, with the name as sonarqube itself, then we'll put the port number as 9000, and the name of the image is sonarqube:latest. Use docker ps to see if SonarQube is running as a container, and as we can see our SonarQube is running at port 9000. To access SonarQube we will have to go back to the browser and take the IP address of the instance we are using, since that's where we started our container; paste it and type colon 9000, the port address, and press Enter. If you've done everything correctly your SonarQube should be running properly.
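The container start-up just described, as an added example that is not from the video or from Intellipaat: a POSIX shell script that checks the kernel setting SonarQube's bundled Elasticsearch needs, starts the container with the same -d, port 9000 and sonarqube:latest arguments used above, and then polls SonarQube's /api/system/status endpoint until it reports UP instead of guessing when to open the browser. The container name, the polling interval and the environment variable names are the script's own choices; the 524288 value is the vm.max_map_count minimum documented for the SonarQube Docker image; Docker itself is assumed to be installed and running as shown above.

```bash
#!/bin/sh
# Added example (not from the video): start SonarQube in Docker and wait until it is ready.
# Assumes Docker is installed and the daemon is active (systemctl start docker, as above).

SONAR_NAME="${SONAR_NAME:-sonarqube}"          # container name (our choice)
SONAR_IMAGE="${SONAR_IMAGE:-sonarqube:latest}" # image tag pulled in the tutorial
SONAR_PORT="${SONAR_PORT:-9000}"               # host port mapped to the container's 9000
MIN_MAP_COUNT=524288                           # vm.max_map_count needed by the embedded Elasticsearch

# Build the docker run command line. Kept in a function so it can be inspected and
# tested without Docker being present.
sonar_run_cmd() {
    name=$1; port=$2; image=$3
    printf 'docker run -d --name %s -p %s:9000 %s' "$name" "$port" "$image"
}

# Return 0 if the given vm.max_map_count value meets the requirement, 1 otherwise.
map_count_ok() {
    [ "$1" -ge "$MIN_MAP_COUNT" ]
}

# Extract the "status" field from the JSON returned by GET /api/system/status,
# e.g. {"id":"...","version":"7.9.1","status":"UP"} -> UP
status_from_json() {
    printf '%s' "$1" | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p'
}

# Poll the status endpoint until SonarQube reports UP, or give up after N tries.
wait_for_sonar() {
    url=$1; tries=${2:-60}
    while [ "$tries" -gt 0 ]; do
        body=$(curl -s "$url/api/system/status" 2>/dev/null || true)
        if [ "$(status_from_json "$body")" = "UP" ]; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 5
    done
    return 1
}

# Only act when invoked as "./sonarqube_up.sh up"; sourcing the file just defines functions.
if [ "${1:-}" = "up" ]; then
    current=$(sysctl -n vm.max_map_count)
    if ! map_count_ok "$current"; then
        echo "raising vm.max_map_count from $current to $MIN_MAP_COUNT"
        sysctl -w vm.max_map_count="$MIN_MAP_COUNT"
    fi
    docker pull "$SONAR_IMAGE"
    # Word-splitting the printed command line runs it.
    $(sonar_run_cmd "$SONAR_NAME" "$SONAR_PORT" "$SONAR_IMAGE")
    docker ps --filter "name=$SONAR_NAME"
    if wait_for_sonar "http://localhost:$SONAR_PORT"; then
        echo "SonarQube is up on port $SONAR_PORT"
    else
        echo "SonarQube did not come up; check: docker logs $SONAR_NAME" >&2
        exit 1
    fi
fi
```

Run it as ./sonarqube_up.sh up on the instance as root. Polling the status endpoint matters because the container shows as running in docker ps well before the web UI answers, which is the moment the tutorial is waiting for when it opens the IP address on port 9000.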
Now that we have completed our installation of SonarQube, let's move on to the hands-on. So let's see what steps we have to follow: install Git and clone the sample project from the given link. So first we'll install Git in our instance and then we'll download a sample project; we'll need this sample project to see how SonarQube works. Let's start by installing Git: we'll head on to our instance and we'll type yum install git, and now we have Git installed. Clear the screen; we come back to the PowerPoint and copy this link of the project. This is the sample project we'll be using; it's a web app, so let's clone it. Come back to our instance, use the git clone command, paste the address of the repository and press Enter, and we can see that it is now cloning the repository into our instance so that we can use it. Now that we have cloned the repository, type ls and we can check that, yeah, it is there; we can cd into it. So we have cloned our repository; we'll come back to this later.

We'll head on to the website and see how to set up SonarQube. We'll log in; the default username and password is admin for both of them. Press Enter and it will log in for you. Click on Create New Project; the project key can be anything, we'll write sample. Move ahead and set it up. Generate a token; it can also be anything. A token is used to identify you when an analysis is performed; if it has been compromised you can revoke it at any point of time in your user account. Let's generate it; now we have this token, we will store it for later, we'll copy this. Continue. What is your project's main language? You can choose which is the main language you are using; since I'll be using Java, click on Java, and you're developing primarily in Java. What is your build technology? Since there are many build tools you can decide which one you want to use; I'll be using Maven, so I'll click on Maven. Execute the scanner for Maven from your computer: we'll be using this command to execute our project. For that we'll need Maven, so let's go ahead and install Maven. To install Maven you have to go to the website, go to Download, copy the link of the apache-maven-3.6.2 file, copy the link address, come back here, cd into /opt and use the wget command, paste the link of our file, press Enter. As we can see it's been downloaded, and since it's a file that comes already built, we do not have to go ahead and install it again; we just have to untar the file. The command we'll be using is tar xvzf on the apache-maven archive, and then we have our apache-maven folder; we'll cd into it. Let's see if it's working. For Maven we need Java, so to install Java we'll be using the command yum install java-1.8.0-openjdk-devel; yes, please. Now that we've installed Java we can go ahead and see if our Maven is working properly or not: yes, it is working properly.
Let's clear the screen. Now, before we can go and compile our sample project, we need to make sure that Maven is available to all of the operating system, not just from this specific location. For that we'll need to use the export command and the environment variable PATH; we will set the path in such a way that everywhere we'll be able to use Maven: export PATH=$PATH:/opt/apache-maven/bin. Now that we have set the environment variable we can go ahead and try and compile our sample project. Clear the screen. Now, one more thing before we go ahead and compile the project: we need to set the metadata for SonarQube that we'll be using with this sample project. Type ls; since I have already created that file I don't have to create it, but if you were creating a project and you didn't have this file then you'll have to create this file, sonar-project.properties. Let's go into it, sonar-project.properties, and these are the details that we entered, like the sonar.projectKey, the project name, the project version, where the sources are, what kind of language you'll be using and what kind of source encoding you are using, in this case UTF-8. This file is basically used for configuring all the metadata that SonarQube requires. So let's save it and come out. Now go ahead and compile the project: mvn compile is the command used for that. Press Enter to compile the project; the build is successful. Now let's go ahead and use the command that SonarQube told us to use, that is, this command after you've set all these details. For running the SonarQube analysis we'll be using this command; copy it from here. SonarQube is analyzing the files, and now that SonarQube has analyzed the files we can go ahead and look at our SonarQube in the browser.
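The analysis step above, together with the webhook/API and quality gate features described earlier, as an added example that is not from the video or from Intellipaat: a POSIX shell script that writes the same sonar-project.properties keys, runs the Maven scanner with the token read from an environment variable instead of typed into the shell, and then uses the report-task.txt file the scanner writes together with SonarQube's /api/ce/task and /api/qualitygates/project_status endpoints to wait for the server-side processing and turn the quality gate result into an exit code, which is what a Jenkins stage needs. The variable names, the project key sample, the sources path src/main/java and the polling interval are assumptions; the sonar.login property is assumed to be what the command generated in the UI used (newer SonarQube versions call it sonar.token); the JSON samples in the test are constructed.

```bash
#!/bin/sh
# Added example (not from the video): run the analysis from the hands-on and turn the
# quality gate into an exit code, the way a Jenkins job would consume it.
# Assumed: SonarQube reachable at SONAR_HOST_URL, the token generated in the UI exported
# as SONAR_TOKEN, and the cloned Maven sample project as the working directory.

SONAR_HOST_URL="${SONAR_HOST_URL:-http://localhost:9000}"
PROJECT_KEY="${PROJECT_KEY:-sample}"          # the key typed into "Create new project"
REPORT_TASK="target/sonar/report-task.txt"     # written by the Maven scanner after each run

# Write sonar-project.properties with the keys the tutorial shows. The standalone
# sonar-scanner reads this file; the Maven scanner takes key/name/version from the POM
# unless overridden with -D, so the key is passed on the mvn command line as well.
write_sonar_properties() {
    dir=$1; key=$2; name=$3; version=$4
    cat > "$dir/sonar-project.properties" <<EOF
sonar.projectKey=$key
sonar.projectName=$name
sonar.projectVersion=$version
sonar.sources=src/main/java
sonar.sourceEncoding=UTF-8
EOF
}

# Read one key=value line from a properties-style file (works for report-task.txt too).
prop_value() { sed -n "s/^$2=//p" "$1"; }

# Pull a string field out of a flat JSON object, e.g.
# json_field '{"task":{"id":"AX1","status":"SUCCESS","analysisId":"AY2"}}' analysisId -> AY2
json_field() { printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }

# Top-level status of GET /api/qualitygates/project_status: OK, ERROR or NONE.
# The conditions array also carries "status" fields, so anchor on the outer object.
gate_status_from_json() {
    printf '%s' "$1" | sed -n 's/^{"projectStatus":{"status":"\([A-Z]*\)".*/\1/p'
}

# Authenticated GET; the token is the basic-auth user name with an empty password.
sonar_get() { curl -sf -u "$SONAR_TOKEN:" "$SONAR_HOST_URL$1"; }

# Wait for the server-side compute task of this analysis, then return the gate status.
gate_status_for_report() {
    task_id=$(prop_value "$1" ceTaskId)
    while :; do
        task=$(sonar_get "/api/ce/task?id=$task_id")
        case "$(json_field "$task" status)" in
            SUCCESS) break ;;
            FAILED|CANCELED) echo "analysis task $task_id failed" >&2; return 1 ;;
            *) sleep 3 ;;
        esac
    done
    analysis_id=$(json_field "$task" analysisId)
    gate_status_from_json "$(sonar_get "/api/qualitygates/project_status?analysisId=$analysis_id")"
}

# Only act when invoked as "./sonar_analyze.sh analyze"; sourcing just defines functions.
if [ "${1:-}" = "analyze" ]; then
    [ -n "${SONAR_TOKEN:-}" ] || { echo "export SONAR_TOKEN=<token from the UI> first" >&2; exit 2; }
    write_sonar_properties . "$PROJECT_KEY" "Sample project" "1.0"
    mvn compile sonar:sonar \
        -Dsonar.projectKey="$PROJECT_KEY" \
        -Dsonar.host.url="$SONAR_HOST_URL" \
        -Dsonar.login="$SONAR_TOKEN"
    status=$(gate_status_for_report "$REPORT_TASK") || exit 1
    echo "quality gate: $status"
    [ "$status" = "OK" ]    # a non-zero exit here is what fails the Jenkins stage
fi
```

Run it as ./sonar_analyze.sh analyze inside the cloned project after export SONAR_TOKEN=... on the instance. Waiting on the compute task rather than calling project_status straight after mvn finishes is the point of the ce/task round trip: the scanner returns as soon as the report is uploaded, and the gate is only computed once the server has processed it.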
Click on the sample project, and after you click on the sample project it gives you an overview of the health of the project: we have 140 bugs, we have 12 vulnerabilities, zero security hotspots, we have two days of technical debt, and we have 231 code smells and 63.4% duplication, and it shows us the percentage of code as well, CSS 8.1, JavaScript 46k, the lines of code. We can go and check many things using SonarQube. We can look into the issues directly; as we can see, "remove this unused import" is violating a rule, and this is a code smell. So if we want to go and fix it, we can directly click on it and it will dig into the issue, like we talked about earlier; it will dig into that issue and we will come over to where the code is and we will see the error, the code smell that is over here. Like how we checked out this code smell, we can go back and check anything we want, any kind of issue. Under Type we can check the number of bugs we have, the number of vulnerabilities we have, the code smells, and it tells us their severity, minor or major. We can go ahead to Measures; this will give us a graphical representation of all the analysis that's been done on the sample project: an overview of the reliability, how reliable the code is; security, the overall security of it; maintainability, etc., like coverage, duplication, size, complexity and issues. We can go ahead and check the code out directly from here itself; you can click on a file and it'll open. We can check the Activity; this is where all the historical data will be stored, like which versions have been used and what issues were solved, etc. Under Administration we can set our quality profiles, the one we want to use, the default Sonar way, or we can go and create our own quality gates based on what we want. Here we can set whichever quality gate we want to use, but if you want to create those quality profiles we have to go over here; here we can choose whichever quality profile you want for whichever language you want, and we can go to Quality Gates and create our own quality gate if you want. And that's all for SonarQube; if you click on Projects it will show you a list of projects over here; since we have only one project this is the only project it's talking about, and it shows overall health over here. So it's a good administrated build tool which can be used by integrating it into Jenkins or any other deployment tool.

Now that's all for SonarQube. This brings us to the end of the video; if you have any queries leave a comment below and we will get back to you at the earliest. Thank you for watching.
