Source code quality analysis is a basic building block of the Continuous Integration process. Along with automated tests, it is the key component for delivering reliable software without numerous bugs, security vulnerabilities, or performance problems.
There are many open source as well as commercial tools available for static code analysis, such as LGTM, PMD, Graudit, reshift, Codacy, and many more. One of the best static code analyzers you can find on the market is SonarQube.
It supports more than 25 programming languages, fits nicely into a CI workflow, and can be easily integrated with the most popular Continuous Integration engines like Jenkins, Bamboo, CircleCI, TeamCity, etc. One of the major advantages of SonarQube is that it is plug-and-play and can be easily managed from a web dashboard.
One question that everyone should ask themselves is “WHY”. Why do we need it, or why do we have to do it? Would it be productive for the team? What I have seen is that in the early stage of using tools like these, the most frustrated person is the developer, as developers are the ones who have to deliver code that meets business demands and also looks nice. On top of that, if any of the not-so-important rules are not fulfilled, the build will break. On the other hand, we will see that high code quality can be fun: you can spend more time on developing better code while other team members spend their time fixing their bugs.
So today, we are going to discuss Quality Profiles.
Nobody can explain Quality Profiles better than the people who created them, so I am pasting this excerpt from the SonarQube docs for convenience. The link is also provided here.
Quality Profiles are one of the core components of SonarQube since they are where you define sets of Rules that, when violated, should raise issues on your codebase (an example would be: Methods should not have a Cognitive Complexity higher than 15). Quality Profiles are defined for individual languages.
While it’s recommended to have as few Quality Profiles as possible to ensure consistency across projects, you can define as many Quality Profiles as are necessary to fit your specific needs.
There is also at least one built-in Quality Profile (the Sonar way) per language. These Quality Profiles are designed by SonarSource with rules that are generally applicable for most projects.
The Sonar way Quality Profiles are a good starting-point as you begin analyzing code, and they start out as the default Quality Profiles for each language. That being said, we recommend that you Copy this profile and begin to fine-tune the contents. Why?
Default Quality Profiles are not editable, so you won’t be able to customize the Sonar way to your needs.
Now let’s say there is some rule in the default Quality Profile that developers want to ignore, or, quite the opposite, they want to add a rule which does not exist in the default rule set. But we already learned that default Quality Profiles are not editable. Well, there’s a way to do it.
Let’s see how we can make our own custom quality profile using a built-in quality profile.
Suppose that in my Sonar analysis report I find an issue and want to get rid of it (the one highlighted below).
So first, I would check for the rule behind this issue. Let’s see how we can check that:
- First, click on “Why is this an issue?” as shown below.
- You can check the rule behind the issue as shown in the image below.
Great, now we have the rule that we have to disable in the Quality Profile.
- Go to the Sonar way Quality Profile.
- Copy the Sonar way Quality Profile so that your custom Quality Profile inherits all of its rules, and give your custom Quality Profile a name.
- Now go back to the Quality Profiles page and check that your new Quality Profile is listed there.
- Finally, we will deactivate the rule, which will get rid of the issue we encountered initially.
- Search for rules that you have to deactivate.
- Click deactivate.
Great! So now we have created our own custom Quality Profile from a Sonar built-in Quality Profile.
Deactivating a rule is not the preferred option; you must fix it. 🙂
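The same steps driven through the SonarQube Web API instead of the dashboard, as an added example (not code from this post): it looks up the built-in profile, copies it, and deactivates a rule, but refuses rules of type VULNERABILITY or SECURITY_HOTSPOT unless the caller opts in, because deactivating a security rule removes coverage rather than fixing anything. Endpoint names and parameters are my assumption from the SonarQube Web API documentation (verify against /web_api on your own server); the server URL and token are placeholders, and `opener` is injectable so the flow can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

SECURITY_TYPES = {"VULNERABILITY", "SECURITY_HOTSPOT"}  # deactivating these drops security coverage


def make_client(base_url, token, opener=urllib.request.urlopen):
    """Return call(method, path, params) -> dict for one server; `opener` is injectable for tests."""
    auth = base64.b64encode(f"{token}:".encode()).decode()  # user token as basic-auth username

    def call(method, path, params):
        query = urllib.parse.urlencode(params)
        url = f"{base_url.rstrip('/')}/api/{path}"  # assumption: standard /api/<domain>/<action> layout
        data = None if method == "GET" else query.encode()  # POST bodies are form-encoded
        if method == "GET":
            url = f"{url}?{query}"
        req = urllib.request.Request(url, data=data, method=method,
                                     headers={"Authorization": f"Basic {auth}"})
        with opener(req) as resp:
            body = resp.read()
        return json.loads(body) if body else {}  # deactivate_rule answers 204 with no body

    return call


def builtin_profile_key(call, language, name="Sonar way"):
    """Locate the built-in (read-only) profile that the post copies from."""
    result = call("GET", "qualityprofiles/search", {"language": language, "qualityProfile": name})
    for profile in result.get("profiles", []):
        if profile.get("isBuiltIn"):
            return profile["key"]
    raise LookupError(f"no built-in profile {name!r} for {language}")


def copy_profile(call, from_key, new_name):
    """'Copy Sonar way': the new profile starts with every rule of the original active."""
    return call("POST", "qualityprofiles/copy", {"fromKey": from_key, "toName": new_name})["key"]


def deactivate_rule(call, profile_key, rule_key, allow_security=False):
    """'Click deactivate', but refuse security rules unless the caller explicitly opts in."""
    rule_type = call("GET", "rules/show", {"key": rule_key})["rule"].get("type")
    if rule_type in SECURITY_TYPES and not allow_security:
        raise ValueError(f"{rule_key} is a {rule_type} rule; fix the finding instead of hiding it")
    call("POST", "qualityprofiles/deactivate_rule", {"key": profile_key, "rule": rule_key})
    return rule_type
```

Run it against a real server with `call = make_client("https://sonar.example.invalid", "<user token>")` and the rule key shown on the rule page; the token needs the "Administer Quality Profiles" permission.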
Soon I will be writing a blog post on Quality Gates and how we can block our CI pipeline if a Quality Gate fails.
Thanks for reading; I’d really appreciate any and all feedback. Please leave a comment below if you have any feedback.
Cheers till the next time.
Opstree is an end-to-end DevOps solution provider.