
Gradle Project Source Code Analysis Using SonarQube


Source code analysis is a software testing technique used to scrutinize the code paths and data flows a program can execute. It can be either static or dynamic. In static analysis the code is examined without executing the program; this can reveal bugs, security vulnerabilities, poorly written code that will make maintenance costly, and redundant code early in development, often avoiding several rounds of rework later.

There are many tools available for source code analysis. This article focuses on using SonarQube to analyse an Android application written in Java and built with Gradle.

Prerequisites :-

  • SonarQube is already installed or downloaded
  • A Java version supported by the SonarQube server is in use (the 6.5 release used below requires Java 8)
  • Android SDK is installed
  • Gradle is installed or downloaded

Installing SonarQube:-

  • Go to the SonarQube Community Edition download page and download the version you want
  • Extract/unzip the downloaded archive in the location you need
  • Go to the bin folder inside the extracted directory
  • There will be different sub-folders for different OS platforms (for example linux-x86-64)
  • Inside the folder for your platform there will be a sonar.sh file along with other files/folders

Run ./sonar.sh from your platform folder without arguments and it will print the usage details. Run it as a dedicated unprivileged user rather than root: the server process has no need for root privileges, and the embedded Elasticsearch refuses to start as root.

sonarqube-6.5/bin/linux-x86-64 $ ./sonar.sh

Usage: ./sonar.sh { console | start | stop | restart | status | dump }

To start SonarQube server

./sonar.sh start

To stop SonarQube server

./sonar.sh stop

To check whether the server is running

./sonar.sh status

On Windows, the platform folder (for example windows-x86-64) contains .bat files instead, such as StartSonar.bat; run StartSonar.bat to start the server.

This starts a SonarQube server on the default port, 9000.

Open a web browser and go to http://localhost:9000. If you see the 'About' page, SonarQube has started successfully. If you have already analysed several projects, their results are listed here grouped by project, and you can pick the project you want to inspect. Log in and change the password of the built-in administrator account (admin/admin) before the server is reachable from anywhere other than localhost.

SonarQube ships with an embedded H2 database, which is used by default. This quick setup is only suitable for evaluation; for production/real usage, configure one of the supported external databases such as MySQL, Oracle, PostgreSQL or Microsoft SQL Server.

Configuration instructions and parameters for the database settings are in conf/sonar.properties under the installation directory, with commented templates for every supported database. Since that file will hold the database credentials, keep it readable only by the user that runs SonarQube.

Once the SonarQube server is up and running, we can start scanning projects.
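Checking the 'About' page by hand is fine once, but a CI job that launches scans should wait until the server actually reports itself as up, because the web UI answers before the database and Elasticsearch are ready. The script below is an added example, not code from the original post; it assumes the server listens on the URL in SONAR_URL (default http://localhost:9000) and exposes GET /api/system/status, which returns JSON such as {"id":"...","version":"6.5","status":"UP"} (the status moves through STARTING before UP).

```shell
#!/bin/sh
# Added example (not part of the original post): wait for a local SonarQube
# server to report status UP before launching any scans.
# Assumption: GET $SONAR_URL/api/system/status returns JSON with a "status" field.

SONAR_URL="${SONAR_URL:-http://localhost:9000}"

# Extract the value of the "status" field from a status-API JSON body.
# Plain sed so it works on any POSIX sh without a JSON tool.
sonar_status_of() {
    printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# Extract the "version" field the same way (only used for the log line).
sonar_version_of() {
    printf '%s' "$1" | sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed only when the body says the server is fully up (not STARTING,
# DB_MIGRATION_NEEDED, DOWN, or an empty reply because nothing is listening).
sonar_is_up() {
    [ "$(sonar_status_of "$1")" = "UP" ]
}

# Poll the status endpoint up to $2 times, sleeping $3 seconds between tries.
wait_for_sonar() {
    url="$1"; tries="${2:-30}"; delay="${3:-5}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        body="$(curl -sS --max-time 5 "$url/api/system/status" 2>/dev/null || true)"
        if sonar_is_up "$body"; then
            echo "SonarQube at $url is UP (version $(sonar_version_of "$body"))"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    echo "SonarQube at $url did not report UP after $tries attempts" >&2
    return 1
}

# Stand-alone use: ./wait_for_sonar.sh [url]
if [ "$#" -gt 0 ]; then
    wait_for_sonar "$1"
fi
```

Run it as `./wait_for_sonar.sh http://localhost:9000 && gradle sonarqube` so the scan only starts once the server is ready; a non-zero exit means the server never came up within the polling window.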

Prerequisites to run a scan for a project using Gradle :-

  • Read access to the source code of the project
  • Gradle 2.1 or later, along with the SonarQube installation above
  • A token generated from an account that has the Execute Analysis permission

Follow the steps below to scan a project.

Step 1 – Configure the Scanner
Though the scanner itself is installed automatically by the Gradle plugin, certain global properties need to be configured. A good place for them is ~/.gradle/gradle.properties. Every property must be prefixed with systemProp. because they are passed to the scanner as Java system properties. Because this file will contain your token, make it readable only by you (chmod 600 on Linux/macOS).

Add below properties in file gradle.properties

systemProp.sonar.host.url=http://localhost:9000

# Token generated from an account with the Execute Analysis permission
# (My Account > Security > Generate Tokens)
systemProp.sonar.login=[token]

Step 2 – Analysis

Step 2a – Activate the scanner in your build

Add the plugin below to build.gradle

plugins {
    id "org.sonarqube" version "2.6.2"
}

Note: this plugins {} syntax requires Gradle 2.1 or later. For more details, see https://plugins.gradle.org/plugin/org.sonarqube

Assuming a local SonarQube server with out-of-the-box settings is up and running, no further mandatory configuration is required.

Step 2b – Run analysis

Execute gradle sonarqube (or ./gradlew sonarqube if the project ships a Gradle wrapper) from the project folder and wait until the build has completed.

Now go back to the web page and check the results of the analysis you just ran.

Setting properties from the Command Line

SonarQube properties can also be set from the command line, by passing a Java system property named exactly like the SonarQube property in question. This is useful for environment-specific information or ad-hoc configuration. It is a poor place for credentials, though: a token passed as -Dsonar.login is visible to every user on the machine in the process list, ends up in the shell history, and is often echoed into CI logs. Keep the token in a gradle.properties file readable only by you and pass only non-sensitive settings on the command line.

gradle sonarqube -Dsonar.host.url=[SonarQube url] -Dsonar.verbose=true -Dsonar.login=[token]

A SonarQube property value set via a system property overrides any value set in a build script for the same property. When analysing a project hierarchy, values set via system properties apply to the root project of the analysed hierarchy. Every system property whose name starts with "sonar." is taken into account.
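Putting Steps 1 to 2b together with the credential caveat above, the script below is an added example, not code from the original post: it writes the two global scanner properties into ~/.gradle/gradle.properties with owner-only permissions, taking the token from an environment variable rather than the command line, and then runs the Gradle analysis with only non-sensitive -D properties. It assumes the token is in SONAR_TOKEN, the server URL in SONAR_HOST_URL (default http://localhost:9000), and that the project's build.gradle already applies the org.sonarqube plugin as shown in Step 2a; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): configure the SonarQube
# Gradle scanner without ever putting the token on a command line.
# Assumptions: SONAR_TOKEN holds a token from My Account > Security,
# SONAR_HOST_URL points at the server (default http://localhost:9000).

# Write sonar.host.url and sonar.login into the given gradle.properties.
# The body is a subshell so umask only affects the files created here.
# Unrelated settings are kept; earlier systemProp.sonar.* lines are dropped
# so re-running never leaves a stale token behind.
write_gradle_props() (
    file="$1"; url="$2"; token="$3"
    case "$token" in
        "") echo "write_gradle_props: empty token" >&2; exit 1 ;;
        *[!A-Za-z0-9_]*) echo "write_gradle_props: token has unexpected characters" >&2; exit 1 ;;
    esac
    umask 077                                  # new files are created 0600
    dir="$(dirname "$file")"
    mkdir -p "$dir"
    tmp="$(mktemp "$dir/gradle.properties.XXXXXX")"
    if [ -f "$file" ]; then
        grep -v '^systemProp\.sonar\.' "$file" > "$tmp" || true
    fi
    {
        printf 'systemProp.sonar.host.url=%s\n' "$url"
        printf 'systemProp.sonar.login=%s\n' "$token"
    } >> "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$file"                          # atomic replace of the old file
)

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
props_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Run the analysis from the project directory. Extra arguments are passed
# through, so only non-sensitive -Dsonar.* settings should be given here;
# the token is picked up from gradle.properties and never appears in ps output.
run_scan() {
    project_dir="$1"; shift
    ( cd "$project_dir" && gradle sonarqube "$@" )
}

# Stand-alone use: SONAR_TOKEN=... ./sonar_scan.sh /path/to/android/project
if [ "$#" -gt 0 ]; then
    [ -n "${SONAR_TOKEN:-}" ] || { echo "set SONAR_TOKEN first" >&2; exit 1; }
    write_gradle_props "$HOME/.gradle/gradle.properties" \
        "${SONAR_HOST_URL:-http://localhost:9000}" "$SONAR_TOKEN"
    [ "$(props_mode "$HOME/.gradle/gradle.properties")" = "600" ] || { echo "gradle.properties is not private" >&2; exit 1; }
    run_scan "$1" -Dsonar.verbose=true
fi
```

The token check rejects anything that is not alphanumeric or underscore, which catches both an accidentally empty variable and shell metacharacters that would otherwise be written straight into the properties file; the mode check after writing guards against a pre-existing world-readable file being left in place by a different tool.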

Please visit this article for Maven project source code analysis.


© 2018 Copyrights. All Rights Reserved. Arunkumar Velusamy