Where would your SonarQube be - Maven or Jenkins?

Posted by:
Narayana Rallabandi

Publish Date:
3 Dec, 2021

Importance of code review

Code review is a continuous inspection process that assesses the quality of code. It is a software quality measurement approach in which the source code is analysed without being executed. It forms part of static code analysis, which attempts to identify weaknesses in code quality and security with the help of automated tools. SonarQube is one such automated continuous inspection tool.

Why SonarQube?

SonarQube gives developers detailed information on the following:

  • The cohesiveness of a code
  • Presence of defects and inefficiencies in the code design
  • Potential bugs
  • Code smells
  • Code duplication
  • Security vulnerabilities
  • Test coverage
  • Code complexity

The advantages of the code review process are evident in the benefits it brings to the CI/CD pipeline. Developers need to inspect defects and track the improvement in the overall quality of the code to achieve a clean release to production, and SonarQube is an efficient tool for this. SonarQube analysis can be run in the CI/CD pipeline as a Jenkins integration, and it can also be integrated with Maven.

SonarQube with Maven

SonarQube is integrated with Maven through the sonar scanner, which is available as a Maven plugin. The plugin is declared in the settings.xml file as follows:

[Image: sonar scanner plugin declaration in settings.xml]

The plugin can also be added to the pom.xml. The following is added:

[Image: sonar scanner plugin added to pom.xml]

Along with the sonar scanner plugin, a profile containing the URL of the SonarQube server is included as below:

[Image: Maven profile with the SonarQube server URL]

The Maven analysis is started by running the Maven goal from the directory containing the pom.xml. The process also requires an authentication token to run successfully. The following command is used:

[Image: Maven command with the authentication token]

Advantages of Maven Integration

  • Availability: integrating the sonar scanner as a plugin makes the code review stage available in any Maven build and in the continuous integration tool.
  • Flexible: the phase of the build cycle at which the analysis is carried out can be configured. This is specified with a Maven property:
[Image: -Dsonar… property selecting the analysis phase]
  • Module Exclusion: certain modules can be skipped by defining a property in the module's pom.xml as follows:
[Image: module exclusion property in pom.xml]
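The following pom.xml is an added example, not a snippet from the original post. It brings together the Maven pieces described above: the sonar scanner plugin declared in the build, a profile carrying the SonarQube server URL, and a multi-module layout in which one module is excluded from analysis. The coordinates (`com.example:demo-parent`), the module names, the server URL and the plugin version are assumptions chosen for illustration.

```xml
<!-- Added example (not from the original post): parent pom.xml for a
     two-module project analysed by SonarQube. Coordinates, module names,
     the server URL and the plugin version are assumed values. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-parent</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <modules>
    <module>core</module>
    <!-- Hypothetical module holding generated code; excluded from analysis
         by <sonar.skip>true</sonar.skip> in generated-stubs/pom.xml. -->
    <module>generated-stubs</module>
  </modules>

  <build>
    <plugins>
      <!-- SonarScanner for Maven. Declaring it in <build><plugins> lets
           "mvn sonar:sonar" resolve the "sonar" prefix without a
           <pluginGroup> entry in settings.xml. Pin the version so every
           build and every CI agent runs the same scanner. -->
      <plugin>
        <groupId>org.sonarsource.scanner.maven</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>3.9.1.2184</version>
      </plugin>
    </plugins>
  </build>

  <profiles>
    <!-- Profile carrying the server URL; activate with -Psonar. -->
    <profile>
      <id>sonar</id>
      <properties>
        <!-- Placeholder URL for the internal SonarQube server. -->
        <sonar.host.url>https://sonarqube.example.internal</sonar.host.url>
        <!-- Deliberately no sonar.login here: a token committed to pom.xml
             is copied into every clone and stays in the Git history. -->
      </properties>
    </profile>
  </profiles>
</project>
```

To exclude the `generated-stubs` module, its own pom.xml carries `<properties><sonar.skip>true</sonar.skip></properties>`. The analysis is then run from the directory holding the parent pom with `mvn -Psonar verify sonar:sonar -Dsonar.login=$SONAR_TOKEN`, where the token is supplied from an environment variable or a CI secret at run time rather than written into any file under version control. If the plugin is not declared in the pom, a `<pluginGroup>org.sonarsource.scanner.maven</pluginGroup>` entry in settings.xml makes the `sonar:sonar` prefix resolvable instead.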


However, these tools can be time-consuming during the development phase, so including the code review process in the CI/CD pipeline early is the ideal way to enable it.

SonarQube with Jenkins

The Jenkins integration offers several features that enhance the CI/CD pipeline. The sonar scanner is integrated and configured in Jenkins as shown in the diagram below. After configuration, Execute SonarQube Scanner must be added as a build step in the job configuration. The analysis is then carried out whenever code is committed, or at a scheduled time.

[Image: SonarQube scanner configuration in Jenkins]

Advantages of Jenkins Integration

  • QualityGate: one of the key features of the SonarQube-Jenkins integration is the QualityGate. A QualityGate in SonarQube is a set of conditions that must be fulfilled for the project to be marked as passed, with a threshold defined for each condition. The pipeline can be paused until the QualityGate report is obtained. The report is declared failed if the thresholds are not met, and a failed QualityGate ensures that the pipeline does not continue to the further stages, conserving overall efficiency.
[Image: QualityGate]
  • Centralised: a central store is created for all configuration related to the SonarQube server and for the configuration done in Jenkins to enable the sonar scanner. This avoids repeatedly configuring the sonar scanner.
  • Continuous Inspection: the SonarQube integration with Jenkins promotes continuous inspection. Improvements in the code can be tracked, and the change in the metrics considered by the QualityGate can be analysed with each review. The overall evolution of the code can be recorded.
  • Maven build is not essential: SonarQube with Jenkins is beneficial for code that does not require a Maven build. Installing and configuring the SonarQube Scanner alone is sufficient, which extends continuous inspection and improvement to other project types.
  • Scheduled Analysis: SonarQube analysis can be aligned with the scheduled build triggers in Jenkins. The analysis triggered by a code commit in Source Code Management (SCM) can be skipped, and the review carried out instead before the build is triggered at the scheduled time.
  • Flexible: integrating SonarQube also provides the flexibility to incorporate and trigger build actions according to the user's requirements. Jenkins can also configure the SonarQube analysis as a post-build step.
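The Jenkinsfile below is an added example and not code from the original post. It shows, as a declarative pipeline, the sequence the section describes: the Maven goal is run with the server URL and token injected by Jenkins, the pipeline waits for the QualityGate, and deployment is reached only if the gate passed. It assumes the SonarQube Scanner for Jenkins plugin is installed, that a server entry named `SonarQube` (a placeholder name) exists under the Jenkins system configuration with its analysis token stored as a Jenkins credential, and that SonarQube has a webhook pointing back at Jenkins, which `waitForQualityGate` relies on.

```groovy
// Added example (not from the original post): declarative Jenkinsfile.
// Assumes the "SonarQube Scanner for Jenkins" plugin, a server entry named
// 'SonarQube' (placeholder) whose token lives in the Jenkins credential
// store, and a webhook in SonarQube targeting <jenkins-url>/sonarqube-webhook/.
pipeline {
    agent any

    stages {
        stage('Build and unit tests') {
            steps {
                // Compile and test first so coverage reports exist when the
                // scanner runs; -B keeps Maven output non-interactive.
                sh 'mvn -B clean verify'
            }
        }

        stage('SonarQube analysis') {
            steps {
                // withSonarQubeEnv exports the server URL and the analysis token
                // for the Maven scanner and masks the token in the console log.
                // The token therefore never appears in the Jenkinsfile or the
                // repository. The goal is fully qualified so it resolves even
                // when the pom does not declare the plugin.
                withSonarQubeEnv('SonarQube') {
                    sh 'mvn -B org.sonarsource.scanner.maven:sonar-maven-plugin:sonar'
                }
            }
        }

        stage('Quality gate') {
            steps {
                // Pause until SonarQube pushes the gate status via its webhook.
                // abortPipeline: true stops the run on a failed gate, so the
                // deploy stage is never reached. The timeout prevents a lost
                // webhook from leaving the build hanging indefinitely.
                timeout(time: 10, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }

        stage('Deploy') {
            steps {
                // Reached only when the quality gate passed.
                sh 'echo "deploying build ${BUILD_NUMBER}"'  // placeholder for the real deployment step
            }
        }
    }
}
```

The same approach works for a project without a Maven build by replacing the `sh 'mvn …'` line inside `withSonarQubeEnv` with the command-line scanner, while the QualityGate stage stays unchanged.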

It follows from the above that SonarQube in Jenkins has several added features that enhance the CI/CD pipeline. Including SonarQube in the Maven build can be beneficial from a developer's standpoint, as it allows certain modules to be excluded from the analysis, but the developer must then also ensure that the code performance is optimal; integrating it in Jenkins offers several further benefits. The Jenkins integration provides centralised data along with the QualityGate filter for gating the build process, and making the pipeline depend on the QualityGate ensures optimum software quality. This approach also promotes continuous inspection by providing a history of the analysis results and the overall improvement in code quality with each analysis. Lastly, the Jenkins integration is sustainable, as the plugin can analyse projects that have no Maven build.

Blog Author

Narayana Rallabandi

VP and Senior Principal Architect
