1. Overview
SonarQube is a self-managed static code analysis tool for continuous codebase inspection provided by SonarSource.
It’s a popular choice used by organizations to :
- Finding and fix bugs and security vulnerabilities in code.
- Analyze code with Static Application Security Testing (SAST).
- Detect a broad range of security issues such as SQL injection vulnerabilities, cross-site scripting (XSS) code injection attacks, buffer overflows, authentication issues, cloud secrets detection and much more.
- Perform branch analysis to spot and eliminate bugs.
You can read more at https://www.sonarsource.com/lp/products/sonarqube/static-code-analysis/
In this article we will look at how to add Coverage to your Spring Boot and Java application.
2. Integrating Sonarqube to your spring boot project
- Add JaCoCo plugin to your dependencies on the
pom.xml
file as follows:
<dependency>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>0.8.11</version>
</dependency>
Enter fullscreen mode Exit fullscreen mode
Work with the version of choice , you can search at Maven Central https://central.sonatype.com/artifact/org.jacoco/jacoco-maven-plugin
- Then add the following under build plugins:
<build>
<plugins>
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>0.8.11</version>
<executions>
<execution>
<id>prepare-agent</id>
<goals>
<goal>prepare-agent</goal>
</goals>
</execution>
<execution>
<id>report</id>
<goals>
<goal>report</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
Enter fullscreen mode Exit fullscreen mode
There is a very good post at https://community.sonarsource.com/t/coverage-test-data-importing-jacoco-coverage-report-in-xml-format/12151 that explains importing JaCoCo coverage report in XML format.
And voila, that’s all you need to do.
3. Testing
- Download and run sonarqube via docker:
docker run -d -p 9000:9000 sonarqube
Then access the dashboard at : http://localhost:9000
-
Back at your project directory run
mvn clean install
to build your code thenmvn sonar:sonar
to sync to sonarqube. -
Back at your sonar dashboard you will see your coverage info as follows:
4. Caveat
- To exclude packages or files from the coverage add them as following in the properties section of your
pom.xml
:
<properties>
<java.version>21</java.version>
<jacoco.version>0.8.11</jacoco.version>
<sonar.exclusions>**/schemas/**,**/config/**</sonar.exclusions>
<sonar.coverage.exclusions>**/schemas/**,**/config/**</sonar.coverage.exclusions>
</properties>
Enter fullscreen mode Exit fullscreen mode
Run mvn clean install
then mvn sonar:sonar
and your coverage will update. If a devops pipeline is set, just push your changes and you will see them at your sonarqube dashboard.
- You can also add the Sonarlint plugin/extension to your IDE or Code Editor to allow you catch most of the issues before you commit or build.
暂无评论内容