
SonarQube static code analysis setup tips

Writing quality code is always important, and just as important is validating that the code really is of good quality. There are multiple tools and options that can scan your code base, report on its quality, and suggest fixes.

 

One option is to use "SonarQube" static code analysis to do this for you. Today I will share a few tips on setting up the free, open-source SonarQube Community Edition for your code base.

 

  • Community Edition does not support pull request analysis. Instead, set it up for your main/master branch and configure your CI pipeline to trigger a scan whenever code is merged or pushed to that branch.
  • I recommend using an "Ubuntu" instance for the SonarQube server rather than another Linux distribution, because you may hit installation errors when following the SonarQube documentation on other Linux distributions, while the same steps work on "Ubuntu".
  • To run a SonarQube instance, a few minimum settings are required: the maximum map count (memory) and the number of open files and threads. To apply these changes permanently on your "Ubuntu" instance, use the steps below. You can also set them for the current session only, but those values are lost whenever the system reboots.

 

#Update the minimum number of files and the thread limit the sonarqube user may open/use
sudo nano /etc/security/limits.conf

#Insert the lines below into the file and save (CTRL+O, CTRL+X).
sonarqube   -   nofile   65536
sonarqube   -   nproc    4096

#Update max_map_count (memory):
sudo nano /etc/sysctl.conf

#Insert the line below into the file and save (CTRL+O, CTRL+X).
vm.max_map_count=262144
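Editing the two files by hand works, but on a rebuilt or cloned host it is easy to end up with duplicate entries or to forget that sysctl.conf is only read at boot. The script below is an added example (not from the original post) that applies the same three settings idempotently and then checks the live kernel value; it assumes the service account is named "sonarqube" as in the post, and the file paths are parameters so the functions can be exercised against scratch files.

```shell
#!/bin/sh
# Added example, not part of the original post: idempotently apply the
# limits.conf and sysctl.conf settings described above, then verify the
# running kernel actually has the map count. Assumes the SonarQube
# service account is "sonarqube"; file paths default to the real ones
# but can be overridden (used for testing against scratch files).

# Append LINE to FILE only if an identical line is not already there,
# so re-running after a reboot or on a fresh host never duplicates it.
ensure_line() {
    file=$1
    line=$2
    if grep -Fxq -- "$line" "$file" 2>/dev/null; then
        return 0            # already present, nothing to do
    fi
    printf '%s\n' "$line" >> "$file"
}

# Return 0 when CURRENT is at least REQUIRED (integer comparison).
meets_minimum() {
    [ "$1" -ge "$2" ] 2>/dev/null
}

# Write the three persistent settings from the post.
apply_sonar_limits() {
    limits=${1:-/etc/security/limits.conf}
    sysctl_conf=${2:-/etc/sysctl.conf}
    ensure_line "$limits" "sonarqube   -   nofile   65536"
    ensure_line "$limits" "sonarqube   -   nproc    4096"
    ensure_line "$sysctl_conf" "vm.max_map_count=262144"
}

# sysctl.conf is only read at boot, so check the live value; a fresh
# edit without `sysctl -w` (or a reboot) still leaves the old value.
check_max_map_count() {
    current=$(sysctl -n vm.max_map_count 2>/dev/null || echo 0)
    meets_minimum "$current" 262144
}

# Usage (as root): ./sonar-limits.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_sonar_limits
    sysctl -w vm.max_map_count=262144
    if check_max_map_count; then
        echo "vm.max_map_count OK"
    else
        echo "vm.max_map_count is still below 262144" >&2
    fi
fi
```

Run it once with `--apply` after installation and again after any rebuild; the second run is a no-op for the files, and `check_max_map_count` tells you whether the kernel value is really in effect rather than only written to disk.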

 

  • Once you finish the installation/setup of SonarQube, you start and stop the SonarQube service with the "./sonar.sh start/stop" command, and you must run it as the SonarQube user you used for the installation. It is therefore better to configure a systemctl service for SonarQube, so that you can start it as root or any other user. This also lets the service start and stop automatically on system reboot, so you do not need to start it manually. Follow the steps below:

 

#Make sure you first stop SonarQube. To stop it:

#SonarQube installed path
cd /opt/sonarqube/bin/linux-x86-64/

#Run the script to stop SonarQube
./sonar.sh stop

#Exit from the sonarqube login user
exit

#Now create a systemd service file so SonarQube runs at system startup.
sudo nano /etc/systemd/system/sonar.service

#Type the content below and save the file. Note - make sure you update the User and Group values below to the Ubuntu user and group you created for SonarQube during installation.
[Unit]
Description=SonarQube service
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop

User=sonarqubeuser
Group=sonarqubegroup

Restart=always

LimitNOFILE=65536
LimitNPROC=4096

[Install]
WantedBy=multi-user.target

#Once the file above is saved, start the SonarQube daemon by running:
sudo systemctl start sonar

#Enable the SonarQube service to start automatically at boot time.
sudo systemctl enable sonar

#Check whether the sonarqube service is running:
sudo systemctl status sonar
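The security-relevant parts of that unit are `User=`/`Group=` (SonarQube must not run as root) and the `LimitNOFILE`/`LimitNPROC` lines, which must match what was put in limits.conf or the service will hit the same resource errors under systemd. The script below is an added example (not from the original post or the SonarQube project) that checks a unit file for those properties before you `systemctl enable` it. The sample unit it writes is constructed to mirror the one above; point `check_sonar_unit` at `/etc/systemd/system/sonar.service` on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a SonarQube
# systemd unit before enabling it. Verifies the service runs as a
# dedicated non-root account, that the file-descriptor and process
# limits are at least the values from limits.conf, that Type=forking
# (sonar.sh daemonizes) and that ExecStart calls "sonar.sh start".

# Read KEY=VALUE from a unit file; the last occurrence wins, as systemd does.
unit_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Return 0 if the unit passes every check; each failure goes to stderr.
check_sonar_unit() {
    unit=$1
    rc=0
    user=$(unit_value "$unit" User)
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "FAIL: User must be a dedicated non-root account" >&2; rc=1
    fi
    for pair in "LimitNOFILE 65536" "LimitNPROC 4096"; do
        key=${pair% *}; want=${pair#* }
        have=$(unit_value "$unit" "$key")
        case $have in
            ''|*[!0-9]*) echo "FAIL: $key missing or not numeric" >&2; rc=1 ;;
            *) [ "$have" -ge "$want" ] || { echo "FAIL: $key must be >= $want" >&2; rc=1; } ;;
        esac
    done
    case $(unit_value "$unit" ExecStart) in
        *"/sonar.sh start") ;;
        *) echo "FAIL: ExecStart should call sonar.sh start" >&2; rc=1 ;;
    esac
    [ "$(unit_value "$unit" Type)" = "forking" ] \
        || { echo "FAIL: sonar.sh daemonizes, so Type must be forking" >&2; rc=1; }
    return $rc
}

# Constructed sample mirroring the unit in the post. USER and GROUP are
# parameters so a deliberately wrong variant (e.g. root) can be produced.
write_sample_unit() {
    cat > "$1" <<EOF
[Unit]
Description=SonarQube service
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
User=$2
Group=$3
Restart=always
LimitNOFILE=65536
LimitNPROC=4096

[Install]
WantedBy=multi-user.target
EOF
}

# Usage: ./check-sonar-unit.sh /etc/systemd/system/sonar.service
if [ -n "${1:-}" ]; then
    check_sonar_unit "$1" && echo "OK: $1"
fi
```

Because `unit_value` takes the last occurrence of a key, a drop-in or a stray second `User=root` line lower in the file is caught rather than masked by an earlier correct value.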

 

  • The SonarQube UI runs on default port "9000"; make sure this port is allowed as an inbound rule in your security group / firewall.
  • When you add a project in SonarQube for scanning, it gives you a few commands that you can also use to trigger a scan from your local system, provided you can reach the SonarQube URL and have a token to use with the commands. You will find the commands next to the project during setup:

 

To run the commands given above, open CMD, navigate to the directory containing the project's solution file, and run the commands one by one,

  • where the first command only needs to be run the first time.
  • To "add a next/new project", you do not need to add it from the SonarQube UI (you can, of course), but you can also do it with the same commands: just change the project name in the command and run all the same commands from the new project's directory.
  • When you add a project for scanning, by default it uses SonarQube's built-in quality profile, in which you cannot remove or disable rules. It is recommended to create a new profile by copying the existing built-in one and then apply it to your project.

  • To apply this new custom profile, go to your project, open the project settings menu, select the "quality profile" option and change the profile to the one you created. Note - the new profile takes effect on the next scan run.

  • To trigger a SonarQube scan automatically on every new commit/code push to the main/master branch, you can put the same commands you used above for the manual trigger in your CI pipeline. In the screenshot below, I have created an Azure pipeline for this:
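The commands themselves are not reproduced on this page, so the wrapper below is an added example (not the post's pipeline and not SonarQube's own tooling). It assumes the SonarScanner for .NET ("dotnet sonarscanner"), since the post scans from a solution file, and it assumes the scanner accepts `/d:sonar.token` (older scanner versions use `/d:sonar.login` instead). The point it demonstrates is secret handling in CI: the token and server URL are read from `SONAR_TOKEN` and `SONAR_HOST_URL` (assumed variable names, to be injected as secret pipeline variables), the project key is validated before it reaches the shell, and the dry-run output masks the token so it never lands in build logs.

```shell
#!/bin/sh
# Added example, not from the original post: CI wrapper for the manual
# scan commands. Assumes SonarScanner for .NET ("dotnet sonarscanner")
# and that it accepts /d:sonar.token (older versions: /d:sonar.login).
# SONAR_TOKEN and SONAR_HOST_URL are assumed environment variable names
# that the pipeline injects as secret variables.

# Validate a project key: letters, digits and - _ . : only, so a value
# coming from a pipeline variable cannot carry shell metacharacters.
valid_project_key() {
    case $1 in
        '') return 1 ;;
        *[!A-Za-z0-9_.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Mask a token for log output, keeping only its first 4 characters.
redact() {
    printf '%.4s****\n' "$1"
}

# Run the begin/build/end sequence, or with DRY_RUN=1 only print it
# (token masked). Returns 1 without running anything if inputs are missing.
run_sonar_scan() {
    key=$1
    [ -n "${SONAR_TOKEN:-}" ]    || { echo "SONAR_TOKEN is not set" >&2; return 1; }
    [ -n "${SONAR_HOST_URL:-}" ] || { echo "SONAR_HOST_URL is not set" >&2; return 1; }
    valid_project_key "$key"     || { echo "invalid project key: $key" >&2; return 1; }

    if [ "${DRY_RUN:-0}" = "1" ]; then
        # Show the plan with the secret masked; never wrap the real call in `set -x`.
        echo "dotnet sonarscanner begin /k:\"$key\" /d:sonar.host.url=\"$SONAR_HOST_URL\" /d:sonar.token=\"$(redact "$SONAR_TOKEN")\""
        echo "dotnet build"
        echo "dotnet sonarscanner end /d:sonar.token=\"$(redact "$SONAR_TOKEN")\""
        return 0
    fi

    # Real run: the token is passed on the command line of a child process
    # only, never echoed. The build must sit between begin and end.
    dotnet sonarscanner begin /k:"$key" /d:sonar.host.url="$SONAR_HOST_URL" /d:sonar.token="$SONAR_TOKEN" || return 1
    dotnet build || return 1
    dotnet sonarscanner end /d:sonar.token="$SONAR_TOKEN"
}

# Usage in a pipeline step (first-time install kept separate, as the post notes):
#   dotnet tool install --global dotnet-sonarscanner
#   SONAR_TOKEN=... SONAR_HOST_URL=http://<sonar-host>:9000 ./sonar-scan.sh my-project-key
if [ -n "${1:-}" ]; then
    run_sonar_scan "$1"
fi
```

Run it with `DRY_RUN=1` first in a new pipeline to confirm the rendered commands (and the masking) before giving the job a real token; a missing variable fails the step before any scanner process is started.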

 

Categories/Tags: sonarqube~sonar qube
