SonarQube is an open platform to manage code quality.
Why another tool? Isn't PHPLint, puppet-lint, unit test, ... enough?
SonarQube is not a replacement for those tools, it is a way to improve visibility on what those tools are already reporting or it can replace some of them with its own analysis.
- Persistence: SonarQube brings persistence to you metrics, which brings a way to see their evolution over time.
- Quality Gates: Quality Gates let you define rules on what quality is acceptable. Compared to most tools, those rules can be of higher level and be aware of the history of the project. For example, we can define a rule that "Number of critical issues since last version has not increased", or "Unit tests on new code must have a branch coverage > 40%".
Most of our code has a history. Not always a happy one. We have ton of code that is ugly, but which has been working just fine in production for the last X years. Investing on that code is probably not worth it. We should instead focus on new code, on code that we touch regularly.
Proof of Concept
A good demo is worth more than any Wiki page. A PoC SonarQube instance is available on labs.
This is a PoC. It is not industrialized. It uses a crappy in memory database for its storage. Data will be lost. That being said, feel free to play with it.
- You need the SonarQube scanner installed (see link at the top of its documentation page).
- create a `sonar-project.properties` file at the root of your project:
sonar.host.url=http://sonarqube-poc.wmflabs.org/ sonar.projectKey=<ID of your project> sonar.projectName=<name of your project> sonar.projectVersion=<version of your project> sonar.sources=<path to the sources>
- run the analysis with
There are a lot more options to tune where your sources are, exclusions of some directories, integration of unit test results, ... but this should get you started.
To get faster feedback during development, there are plugins for Eclipse, IntelliJ and CLI.
Where do we go from here?
If there is any interest in moving forward, there are a few things we could do (in no particular order):
- install SonarQube on a real database
- integrate authentication with LDAP
- run analysis as part of continuous integration
- integrate analysis of unit tests
- configure quality profiles and quality gates
- integration with mediawiki/vagrant