Adventures in DevOps – Static Code Analysis with SonarQube

Posted by

One of my most recent pushes is to leverage a tool called SonarQube. SonarQube is a static code analysis tool that gives you insights into things like code smells, bugs, vulnerabilities, tech debt, and code coverage. Right out of the gate on their website, they advertise themselves as “The leading product for continuous code quality”.

Static Code Analysis?

Why static code analysis at all? Well, we’re all human. We can make mistakes, we can miss problems, we can create bugs in our code, all without even realizing it. These mistakes can be minor to the point of being inconsequential, but sometimes they can be straight up disastrous. If you have, say, a payment processor that you’re coding, bugs can lead to serious immediate financial impact.

In a recent report by Hackerrank, 62.38% of the time, the biggest bug in production is “Deployed untested or broken code”. Static code analysis helps with both of these situations by shedding light on both of these, with code coverage and bug analysis. A lot of the bugs and vulnerabilities that you may have accidentally missed can be identified by a static code analysis tool. Once Identified, you can go and fix those issues before they cause any damage.

Despite not being as urgent as a vulnerability, both code coverage and tech debt can be cause for concern. Even with your application working without bugs, it can still be difficult to manage, and unstable. Metrics on code smell and code coverage are great to be able to take to a manager as leverage to address issues before they’re out of hand. It’s easy to say that some application needs to be refactored or even straight up rewritten, but it’s often hard to prove why.

Having visibility of how long it’ll take to fix your technical debt can help advocate time to do it

Static Code Analysis in DevOps

Enough on the static code analysis, what does it mean for DevOps? A key concept of DevOps is to deliver value to customers fast, which can mean deploying a lot of updates fast. That’s wonderful for a customer, but if your code is bad then that value can be hindered. Thanks for giving me a feature to let me to send another user a message, but if I hit send accidentally before typing the message, the app crashes. This is hyperbole of course, but it’s not unreasonable to think that you could miss a null check that could crash your code.

Depending on your continuous integration server, you can often integrate static code analysis quality gates into your pipeline. By doing so, you can have more confidence over what’s deployed to production, without any additional manual effort. I would usually recommend having this along with a few other manual approval gates, but it depends on what the team looks like that is involved in releasing code (if you are a one-man shop, you have different intentions than a massive enterprise).

Enter SonarQube

As I mentioned before, SonarQube a static code analysis tool that is available either as a standalone server or as a cloud provider (as “SonarCloud”). In this standalone server installation, SonarQube has support for 15 languages (which includes C#, Java, Ruby, Python and more). So, you can analyze a Java project just as you can analyze a C# project, no problem.

The project dashboard of SonarQube provides an at-a-glance view of “Grades” of multiple analytics

SonarQube can perform all of the previously mentioned analytics. To recap, this is analytics on bugs, vulnerabilities (OWASP Top 10, and SANS Top 25), code smells, tech debt, code coverage, and duplicated code. If you have the right tier, you can also do things like code branch analysis. It works great at not just performing the analysis, but also presenting it in a nice an digestible way. High level, it uses color coding and a grading scale to give you an idea of where your project stands, but you can also drill into the individual lines of code that are problematic.

You can drill into individual statistics like Debt and see exactly why things are flagged

How much does it cost? The base server tier is provided as a free and open source solution, so you can easily try out SonarQube without worrying about spending money. If you do open source projects, you can use the cloud provider for free. Paid versions of both are available, with additional features included for the standalone server.

Final Thoughts

I originally started looking for a way to consistently view my code coverage when I ran into SonarQube. After even just a short time trying it out, I realized that it did what I wanted and a whole lot more. Given the low barrier to entry and potential benefit of leveraging SonarQube, I’d recommend at least trying it out to every developer out there. You can do this either by downloading and installing the software locally to try out, or alternatively, run a docker container based on the SonarQube docker image. You might be surprised what turns up when you have a tool actually analyzing your code.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.