SonarQube: study of code quality

In order to have better visibility over the many PHP projects in place, to make production as reliable as possible and to continue establishing good practices, I installed the SonarQube tool on our development environment. I have only played with it a little so far, but my first impression is that I am quite amazed by how much it picks up, and I think it can be a very useful tool to adopt and generalize across our development projects.

Server Installation

Installing SonarQube is quite simple and well described in the documentation or by following this link (for Ubuntu). In summary, you need to create an empty database with a user assigned to it. Then download the archive, extract it and edit the configuration file (conf/sonar.properties) to enter the database access parameters.
If necessary, you can also change the port used by the web interface (9000 by default) and, if you want one, the context path that follows the server name in the URL. Then remember to copy the JDBC driver into the extensions/jdbc-driver folder under the SonarQube installation root.
On my side, I had a problem launching the service the first time after installation, quite simply because I had made a mistake in the database name in the JDBC URL pointing at my MySQL database.
Note that the tool does not run as a service by default (and will therefore not start with the OS), but the installation link I give above describes the few steps needed to run it as a service. Since conf/sonar.properties contains the database password, run SonarQube under a dedicated unprivileged account and make that file readable only by that account.
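The server-side steps above, as an added example that is not part of the original article: the database and user creation, the JDBC URL built from the same variable so the name cannot be mistyped, and the conf/sonar.properties entries. The property names are the SonarQube 4.x-era keys; SONAR_HOME, the database name, the database user and the password are placeholders to adapt.

```shell
#!/bin/sh
# Added example, not from the original article: the MySQL-backed SonarQube 4.x
# setup described above, done as reusable shell functions. Property names are the
# conf/sonar.properties keys of that era; SONAR_HOME, the database name, the
# database user and the password are placeholders to adapt.

SONAR_HOME="${SONAR_HOME:-/opt/sonarqube}"
SONAR_DB="${SONAR_DB:-sonar}"
SONAR_DB_USER="${SONAR_DB_USER:-sonar}"
SONAR_DB_PASS="${SONAR_DB_PASS:-change-me}"

# SQL for the empty database and a user whose grants stop at that database.
sonar_db_sql() {
  printf '%s\n' \
    "CREATE DATABASE \`$SONAR_DB\` CHARACTER SET utf8 COLLATE utf8_general_ci;" \
    "CREATE USER '$SONAR_DB_USER'@'localhost' IDENTIFIED BY '$SONAR_DB_PASS';" \
    "GRANT ALL ON \`$SONAR_DB\`.* TO '$SONAR_DB_USER'@'localhost';" \
    "FLUSH PRIVILEGES;"
}

# The JDBC URL is built from the same variable the database was created with,
# which rules out the name mismatch that kept the service from starting.
sonar_jdbc_url() {
  printf 'jdbc:mysql://localhost:3306/%s?useUnicode=true&characterEncoding=utf8' "$SONAR_DB"
}

# Pre-flight check for a hand-edited URL: the database it names must be ours.
check_jdbc_url() {
  db=$(printf '%s' "$1" | sed -n 's#^jdbc:mysql://[^/]*/\([^?]*\).*#\1#p')
  [ "$db" = "$SONAR_DB" ]
}

# Append the database and web settings to conf/sonar.properties.
# Port and context path are the two knobs mentioned above; the context is
# empty by default, so the UI answers on http://host:9000/.
write_sonar_properties() {
  conf="$1"
  {
    printf 'sonar.jdbc.username=%s\n' "$SONAR_DB_USER"
    printf 'sonar.jdbc.password=%s\n' "$SONAR_DB_PASS"
    printf 'sonar.jdbc.url=%s\n' "$(sonar_jdbc_url)"
    printf 'sonar.web.port=%s\n' "${SONAR_WEB_PORT:-9000}"
    printf 'sonar.web.context=%s\n' "${SONAR_WEB_CONTEXT:-}"
  } >> "$conf"
  chmod 600 "$conf"   # the file now holds the database password
}

# Not exercised by the checks below: create the database, write the config,
# drop in the MySQL JDBC driver and hand the tree to an unprivileged account.
install_sonar() {
  driver_jar="$1"   # path to the MySQL JDBC driver jar
  sonar_db_sql | mysql -u root -p
  check_jdbc_url "$(sonar_jdbc_url)"
  write_sonar_properties "$SONAR_HOME/conf/sonar.properties"
  cp "$driver_jar" "$SONAR_HOME/extensions/jdbc-driver/"
  id sonar >/dev/null 2>&1 || useradd -r -s /usr/sbin/nologin sonar
  chown -R sonar:sonar "$SONAR_HOME"
}
```

Run install_sonar with the path to the driver jar after setting SONAR_HOME and the SONAR_DB_* variables; the mysql call prompts for the root password. Registering the service itself follows the Ubuntu link above and is not repeated here.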

Plugins

A number of plugins can be added to the server. As an administrator, you can see the list of plugins available for your installation under Settings > System > Update Center. For my part, I installed the PHP, JavaScript, CSS and Flex plugins, which correspond to the technologies we use in our developments. I also installed the LDAP plugin so that logins can be handled with Active Directory accounts, but I have not yet connected SonarQube to AD.

Installation of the analysis tool (sonar-runner)

You now have a working server and can start analyzing your projects. To do this, you must first install the tool that scans your projects and connects to the SonarQube server to store the data it has collected. The analysis tool is called sonar-runner; if you are on Ubuntu you can follow this link for installation details. The configuration is very simple: you give it the URL of the web interface, the JDBC URL and the database user. Note that with this setup every machine that runs analyses holds the database credentials in its sonar-runner.properties, so protect that file the same way as the server configuration rather than sharing it around the team.

Analysis of a project

To analyze a project, you must create a configuration file named “sonar-project.properties” at the project root. There is an example in the official documentation. Basically, this amounts to giving the project a name and a key, and the path to the sources.

# must be unique in a given SonarQube instance
sonar.projectKey=my:project
# this is the name displayed in the SonarQube UI
sonar.projectName=My project
sonar.projectVersion=1.0

# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
# Since SonarQube 4.2, this property is optional if sonar.modules is set.
# If not set, SonarQube starts looking for source code from the directory containing
# the sonar-project.properties file.
sonar.sources=.

# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8

Once this file has been created, all you have to do is call sonar-runner from the project root (having previously added its location to your PATH): sonar-runner
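The analysis side, as an added example that is not part of the original article: it covers both the sonar-runner configuration described in the installation section and the sonar-project.properties file above, then runs the analysis from the project root. It assumes the SonarQube 4.x-era setup, where sonar-runner talks to the web interface (sonar.host.url) and directly to the database (sonar.jdbc.*); the host, database name, user, password and the vendor/ and tests/ exclusions are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: analysis-side configuration
# for a PHP project and the sonar-runner call. Assumes the SonarQube 4.x-era
# setup in which sonar-runner needs both the web URL and database access.
# Host, database name, user and password are placeholders.

# Global runner configuration (conf/sonar-runner.properties under the
# sonar-runner install). It carries the database password, so it is written
# without group or world access.
write_runner_properties() {
  conf="$1"
  {
    printf 'sonar.host.url=%s\n' "${SONAR_HOST_URL:-http://localhost:9000}"
    printf 'sonar.jdbc.url=jdbc:mysql://localhost:3306/%s?useUnicode=true&characterEncoding=utf8\n' "${SONAR_DB:-sonar}"
    printf 'sonar.jdbc.username=%s\n' "${SONAR_DB_USER:-sonar}"
    printf 'sonar.jdbc.password=%s\n' "${SONAR_DB_PASS:-change-me}"
  } > "$conf"
  chmod 600 "$conf"
}

# A project key must be unique per SonarQube instance and may only contain
# letters, digits, '-', '_', '.' and ':', with at least one non-digit.
valid_project_key() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9_.:-]*) return 1 ;;
    *[!0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write sonar-project.properties at the project root. Composer dependencies
# (vendor/) and tests/ are excluded so third-party code does not pollute the
# project's own metrics; adapt the exclusions to your layout.
write_project_properties() {
  root="$1"; key="$2"; name="$3"; version="$4"
  valid_project_key "$key" || { echo "invalid project key: $key" >&2; return 1; }
  cat > "$root/sonar-project.properties" <<EOF
sonar.projectKey=$key
sonar.projectName=$name
sonar.projectVersion=$version
sonar.language=php
sonar.sources=.
sonar.exclusions=vendor/**,tests/**
sonar.sourceEncoding=UTF-8
EOF
}

# Read one key back from a properties file (first match wins).
read_property() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Run the analysis from the project root, as described above, keeping the
# runner output in a log next to the project.
run_analysis() {
  root="$1"
  [ -f "$root/sonar-project.properties" ] || { echo "no sonar-project.properties in $root" >&2; return 1; }
  ( cd "$root" && sonar-runner ) > "$root/sonar-runner.log" 2>&1
}
```

Typical use is write_runner_properties once per analysis machine, then write_project_properties and run_analysis per project; a rejected key fails before anything is written, which is cheaper than finding out from the server after a full scan.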

Analysis detail

After running sonar-runner on your various projects, you can go to the SonarQube web interface for the code quality report. The home page gives you a global view of your projects. Everything is configurable via widgets; on my side I put the list of projects on the left with the key indicators (number of lines of code, date of last analysis, duplication rate, number of critical and major errors), and on the right the treemap (each block sized by its number of lines of code and colored according to code coverage).
By clicking on a project, you then get the detail of its code quality. Again, everything is configurable by widget; so far I display the following information:

Dashboard of a project with SonarQube

Tiles give you:

  • the number of lines of code, broken down by files, folders, functions and classes
  • the overall duplication rate, and the breakdown of the duplication into lines, blocks and files
  • the complexity of the project using the McCabe (cyclomatic complexity) metric
  • errors classified by severity (critical, major, minor, info) and an estimate of the technical debt
  • the most frequent errors
  • the analysis history
  • the classification of the errors observed (maintainability, portability, security, usability, etc.)
  • and a whole range of widgets that you can arrange to your taste to build the ideal dashboard

On the subject of errors, you can also dig into the rules and arrange them to your liking, changing the severity level where necessary (or adding development standards specific to you), via the “Quality Profiles” tab. Keep in mind that a profile is per language and that the one marked as default is applied to every project not explicitly assigned another one, so a change there affects all the projects analysed.

Most of the elements in the widgets are clickable and give you the details.

For duplication, for example, you can click through down to the files concerned. Clicking on a file shows its code, with an orange bar in the margin marking duplicated code. Clicking on this orange bar gives the details of the duplication (the line numbers if the lines are duplicated elsewhere in the same file, or a reference to the file containing the same lines), as in the screenshot below:

Detail of code duplication with SonarQube

For errors it is the same. Clicking on the number of errors gives you the detail, which you can filter by language or other criteria, as here:

List of errors with SonarQube

Clicking on an error highlights the line of code concerned, and via the “…” you can open the documentation for the rule, with examples of code that complies with the rule and code that does not.

Analysis Automation

What you may now want is for the analysis to run automatically on a regular basis.
For the moment, I have scheduled a regular scan of my various projects via cron, but it is possible to do much better. I did a quick test with Jenkins, which can monitor a Git repository (see the article on Git and SourceTree on this subject). So it is possible to ask Jenkins to poll the Git repository regularly and launch a SonarQube analysis when the repository has changed (there is a SonarQube plugin for Jenkins). SonarQube can also notify users by email when errors are found. In short, an interesting pipeline to set up; it will be the subject of a later article on this site.
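A cron-driven version of the polling described above, as an added example that is not part of the original article: it re-runs sonar-runner only when the tracked branch has moved since the last analysis, which is roughly what the Jenkins Git polling does. It assumes one dedicated clone per project under a common directory (no local edits), git 1.8.5 or later for the -C option, and a sonar-project.properties already present in each clone; the directory, branch name and crontab schedule are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: analyse a project from cron
# only when its Git branch has moved. Assumes a dedicated clone per project
# (no local changes), git >= 1.8.5 for 'git -C', and that sonar-runner is on
# the PATH of the cron user. Paths and branch names are placeholders.

# State file recording the last commit analysed for a project.
state_file() {
  printf '%s/.sonar-last-analysed' "$1"
}

# Exit status 0 if the given revision differs from the recorded one
# (or nothing has been recorded yet for this project).
needs_analysis() {
  root="$1"; rev="$2"
  f=$(state_file "$root")
  [ -f "$f" ] || return 0
  [ "$(cat "$f")" != "$rev" ]
}

# Record the revision that has just been analysed.
mark_analysed() {
  printf '%s\n' "$2" > "$(state_file "$1")"
}

# Commit at the tip of the tracked branch after fetching from origin.
remote_head() {
  root="$1"; branch="${2:-master}"
  git -C "$root" fetch -q origin "$branch" && git -C "$root" rev-parse "origin/$branch"
}

# Fetch, and analyse only if the branch moved since the last successful run.
# The state file is updated only after sonar-runner succeeds, so a failed
# analysis is retried on the next cron tick.
analyse_if_changed() {
  root="$1"; branch="${2:-master}"
  rev=$(remote_head "$root" "$branch") || { echo "$root: fetch failed" >&2; return 1; }
  if needs_analysis "$root" "$rev"; then
    git -C "$root" checkout -q "$rev" &&
    ( cd "$root" && sonar-runner ) > "$root/sonar-runner.log" 2>&1 &&
    mark_analysed "$root" "$rev"
  fi
}

# Loop over every clone under a common root that has a sonar-project.properties.
# Intended crontab line (placeholder schedule and path):
#   */30 * * * * /usr/local/bin/sonar-cron.sh /var/lib/sonar-projects
analyse_all() {
  for p in "$1"/*/; do
    p="${p%/}"
    if [ -f "$p/sonar-project.properties" ]; then
      analyse_if_changed "$p" || echo "$p: analysis skipped" >&2
    fi
  done
}

if [ $# -eq 1 ]; then
  analyse_all "$1"
fi
```

Because the marker is written only after a successful run, an analysis that fails (server down, bad credentials) is simply retried at the next tick instead of being silently skipped until the next commit.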
