In the past year as a Technical Leader at Santander I have seen several a lot of code challenges submitted by applicants. All of them were small apps with one explicit requirement. Submit an app that makes you are comfortable to put in production.
Most of these apps where written in Java, others in Node.js and a few in Kotlin. And most (if not all) of them, shared a single missing point. Static Code Analysis.
Submit an app that makes you comfortable to put in production.
Static Code Analysis
So what is Static Code Analysis and why it’s important for production-ready software development.
Static Code Analysis, a.k.a. Source Code Analysis, is a type of analysis that addresses weaknesses that may lead to vulnerabilities. It automates a task that can be done in a deep code review, but also allows a much richer analysis. For example, duplicate code detection, coverage and quality of unit tests, bad practices, known vulnerabilities, etc.
There is such thing as Dynamic Code Analysis, in contrast to Static, and the main different is when this analysis is done. Is Dynamic the analysis is done after the program runs (during testing, for example) and in Static it is done before (unit testing and source code).
The best thing about Static Code Analysis is that it’s super easy to integrate in your development processes, either in a CI (Continuous Delivery) or a Git Hook (pre-push, for example).
Straight to the point
We will see in this post how to add a Maven task for a Java project, and do some Static Code Analysis using SonarQube Community Edition. No fancy hardware is needed, no cloud computing or VPS, just your machine which should be able to run SonarQube locally using Docker.
Adding SonarQube to a Maven project
First of all we will add the Jacoco and Sonar plugins to the project’s pom.xml.
<plugin> <groupId>org.sonarsource.scanner.maven</groupId> <artifactId>sonar-maven-plugin</artifactId> <version>18.104.22.1681</version> </plugin> <plugin> <groupId>org.jacoco</groupId> <artifactId>jacoco-maven-plugin</artifactId> <version>0.8.6</version> </plugin>
Also, we will add Maven Compiler Plugin (if it’s not already present)
<plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-compiler-plugin</artifactId> <version>3.8.1</version> </plugin>
At the project’s level we will add a profile.
<profiles> <profile> <id>coverage</id> <activation> <activeByDefault>true</activeByDefault> </activation> <build> <plugins> <plugin> <groupId>org.jacoco</groupId> <artifactId>jacoco-maven-plugin</artifactId> <executions> <execution> <id>prepare-agent</id> <goals> <goal>prepare-agent</goal> </goals> </execution> <execution> <id>report</id> <goals> <goal>report</goal> </goals> </execution> </executions> </plugin> </plugins> </build> </profile> </profiles>
SonarQube will perform static code analysis based on some output files that Maven will produce when running a specific task, but prior to that, we need a working SonarQube Server.
Then pull the latest SonarQube image, and bind the internal port 9000 to your local machine port 9000.
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
Once it completes successfully, open your browser and login into http://localhost:9090 with the default credentials:
- login: admin
- password: admin
Create a new application and register for a Project ID and a Project Token. For more information about this, check this quick guide.
Putting all together
Once your application is created in SonarQube dashboard, and you have a valid token, run the following maven task.
mvn clean verify sonar:sonar -Dsonar.projectKey=<ProjectID> \ -Dsonar.host.url=http://localhost:9000 \ -Dsonar.login=<ProjectToken>
Where <ProjectID> and <ProjectToken> where just created. When the target finished executing, you will see the link to your project’s report on the output.
ANALYSIS SUCCESSFUL, you can browse http://localhost:9000/dashboard?id=com.project
You will see in your project’s dashboard information about your code quality similar to the one in the following screenshots.