SonarQube is a fantastic open source tool suite to help you review and measure the quality of your source code. It covers a wide range of programming languages (20+), supports multiple projects and can be set up as part of your continuous integration pipeline.
In this first post, we are going to look at how to quickly set up SonarQube locally using Docker to analyse a code repository on your machine.
- You need to have Docker installed on your machine. If you don’t have it already, you can download the community edition from Docker’s website.
- The next thing you want to install is the Java Development Kit. This is needed for the SonarQube scanner, a tool we are going to use later to run the analysis on the source code. You can download the Java SE Development Kit from its download page.
- The last thing you need is to set up a Docker account so we can use it to pull images.
Run SonarQube with Docker
You can certainly install SonarQube locally using the downloadable distribution to get started, or even set up a SonarQube server. However, to speed up the process, I recommend using Docker.
At this point you should have Docker installed and running. Open the command line and run this Docker command to pull the official SonarQube image and start the container.
docker pull sonarqube
docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 sonarqube
Now you can browse to http://localhost:9000 to view SonarQube’s web interface. From here you can manage all your projects and review the results of the analysis. Go ahead and log in using admin/admin, the default username and password.
Unless you specify otherwise, when you run the container the official SonarQube image relies on an embedded H2 database that is not recommended for production environments. It is completely fine to use it locally, however, so you can ignore the red warning. In a follow-up post we will see how to use a PostgreSQL database for a production environment.
When you start SonarQube for the first time, it will walk you through a tutorial to generate a token, which we will use in our commands for authentication. Make sure that you save the token somewhere safe.
Let’s go ahead and create two projects, one called dotnet-core and the other dotnet-framework, as we will be analysing one .NET Core project and one .NET Framework project on a Mac. You can certainly do the same on Windows.
Use the Project Management link under Administration to create additional projects.
Scan Some .NET Core Code
Since we are using SonarQube locally, we need to manually trigger a scan for the .NET project. In a continuous integration environment, this should be set up to trigger automatically so you don’t need to worry about it every time.
To analyse the .NET Core project, you will need to install the .NET Core SonarScanner for MSBuild. The SonarScanner for MSBuild is the recommended way to launch a SonarQube analysis for projects/solutions that use MSBuild or the dotnet command as the build tool. You can download it from the website, and yes, it runs on a Mac, which is what I am using.
Once you download the zip file, uncompress it and save the tool in a place that you can remember. Open the command line, and browse to your .NET core project folder.
The Begin step
This step is needed to prepare the project for analysis.
dotnet ~/Dev/tools/sonarqube-msbuild/SonarScanner.MSBuild.dll begin /k:"dotnet-core" /d:sonar.host.url="http://localhost:9000" /d:sonar.login="4b4a50a935ff0ae089d51abd2986a5057043f850"
You specify the location of the SonarQube Scanner for MSBuild, the project key “dotnet-core”, the SonarQube URL and the login token created earlier.
The Build step
The End Step
The final command simply analyses the binaries and posts the results to SonarQube.
dotnet ~/Dev/tools/sonarqube-msbuild/SonarScanner.MSBuild.dll end /d:sonar.login="4b4a50a935ff0ae089d51abd2986a5057043f850"
Analyse the Results
Browse to the dotnet-core project and you should see the results immediately.
From here you can review reliability, security, maintainability, coverage and many other metrics about your application.
Bonus: Scan Some .NET Framework Code
If you have followed along and have the setup as described in the previous steps, you can even analyse full .NET Framework applications from a Mac using Mono. The commands are fairly similar. In this example, I’ll analyse a simple Console application. If you are on Mac or Linux, you need to download the Mono binaries. Mono is also needed for the scanner tool, as it is an executable (.exe).
The first step is identical, with the exception of the project key and the use of mono instead of the dotnet CLI.
mono ~/Dev/tools/sonarqube-msbuild/SonarQube.Scanner.MSBuild.exe begin /k:"dotnet-framework" /d:sonar.host.url="http://localhost:9000" /d:sonar.login="4b4a50a935ff0ae089d51abd2986a5057043f850"
The second command is different, as we will use MSBuild instead of the dotnet CLI.
And finally we execute the end step using mono.
mono ~/Dev/tools/sonarqube-msbuild/SonarQube.Scanner.MSBuild.exe end /d:sonar.login="4b4a50a935ff0ae089d51abd2986a5057043f850"
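The begin/build/end sequence above, for both the .NET Core and the .NET Framework variant, as one script. This is an added example, not code from the original post or from SonarSource: it reads the token from a SONAR_TOKEN environment variable instead of pasting it into each command, so the token never lands in shell history, and it masks the token when echoing the commands it runs. The scanner path, `dotnet build` as the build step, and the `msbuild` command for the Mono variant are assumptions you can override through the environment.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the begin/build/end sequence as one
# script. The token comes from SONAR_TOKEN rather than the command line you type,
# so it stays out of shell history; it is still visible to `ps` on the local
# machine while the scanner runs, which is acceptable for a personal workstation.
# Assumed defaults (override via environment): the scanner path and host below,
# `dotnet build` for .NET Core; for .NET Framework on a Mac set
# SCANNER="mono $HOME/Dev/tools/sonarqube-msbuild/SonarQube.Scanner.MSBuild.exe" BUILD_CMD="msbuild".
set -eu

SCANNER="${SCANNER:-dotnet $HOME/Dev/tools/sonarqube-msbuild/SonarScanner.MSBuild.dll}"
BUILD_CMD="${BUILD_CMD:-dotnet build}"
SONAR_HOST="${SONAR_HOST:-http://localhost:9000}"

# Fail closed when no token is present; never print the token itself.
require_token() {
  [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
}

# Mask the sonar.login value so a command line can be logged safely.
redact_login() {
  printf '%s\n' "$1" | sed -E 's#(sonar\.login=")[^"]*"#\1***"#g'
}

# Run one scanner phase (begin or end); the token is appended here and only here.
scanner_phase() {
  phase="$1"; shift
  echo "+ $(redact_login "$SCANNER $phase $* /d:sonar.login=\"$SONAR_TOKEN\"")"
  # $SCANNER is intentionally unquoted: it holds "dotnet <dll>" or "mono <exe>".
  $SCANNER "$phase" "$@" /d:sonar.login="$SONAR_TOKEN"
}

# Begin, build, end: the three steps described in the post, in order.
scan_project() {
  project_key="$1"
  require_token
  scanner_phase begin /k:"$project_key" /d:sonar.host.url="$SONAR_HOST"
  $BUILD_CMD    # the Build step: compile so there are binaries to analyse
  scanner_phase end
}

# Usage: SONAR_TOKEN=... ./scan.sh dotnet-core   (no argument: only define the functions)
if [ "$#" -gt 0 ]; then
  scan_project "$1"
fi
```

Run it from the project folder with the project key as the only argument; sourcing it without arguments just defines the functions.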
There are many ways to run SonarQube locally to analyse code quality. You can use Docker to get up and running in a few minutes. We’ve also looked at how to analyse both .NET Core and .NET Framework projects on Mac and Windows.
If you find a better way to do the scanning locally, please let me know and I’ll add your recommendations.