What is Sonar?
- Natan Ferreira
It’s a code analysis tool that helps in writing clean and secure code.
Writing clean and secure code is a challenge. While manual code reviews are an option, leveraging a code analysis tool like Sonar is an excellent idea. This allows us to maintain clean and secure code, gaining several advantages:
- Less maintenance;
- Less rework;
- Lower risk.
Some companies that use it include
Support
Sonar products
There are three Sonar products that we can use, and they all share the same goal of identifying issues to keep the code clean and secure:
- SonarLint: installed in the IDE, it performs real-time code analysis directly within the IDE to identify issues.
- SonarQube: installed on the company's own server for teams to use, and it can be integrated into the pipeline.
- SonarCloud: a cloud-based solution that can also be integrated into the pipeline.
In this article, we will explore SonarLint and SonarQube.
Quality Gate
The Quality Gate indicates whether the code has reached a standard good enough for release. Green means it's good; red means it needs adjustments because it's not good enough for release.
Image representing code ready for release.
Sonar Flow
I’ll summarize the workflow.
While coding, the code can be analyzed in real-time within the IDE, as shown in the flow. After pushing to the remote repository, the pipeline runs, and the code is analyzed in SonarQube or SonarCloud. The Quality Gate checks the code quality. If it doesn’t meet the quality standard, the task goes back to the developer for necessary adjustments. After the adjustment and another push to the remote repository, another analysis is performed. If it now meets the quality standard, the code can proceed to production.
SonarLint
In the following example, I demonstrate how to install SonarLint in IntelliJ.
In my case, I already have it installed.
The SonarLint icon sits in the upper right corner of the editor, and the plugin underlines the code wherever it detects an issue.
Clicking on the icon provides more information about the issue, including examples of how to resolve it.
After resolving the issue, the icon turns green, indicating that everything is fine in this file.
SonarQube
The installation is simple, and for testing purposes it can be done with Docker. After installation, we create a project in SonarQube and, from the command line, send the code to the server for analysis.
Example of usage in SonarQube
After the code analysis, we can identify the issues.
Clicking on the issue provides more details.
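The Docker install, the command-line scan and a Quality Gate check wired into a pipeline step, as an added shell example that is not code from the original article. It assumes Docker, curl and the sonar-scanner CLI on PATH, a SonarQube user token in SONAR_TOKEN, and a hypothetical project key "my-project".

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes: Docker, curl and the
# sonar-scanner CLI on PATH, SONAR_TOKEN set to a token generated in SonarQube,
# and a hypothetical project key "my-project".
set -eu

SONAR_URL="${SONAR_URL:-http://localhost:9000}"
PROJECT_KEY="${PROJECT_KEY:-my-project}"

# Start SonarQube Community Edition in a container for local testing.
start_sonarqube() {
  docker run -d --name sonarqube -p 9000:9000 sonarqube:community
}

# Send the sources in the current directory for analysis; with
# sonar.qualitygate.wait=true the scanner itself fails when the gate is red.
scan_project() {
  sonar-scanner \
    -Dsonar.projectKey="$PROJECT_KEY" \
    -Dsonar.sources=. \
    -Dsonar.host.url="$SONAR_URL" \
    -Dsonar.token="$SONAR_TOKEN" \
    -Dsonar.qualitygate.wait=true
}

# Pull the Quality Gate status ("OK" or "ERROR") out of an
# api/qualitygates/project_status JSON response (the projectStatus.status field).
gate_status() {
  printf '%s' "$1" | sed -n 's/.*"projectStatus": *{ *"status": *"\([A-Z]*\)".*/\1/p'
}

# Query the gate result of the last analysis and return non-zero when it is not
# green, so a pipeline step can block the release instead of shipping red code.
check_gate() {
  response=$(curl -sf -u "$SONAR_TOKEN:" \
    "$SONAR_URL/api/qualitygates/project_status?projectKey=$PROJECT_KEY")
  status=$(gate_status "$response")
  echo "Quality Gate for $PROJECT_KEY: $status"
  [ "$status" = "OK" ]
}

# Usage: SONAR_TOKEN=<token> sh sonar_gate.sh start|scan|check
if [ "$#" -gt 0 ]; then
  case "$1" in
    start) start_sonarqube ;;
    scan)  scan_project ;;
    check) check_gate ;;
    *) echo "unknown action: $1" >&2; exit 2 ;;
  esac
fi
```

Run `start` once, then `scan` and `check` from the pipeline; `check` exits non-zero on a red gate, which is what sends the task back to the developer.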
Monitoring
We can also monitor the quality.
Security
It's essential to note that Sonar's security rules and reports reference the OWASP project, which is crucial for promoting secure code.
Updates
In recent versions, there have been changes in issue types and severity.
Conclusion
The use of Sonar greatly helps in building clean and secure code. This brings many advantages, such as less maintenance, less rework, lower risk, and better code security and readability. Another advantage is that we can monitor quality over time.
Author
Hello there, I'm Natan Lara Ferreira, a Full Stack Developer in Java and Angular since 2016. I've been on the Open Finance Brazil project, using the Quarkus framework and Angular, since the beginning of 2021. I'm a problem solver, critical thinker and team player.