About this Book

Welcome to SonarQube in Action. This book is aimed at turning all the tedious and sometimes hard-to-understand stuff about source code quality and software metrics into an exciting experience. It aims to become the Holy Bible of software quality: a reference for every development team that wishes to improve their source code. You’ll see that metrics are meaningful and affect several aspects of your software’s health. In this journey, SonarQube will be our pilot. SonarQube is an open source platform for continuously measuring, managing, tracking, and improving source code’s quality.

How this book is organized

We begin each chapter of the book by describing a real problem/situation, and then we talk about the features of SonarQube and the relevant metrics that help you address and eventually solve that problem. We elaborate by providing some theoretical background, we discuss best practices (if any), and we end each chapter by talking about SonarQube plugins relevant to the chapter’s topic and how you can take advantage of them.

Now it’s time to list in detail the book’s content.

Part 1 gives you an overview of SonarQube, explains the seven axes of quality (like the seven deadly sins of software development), and sets the stage for the following parts. We introduce SonarQube’s key features and benefits and discuss the core metrics that SonarQube calculates.

  • Chapter 1 sets the scene, introducing the core concepts of SonarQube. We begin by showing you what you should expect to see when you analyze a project using SonarQube for the first time. We briefly discuss the different metrics presented in SonarQube’s dashboard. At the end, we present the Technical Debt plugin.
  • Chapter 2 introduces the topic of code issues. You’ll learn, among other things, where they come from and how they’re related to bugs or potential bugs.
  • Chapter 3 is all about testing (unit and integration). It describes the importance of code-coverage metrics and how they’re calculated, and it gives you some tips for improving the test quality and coverage of your code.
  • Chapter 4 focuses on duplicated code by illustrating the problems that may arise and the resulting impact on the quality and maintainability of your source code.
  • Chapter 5 deals with a topic which is rarely considered by development teams as a quality factor: documentation. You’ll find out when and why it’s a good practice to document your code, and we’ll present a proposed documentation strategy that fits any development process.
  • Chapters 6 and 7 talk about design and complexity. Although some may argue that they’re more or less the same thing, we’ve chosen to split them in order to provide more examples and illustrate their value in code quality.

Part 2 discusses how you can get the best out of SonarQube, where it fits in any development lifecycle, and how to make it part of your everyday work life. It also introduces the concept of Continuous Inspection, which is the ultimate target when talking about software quality.

  • Chapter 8 discusses several approaches for improving the quality of your source code. You can pick one or all of them based on your experience. Then we’ll take you on a tour of all the possible data perspectives that SonarQube offers, and we finish by explaining the concepts of history and trending.
  • Chapter 9 delves into the details of Continuous Inspection. We’ll talk about integrating SonarQube with Jenkins, and you’ll learn about the star feature of differential views that lets you track quality evolution over time.
  • Chapter 10 deals with the popular practice of code reviews and explains how you can benefit from SonarQube. You’ll find out how issues are associated with reviews, how to track them, and what SonarQube features let you plan your work with action plans.
  • Chapter 11 talks about integrating SonarQube with Eclipse. Enjoy most of the SonarQube advantages without leaving your IDE by following the step-by-step guide provided in this chapter.

Part 3 covers several administrative topics and gives you ideas about customizing and tuning SonarQube to make it suitable for any kind of project. In an enterprise environment with a SonarQube installation that hosts several projects, it’s a good idea to adjust many of SonarQube’s predefined settings to fit your needs. This part of the book also teaches you step by step how to extend SonarQube by writing a custom plugin.

  • Chapter 12 explores security concepts, including users, roles, and groups. You’ll learn how to delegate authentication and authorization to external systems (LDAP, OpenID, and so on).
  • Chapter 13 deals with managing coding rules and organizing them in quality profiles. You’ll also discover how you can create your own rules or edit existing ones and trigger alerts when metrics fall below a threshold.
  • Chapters 14 and 15 discuss global and project administration, including filters, dashboards, and user notifications. The latter also provides a simple path for adopting Continuous Inspection by discussing useful SonarQube features that will assist you in this direction.
  • Chapter 16 is dedicated to teaching you how to extend SonarQube. Although it’s not possible to cover everything in a few pages, we provide a complete example of implementing a real SonarQube plugin. We also give you some insights into adding support for new programming languages.

The book also has two appendixes that will help you with the basics, especially if you’re a SonarQube newbie:

  • Appendix A focuses on installing SonarQube in Linux and Windows.
  • Appendix B provides all the necessary details to run your first analysis with SonarQube.

One last thing—don’t expect to find correct code in this book. Chapter 16 is the only exception to that rule, because it deals with writing plugins. Most of the examples intentionally illustrate bad habits in coding, and their purpose is to point out what you should avoid. Nevertheless, in some cases we’ve included a refactored version to show you that by using SonarQube, you can begin to understand these nasty metrics and dramatically improve the quality of your code.

How to use/read this book

Each person has their own reading style, and we can’t force you to change it for this book. But we can still give you a couple of ideas on how to get the most out of this book.

Every chapter is organized in such a way that you can read it separately from the rest. We do suggest that you read chapter 1, especially if you’re not an experienced SonarQube user, because it’s an overview of SonarQube and introduces some basic ideas you may need when reading the rest of the book.

If you decide to read the book sequentially, you’ll find that each chapter is connected to the previous one, and the chapters flow smoothly, without gaps. But again, you can skip any chapter and come back later if you want to.

We did our best to ensure that this book will become a reference for you whenever you need to learn or remember anything about SonarQube or its computed metrics.

Who should read this book

Believe it or not, source code quality is a topic that targets almost everyone who participates in a software project. Although we provide several code examples, you don’t need to be a code expert to read this book. You also don’t need to be familiar with Java, because the code listings and snippets are so simple that anyone with basic programming skills can understand them. Besides, don’t forget that most of the examples in the book show you poor or bad code, to illustrate techniques and habits you should avoid. We do expect that you have some basic knowledge about software quality metrics.

The book is aimed at the following professionals:

  • Software engineers (developers, designers, architects)— This is the book’s primary target audience. Software engineers live a day-by-day battle to achieve software quality, hunting and fixing bugs, adding new features, and designing and redesigning the logical architecture of the system. Not to mention that all these things have to be done within strict deadlines and constantly changing business requirements. This book will help you spot the parts of the software that need your attention so you can take immediate action.
  • Quality assurance staff and testers— QA staff nowadays plays a valuable role in software engineering. In most cases, these people are part of the development team, and it’s up to their judgment whether a product should be released. If you fall in this category, this book will teach you how to track the quality of the software under development in an easy and comprehensive way, how to define criteria and thresholds for critical metrics, and, eventually, how SonarQube can assist you in decision making.
  • Project/Product managers and team leaders— The era of project/product managers and team leaders sitting in an office, isolated from the rest of the development team, has passed. Managers exist to do more than read weekly reports and track down timelines and deliverables. They must have a clear view of the software and especially its quality in order to assist team members and get them on the right track. This book explains all the quality axes without unnecessary technical details. It provides you with a guide to how you can automatically track quality measures in source code over time and improve the development lifecycle by introducing new practices such as code reviews and Continuous Inspection.

Code conventions and downloads

All the source code in the book, whether in code listings or snippets, is in a fixed-width font like this, which sets it off from the surrounding text. In most listings, the code is annotated to point out the key concepts, and numbered bullets are sometimes used in the text to provide additional information about the code. We have tried to format the code so that it fits within the available page space in the book by adding line breaks and using indentation carefully.

Source code for all the examples and the plugin from chapter 16 is available at www.manning.com/SonarQubeinAction. If you want to get the most updated source code for the plugin—remember, it’s a real one, so the latest version is likely to be different from the code shipped with the book—it’s available at the following GitHub link: https://github.com/ppapapetrou76/sonar-redmine-plugin.

What this book doesn’t do

This book should not be considered a user or administration guide for SonarQube. If you just want to learn how to use SonarQube, the online documentation at http://docs.codehaus.org/x/EoDEBg should be sufficient.

This book also doesn’t explain the underlying tools with which SonarQube integrates, such as PMD, FindBugs, Checkstyle, and so on. You’re encouraged to visit the corresponding websites to learn more about their purpose.

In some chapters, we include tips and best practices for refactoring as well as some introductory material. But this book doesn’t teach you how to refactor your code.

Author Online

The purchase of SonarQube in Action includes free access to a private web forum run by Manning Publications, where you can make comments about the book, ask technical questions, and receive help from the authors and from other users. To access the forum and subscribe to it, point your web browser to www.manning.com/SonarQubeinAction. This page provides information on how to get on the forum once you are registered, what kind of help is available, and the rules of conduct on the forum.

Manning’s commitment to our readers is to provide a venue where a meaningful dialogue between individual readers and between readers and the authors can take place. It is not a commitment to any specific amount of participation on the part of the authors whose contribution to the forum remains voluntary (and unpaid). We suggest you try asking the authors some challenging questions lest their interest stray!

The Author Online forum and the archives of previous discussions will be accessible from the publisher’s website as long as the book is in print.

About the authors

G. ANN CAMPBELL has 15 years of experience in Perl, C, C++, Java, and web technologies on variously sized and organized teams, and she has spent far too much time achieving code quality the hard way without SonarQube.

PATROKLOS P. PAPAPETROU is a Java architect, an experienced software developer, and an Agile team leader. He’s an active SonarQube community member and contributor.
