Automated code analysis is a powerful and useful technology, and Sonarqube is the leading open source platform in this space. According to Sonarqube's official documentation:
"Sonarqube® software (previously called Sonar) is an open source quality management platform, dedicated to continuously analyze and measure technical quality, from project portfolio to method."
Bitbucket is amazing for enabling collaboration among developers in an intuitive web interface. Integrating Sonarqube with Bitbucket provides automated feedback on code quality issues in the context where it matters most: the pull request in which the peer code review is happening.
In the pull request view:
- A summary of the Sonarqube analysis is visible to the participants:
In this example, the codebase currently has a total of 4 critical issues, 3 of which were introduced by the feature branch under review. Similarly, 1 additional major issue and 1 additional minor issue were introduced by the current branch:
- The "Diff" tab in the pull request details can show the Sonarqube findings alongside the code change:
- If the reviewer wants a detailed analysis report, clicking on a Sonarqube marker icon displays details on the issue. In the example above it shows details on the "Critical" issue found for line #66. There are options to convert the finding into a pull request comment, or to view details about the rule that triggered this result and the suggested fix.
- Sonarqube analysis can also be used as a merge check by setting thresholds in the Bitbucket repository settings.
The example repository below is configured with a condition that will not allow anyone to merge a pull request that has more than 1 critical issue:
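The merge-check logic described above, written out as an added example (this is not the plugin's own code). It assumes issue records shaped like SonarQube's issue search response (key, rule, severity, component, line, message); the sample issues, the rule keys and the assumption that the threshold applies to issues introduced by the branch are all constructed for the example. The numbers reproduce the scenario in the screenshot description: 4 critical issues in total, 3 of them new, plus 1 new major and 1 new minor issue, checked against a "no more than 1 critical issue" threshold.

```python
"""Pull request merge check over SonarQube-style issue lists (added example)."""
from collections import Counter

SEVERITIES = ("BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO")


def issue(key, rule, severity, component, line, message):
    # Minimal issue record; field names follow SonarQube's issue search response.
    return {"key": key, "rule": rule, "severity": severity,
            "component": component, "line": line, "message": message}


# Constructed sample data: issues already present on the target branch.
# Rule keys are illustrative only.
BASE_ISSUES = [
    issue("b1", "squid:S2068", "CRITICAL", "app:src/main/java/Config.java", 12,
          "Remove this hard-coded password."),
    issue("b2", "squid:S1192", "MAJOR", "app:src/main/java/Service.java", 40,
          "Define a constant instead of duplicating this literal."),
]

# Constructed sample data: issues on the feature branch. The two base issues
# are still there; three CRITICAL, one MAJOR and one MINOR issue are new.
FEATURE_ISSUES = BASE_ISSUES + [
    issue("f1", "squid:S2068", "CRITICAL", "app:src/main/java/Login.java", 66,
          "Remove this hard-coded password."),
    issue("f2", "squid:S2095", "CRITICAL", "app:src/main/java/Export.java", 21,
          "Use try-with-resources or close this stream."),
    issue("f3", "squid:S2095", "CRITICAL", "app:src/main/java/Export.java", 58,
          "Use try-with-resources or close this stream."),
    issue("f4", "squid:S1192", "MAJOR", "app:src/main/java/Login.java", 19,
          "Define a constant instead of duplicating this literal."),
    issue("f5", "squid:S1481", "MINOR", "app:src/main/java/Login.java", 73,
          "Remove this unused local variable."),
]


def fingerprint(i):
    # Line numbers shift between branches, so issues are matched on
    # location-independent fields. This matching rule is an assumption of the
    # example; the page does not show how the plugin itself matches issues.
    return (i["component"], i["rule"], i["message"])


def new_issues(base, feature):
    """Issues on the feature branch that are not accounted for by the base branch."""
    remaining = Counter(fingerprint(i) for i in base)
    fresh = []
    for i in feature:
        fp = fingerprint(i)
        if remaining[fp] > 0:
            remaining[fp] -= 1  # same finding already exists on the target branch
        else:
            fresh.append(i)
    return fresh


def count_by_severity(issues):
    counts = Counter(i["severity"] for i in issues)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def merge_check(introduced, thresholds):
    """thresholds maps severity -> maximum number of new issues allowed.
    Returns (allowed, list of human-readable violations)."""
    counts = count_by_severity(introduced)
    violations = [f"{s}: {counts[s]} introduced, at most {limit} allowed"
                  for s, limit in thresholds.items() if counts[s] > limit]
    return (not violations, violations)


def diff_markers(introduced):
    """Group new issues by (file, line) so they can be shown beside the diff."""
    markers = {}
    for i in introduced:
        markers.setdefault((i["component"], i["line"]), []).append(
            f'{i["severity"]} {i["rule"]}: {i["message"]}')
    return markers


def summarize(base, feature, thresholds):
    """Everything the pull request view needs: totals, new issues, verdict, markers."""
    introduced = new_issues(base, feature)
    return {
        "total": count_by_severity(feature),
        "introduced": count_by_severity(introduced),
        "allowed": merge_check(introduced, thresholds)[0],
        "markers": diff_markers(introduced),
    }


if __name__ == "__main__":
    report = summarize(BASE_ISSUES, FEATURE_ISSUES, {"CRITICAL": 1})
    for section, value in report.items():
        print(section, value)
```

With the threshold set to 1 critical issue the verdict is "not allowed", because the branch introduces 3; raising the limit to 3 (or fixing two of the findings) lets the merge through. Matching on (file, rule, message) rather than on line number is deliberate: a finding that merely moved down a few lines should not be reported as new.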
How does this work?
Sonarqube analysis is triggered by the continuous integration setup in Bamboo via build plan branches. The results published to Sonarqube are made available to Bitbucket Server and shown to users in the pull request view.
source: https://mibexsoftware.atlassian.net/wiki/display/SONARBAMBOO (Before version 4.x, Bitbucket Server was known as Stash)
In Bamboo you need to add the Sonarqube Maven task to your build job in order for Sonarqube to run an analysis. A link to the Sonarqube analysis is visible in the Bamboo build result summary page:
When you click on the Sonarqube link it takes you to the Sonarqube home page for the particular branch build.
A typical Sonarqube analysis includes:
- Home Page: provides a summary of the entire analysis. Here, Technical Debt, Coverage, Duplication and Structure are the areas highlighted:
- Technical Debt: based on its policies, Sonarqube analyses the code to find issues such as convention violations, security weaknesses, performance problems, error-handling mistakes, etc.
  - Depending on the policies, it raises issues for the user to address.
  - Additionally, it estimates the amount of effort required to address those issues.
  - Sonarqube also provides interesting graphical visualizations of various statistics related to the analysis results:
- Coverage: helps you determine the percentage of code covered by the unit tests.
  - A graphical representation of each file's test coverage, indicating the number of uncovered lines:
- Duplications: displays duplicated blocks, lines and files:
- Structure: this section shows the architecture of the project:
  - What percentage of the code is in Java, XML, or any other language?
  - How complex is the code?
  - Number of functions defined, classes used, etc.
- Based on the above analysis, a reviewer can decide with confidence whether the code should be merged or needs to be cleaned up first.