Static analysis with SonarQube

Installing

The SonarQube platform is made of 3 components:

1. One Database to store:
   
   • the configuration of the SonarQube instance (security, plugins settings, etc.)
   • the quality snapshots of projects, views, etc.
2. One Web Server for users to browse quality snapshots and configure the SonarQube instance
3. One or more Analyzers to analyze projects

Installing Database

Create an empty schema and a sonarqube user. Grant this sonarqube user permissions to create, update and delete objects for this schema. The charset of the database has to be set to "UTF-8" and the language (database and user) to "English". Here is a sample script for MySQL.

MySQL

There are two well-known engines that can be used in MySQL: MyISAM and InnoDB. MyISAM is the oldest of the two engines and is being progressively replaced by InnoDB. InnoDB is clearly faster and scales better with SonarQube as the number of projects under quality control increases. If you were an early adopter of SonarQube, you probably have a series of table that are still using MyISAM. To improve performances, you should change the engine for all tables to InnoDB.

Once all SonarQube tables are using the InnoDB engine, the first thing to do is allocate a maximum amount of RAM to your MySQL instance with the innodb_buffer_pool_size parameter and give at least 15Mb to the query_cache_size parameter. Read this article about InnoDB Performance Optimization Basics for more information.

Installing Web Server

First, check the requirements.

Then download and unzip the distribution (do not unzip into a directory starting with a digit). Note that native packages are also available for Linux distributions.

<install_directory> (below) refers to the path to the directory where the SonarQube distribution has been unzipped.

Setting the access to the Database

Edit <install_directory>/conf/sonar.properties to configure the database settings. Templates are available for every supported database. Just uncomment and configure the template you need and comment out the lines dedicated to H2:

Example for PostgreSQL

sonar.jdbc.username=sonarqube sonar.jdbc.password=mypassword sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube

Adding the JDBC Driver

Drivers for the supported databases (except Oracle) are already provided. Do not replace the provided drivers; they are the only ones supported.

For Oracle, copy the JDBC driver into <install_directory>/extensions/jdbc-driver/oracle.

Starting the Web Server

The default port is "9000" and the context path is "/". These values can be changed in <install_directory>/conf/sonar.properties:

sonar.properties

sonar.web.host=192.0.0.1 sonar.web.port=80 sonar.web.context=/sonar

Execute the following script to start the server:

• On Linux/Mac OS: bin/<YOUR OS>/sonar.sh start
• On Windows: bin/windows-x86-XX/StartSonar.bat
• Read Installing SonarQube on AIX, HPUX or Solaris for other platforms

You can now browse SonarQube at http://localhost:9000 (default System administrator credentials are admin/admin).

Tuning the Web Server

By default, SonarQube is configured to run on any computer with a simple Java JRE.

For better performance, the first thing to do when installing a production instance is to use a Java JDK and activate the server mode by uncommenting/setting the following line in <install_directory>/conf/sonar.properties:

sonar.web.javaOpts=-server

To change the Java JVM used by SonarQube, simply edit <install_directory>/conf/wrapper.conf and update the following line:

wrapper.java.command=/path/to/my/jdk/bin/java

Advanced Installation Features

• Running SonarQube as a Service on Windows or Linux
• Running SonarQube behind a Proxy
• Running SonarQube over HTTPS

Installing Analyzers

Multiple analyzers are available:

• SonarQube Runner: recommended for all non-Maven projects
• Maven: recommended for all projects built with Maven
• SonarQube Ant Task: to integrate with projects built with Ant
• Gradle: to integrate with projects built with Gradle
• CI Engine: see Jenkins plugin or Hudson plugin or Bamboo plugin or AnthillPro plugin. Note that other CI engines can be used even if there is no SonarQube plugin available.

We do not recommend to use an antivirus on the machine where a SonarQube analysis runs, it could generate unpredictable behavior.

Analyze with Maven

Analyzing a Maven project consists of running a Maven goal: sonar:sonar in the directory where the pom.xml file sits.

# The sonar:sonar goal must be executed in a dedicated mvn command mvn clean install mvn sonar:sonar   # The following command may lead to unexpected issues mvn clean install sonar:sonar

Code Coverage

Icon

Since Java ecosystem 2.2, to get coverage information you have to generate the coverage report. If you are not generating it during your build you can use the following command:

mvn clean org.jacoco:jacoco-maven-plugin:prepare-agent install -Dmaven.test.failure.ignore=true

mvn sonar:sonar

Please check the JaCoCo plugin page for more advanced information

Security

SonarQube 3.7+

Any user who's granted Execute Analysis permission can run an analysis.

If the Anyone group is not granted Execute Analysis permission or if the SonarQube instance is secured (the sonar.forceAuthentication property is set to true), the credentials of a user having been granted Execute Analysis permission have to be provided through the sonar.login and sonar.password properties. Example: sonar-runner -Dsonar.login=myLogin -Dsonar.password=myPassword

Note that for a preview/incremental analysis, the user also has to be granted the Browse permission on the project to be analyzed.

Project analyzed with Maven 3 only

<build>
  <pluginManagement>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>2.1</version>
      </plugin>
    <plugins>
  </pluginManagement>
</build>