
Wednesday, 11 July 2018

Part 1 - Monitoring code quality of your Android application with SonarQube

Why SonarQube?



SonarQube (i.e. SonarQube.org) is a powerful tool to monitor and analyze code quality, security and reliability. It is a continuous inspection engine and offers reports on duplicated code, exception handling, coding standards, code smells, unit tests, code coverage, code complexity, potential bugs, comments, design, and architecture etc.

SonarQube supports 20+ programming languages. Plugins for some languages (Java, JavaScript, Kotlin, Objective-C, PL/SQL, PHP, and Python) are bundled with the platform. To analyze a different language, we can install the plugin. As Android projects are based on Java sources, it is possible to analyze such projects with SonarQube.

This post covers a local SonarQube instance only (i.e. running Sonar on your own machine). Doing the same against a remote server (e.g. SonarCloud or a centralized Sonar instance) shouldn't be a problem once you have understood the basics.

Installing SonarQube to a local machine



1. Go to https://www.sonarqube.org/downloads/ and download the latest version of SonarQube by clicking on Download Latest.
2. Unzip the downloaded archive.
3. Go to the sonarqube-/bin folder. You will see one folder per supported platform.





4. Open the folder corresponding to your platform. There you should see a batch file named StartSonar for Windows (or sonar.sh for other platforms).
5. Double-click the StartSonar batch file. This opens a SonarQube console. Wait for start-up to complete; you will then see the messages 'Process[ce] is up' and 'SonarQube is up'.
6. Open localhost:9000 in a browser. You will see the SonarQube web page.




Adding SonarQube configuration in Gradle

1. Add the SonarQube plugin to the project-level Gradle file (i.e. the build.gradle in the root folder) of your project.

            buildscript {
                dependencies {
                    // Gradle plugin that adds the 'sonarqube' task
                    classpath "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.6.2"
                }
            }

2. Add the SonarQube plugin to the app module Gradle file of your project and apply the separate configuration file created in step 3.

          apply plugin: 'org.sonarqube'
          apply from: '../sonarqube.gradle'


3. Put the Sonar configuration in a separate Gradle file, 'sonarqube.gradle', next to the module:

          // Specify the flavor once and adapt the paths to it dynamically
          def flavor = "Project flavor"
          sonarqube {
              properties {

                  // android.jar of the compiled SDK, so Sonar can resolve framework classes
                  def libraries = project.android.sdkDirectory.getPath() + "/platforms/android-22/android.jar"

                  property "sonar.host.url", "http://localhost:9000"
                  property "sonar.projectKey", "package of Android app"
                  property "sonar.projectName", "Name of project"
                  property "sonar.projectVersion", "Project version"

                  property "sonar.sourceEncoding", "UTF-8"
                  // The first path is where the Java files are, the second where the XML files are
                  property "sonar.sources", "src/main/java,src/main/res"
                  property "sonar.binaries", "build/intermediates/classes/${flavor}/debug"
                  property "sonar.libraries", libraries
              }
          }

sonar.projectKey - Any unique key (e.g. the package name of the Android app) for your project. It must be different for every project you analyze with SonarQube.

sonar.sources - The paths of the Java files and the XML layout files.

sonar.exclusions - Used to exclude directories or files from being analyzed by SonarQube.
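As an added example (not code from the original post), here is a complete sonarqube.gradle that ties the three properties above together and also sets sonar.exclusions, which the post mentions but does not show. The flavor name "free", the build type "debug", API level 22, the project key "com.example.app" and the project name are assumed placeholders; the exclusion patterns target the files the Android build generates (R, BuildConfig, Manifest) so that they do not inflate the issue count.

```groovy
// sonarqube.gradle - added example, not part of the original post.
// Assumed values: flavor "free", build type "debug", API level 22 and the
// project key "com.example.app". Replace them with your project's own values.
def flavor = "free"        // assumed product flavor name
def buildType = "debug"    // assumed build type
def apiLevel = 22          // assumed compileSdkVersion

sonarqube {
    properties {
        // android.jar of the compiled SDK so Sonar can resolve framework classes
        def androidJar = "${project.android.sdkDirectory.path}/platforms/android-${apiLevel}/android.jar"

        property "sonar.host.url", "http://localhost:9000"
        // Must be unique per project on the Sonar instance (assumed value)
        property "sonar.projectKey", "com.example.app"
        property "sonar.projectName", "Example App"
        // Reuse the version declared in the Android DSL, falling back to "1.0"
        property "sonar.projectVersion", project.android.defaultConfig.versionName ?: "1.0"
        property "sonar.sourceEncoding", "UTF-8"

        // Java sources and XML resources; anything not listed here is not analyzed
        property "sonar.sources", "src/main/java,src/main/res"
        // Compiled classes for the chosen flavor and build type (same layout the post uses)
        property "sonar.binaries", "build/intermediates/classes/${flavor}/${buildType}"
        property "sonar.libraries", androidJar

        // Generated code that only adds noise to the report. Patterns are
        // relative to the module directory and joined into one comma-separated value.
        property "sonar.exclusions", [
            '**/R.java',
            '**/R$*.java',
            '**/BuildConfig.java',
            '**/Manifest*.java',
            'build/**'
        ].join(",")
    }
}
```

Because the properties block is evaluated when the sonarqube task runs, project.android is already configured at that point, which is why the SDK path and versionName can be read from it.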



4. After building or syncing the project, open a Command Prompt and navigate to the app module directory of your project, where its Gradle file is located. Execute gradle sonarqube and wait until the build completes.
5. Refresh or open localhost:9000 in the browser. You will see your project listed.

Understanding SonarQube analysis



At the top right of the web page, you will see a login option. You can log in as administrator with admin as both the username and the password.
On the Home page you will see the number of projects added to SonarQube and the number of Bugs, Vulnerabilities and Code Smells.

Bugs

Bugs track code that is demonstrably wrong or highly likely to yield unexpected behavior.

Vulnerabilities

Vulnerabilities are raised on code that is potentially vulnerable to exploitation by hackers.

Code Smells

Code Smells will confuse maintainers or give them pause. They are measured primarily in terms of the time they will take to fix.

When you navigate to the Projects tab, you will see projects rated from A to E for Reliability, Security and Maintainability, where A is best and E is worst. You will also see the percentage of duplicated code and the size of the code base in lines of code.



Quality Gate

A Quality Gate is the set of conditions a project must meet before it can be released into production. You can see whether your project passed or failed the Quality Gate.


Rules

Sonar has a set of rules for validating the source code of the Android application against coding standards. When you navigate to the Rules tab, you will see the list of rules against which the inspection is done. In the left panel you can filter the rules by language, type, tags etc.


Issues

When you navigate to the Issues tab, you will see the list of issues your project has. Selecting Effort in Display Mode shows the estimated time required to fix these issues.




Clicking on the arrow at the right end of an issue will take you to the line in your code where the issue is found.





Administration



The Administration tab allows you to edit global settings for this SonarQube instance.
In the Administration section, click on the System tab and go to the Update Center. Here you can install plugins.

In the Installed section you will see the plugins that are already installed. In the Updates Only section you will see available updates for installed plugins.

In the Available section you will see the plugins that can be installed. You can install plugins for the languages you want to support. There are also plugins for external analyzers such as FindBugs, which provide FindBugs rules for the analysis of Java projects.





Please feel free to post any queries, doubts or suggestions in the comments section.

