Features and Best Practice

Automated Code Review Using Sonar

Authored by Amit Aggarwal and Priya Mandhan

In the current IT culture, where everyone lists 'quality' as their topmost priority, code quality is one of the most critical factors when we talk about delivery excellence. Code quality comprises many factors, such as good code coverage with quality unit tests, fewer code smells, fewer code vulnerabilities, less code duplication, appropriate cyclomatic complexity and many others. Automated code review tools are one-stop solutions that report on these factors and help a developer understand the quality of the code during the development phase. They help the developer identify 'bad code' as it is introduced into an application, give a clear explanation of the identified issue, and suggest the correct way of implementing it.

There are many automated code review tools, such as ReSharper, Code Climate, Codebeat and Sonar. Sonar is the most common and preferred choice of tool for developers, with multiple benefits. Sonar is an open-source tool with built-in support for code analysis of numerous programming languages and a pre-defined standard set of rules that runs on the developer's code to produce quality results. It can be easily integrated with various CI tools and can become a 'quality gateway' for the release of code.

The Sonar tool detects errors during coding and provides recommendations on code standards, along with well-organized metrics based on pre-defined rules and algorithms that help gauge code quality. Another significant benefit for the end-user is the knowledge gained from the recommendations, which further helps developers improve their coding standards.

Here are a few features and best practices for getting the most out of the Sonar tools:

Fixes issues before they exist – Configure SonarLint as an extension/plugin in your IDE (IntelliJ, Eclipse or Visual Studio). It notifies developers as they type code, like a spell checker, and offers recommendations for improvement. Pre-configured sets of rules detect common mistakes, tricky bugs and known vulnerabilities.

Customizes rules through quality profiles – Configure SonarQube on a centralized server to serve all developers. Default sets of rules are available for different languages. It is recommended to customize the tool by specifying your own set of rules, following the coding standards and conventions of the project, through a custom quality profile.

Additional plugins – Enable support for additional code analyzers and languages (e.g. YAML, TypeScript, Python, OWASP) in SonarQube by installing new plugins from the Administration dashboard. Sonar periodically releases an enhanced set of rules for existing languages, and you have the flexibility to create a new plugin. All installations of SonarQube use plugins (C# support, for example, is a plugin).

Integrates Sonar with Jenkins – Sonar is easily integrable, so integrating SonarQube with Jenkins to execute unit test cases with every build saves time and effort (the SonarScanner plugin for MSBuild covers .NET builds). SonarQube settings can be changed within Jenkins without touching the code. This helps in assessing results with every code check-in a developer makes in a build pipeline.

Monitors graphs & dashboards – SonarQube keeps historical data of builds, records metrics and shows progress graphs for all projects/components in one place. You can drill down into each component/service individually, and SonarQube helps you decide where to act first.

Enforces quality gates – A quality gate is a set of conditions a project must meet before it can qualify for a release: thresholds on metrics such as code coverage, number of critical issues and unit test pass rate, set per project. It is a default feature of SonarQube, is customizable, and its status is displayed at the top of the project page. If a developer tries to check in code with a known coding issue or a security threat, the build will fail, pointing out the exact problem.
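To show how a pipeline step turns the quality gate status into a build decision that names the exact failing condition, here is an added example (not code from the original article or from SonarSource). It assumes the JSON shape returned by SonarQube's project_status Web API call; the payload below is constructed to mirror that shape, and the step fails closed when the gate status is anything other than OK.

```python
"""Turn a SonarQube quality gate result into a CI pass/fail decision."""
import json
from typing import List, Tuple

# Constructed sample payload mirroring the shape of
# GET api/qualitygates/project_status?projectKey=... (assumed; check your
# server version's API docs). One condition, new_coverage, fails here.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "62.5"},
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
        ],
    }
})


def evaluate_quality_gate(payload: str) -> Tuple[bool, List[str]]:
    """Return (passed, reasons); passed is True only for an explicit OK status."""
    project_status = json.loads(payload)["projectStatus"]
    reasons = []
    for cond in project_status.get("conditions", []):
        if cond.get("status") == "OK":
            continue
        # Report the metric, the measured value and the threshold it breached
        reasons.append(
            f"{cond['metricKey']}: actual {cond.get('actualValue')} "
            f"{cond.get('comparator')} threshold {cond.get('errorThreshold')}"
        )
    # ERROR, NONE (no gate computed) or a missing status all fail the build
    return project_status.get("status") == "OK", reasons


def ci_exit_code(payload: str) -> int:
    """Exit code for the pipeline step: 0 lets the build pass, 1 fails it."""
    passed, reasons = evaluate_quality_gate(payload)
    for reason in reasons:
        print("quality gate condition failed ->", reason)
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(ci_exit_code(SAMPLE_RESPONSE))
```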

Sonar can assure better code quality while at the same time enhancing developers' skills.
