Static Code Analysis with SonarQube

ABHISHEK SHARMA
Nov 25, 2020


Definition

SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews using static analysis of code to detect bugs, code smells, and security vulnerabilities in 20+ programming languages, and it reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security vulnerabilities.

SonarQube records metrics history and provides evolution graphs. It runs fully automated analyses and integrates with Maven, Ant, Gradle, MSBuild and continuous integration tools (Atlassian Bamboo, Jenkins, Hudson, etc.).

Working

SonarQube's analysis originally relied on third-party static code analysis tools such as Checkstyle, PMD, FindBugs, FxCop and Gendarme to extract software metrics that are then used to improve software quality; current versions ship their own language analyzers, and third-party tools remain available through plugins. Note that all of these are static analyzers: SonarQube inspects the source code without executing the program, so it complements rather than replaces dynamic testing.

Sonar Structure (architecture diagram; image not reproduced here, originally taken from Google)

Features

1) Supported languages: Java, C/C++, Objective-C, C#, PHP, Flex, Groovy, JavaScript, Python, PL/SQL, COBOL, etc. (note that some of these analyzers are available only in the commercial editions)

2) Can also be used for Android development.

3) Offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, potential bugs, comments and design and architecture.

4) Records metrics history and provides evolution graphs (“time machine”) and differential views.

5) Provides fully automated analyses: integrates with Maven, Ant, Gradle and continuous integration tools (Atlassian Bamboo, Jenkins, Hudson, etc.).

6) Integrates with the Eclipse development environment (through the SonarLint plugin).

7) Integrates with external tools: JIRA, Mantis, LDAP, Fortify, etc.

8) Is expandable with the use of plugins.

9) Implements the SQALE methodology to compute technical debt.

Installation

STEP-1

Go to https://www.sonarqube.org/downloads/

STEP-2

Click Community Edition (the free edition) to download SonarQube.

STEP-3

Extract the downloaded archive.

STEP-4

Open a Command Prompt and change into the extracted SonarQube folder.

Note: SonarQube requires JDK 11 to run, so check your Java version first with the command “java -version”.

STEP-5

From the SonarQube folder run “bin\windows-x86-64\StartSonar.bat”

(This starts the SonarQube server. Wait until the console log reports that SonarQube is up before opening the browser.)

STEP-6

Once the server has started, open a browser and go to http://localhost:9000

This opens the login page (default username admin, password admin). Change this default password immediately after the first login: anyone who can reach port 9000 can otherwise log in as administrator. Note also that the bundled H2 database is meant for evaluation only; a production server needs an external database such as PostgreSQL.

YOUR DASHBOARD WILL OPEN

INSTALLATION COMPLETED
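The first thing a security engineer does with a freshly installed server is get rid of the admin/admin credential. The script below is an added example (not code from the original post, nor SonarSource's own tooling) that uses three real SonarQube Web API endpoints, api/system/status, api/users/change_password and api/user_tokens/generate, to wait for the server to come up, replace the default admin password with a random one, and mint a user token that the scanner can use instead of a password. The server URL http://localhost:9000 and the token name sonar-scanner are assumptions; the post and get parameters exist so the HTTP layer can be swapped out when testing without a server.

```python
"""Harden a fresh SonarQube install: wait until the server reports UP,
replace the default admin/admin password, then mint an analysis token so
CI never needs the admin password.

Added example; not code from the original post. Assumes a server at
http://localhost:9000 (SonarQube's default port).
"""
import base64
import json
import os
import secrets
import urllib.error
import urllib.parse
import urllib.request

SONAR_URL = os.environ.get("SONAR_URL", "http://localhost:9000")  # assumption


def basic_auth_header(user, password):
    """HTTP Basic Authorization value; SonarQube accepts user:password or token:."""
    raw = f"{user}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def http_post(url, fields, auth):
    """POST form fields to the Web API and return the JSON body, or {} when
    the endpoint answers 204 No Content (change_password does). Real network call."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Authorization", basic_auth_header(*auth))
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def http_get(url, auth=None):
    """GET a Web API endpoint and return the parsed JSON body. Real network call."""
    req = urllib.request.Request(url)
    if auth:
        req.add_header("Authorization", basic_auth_header(*auth))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def server_is_up(base, get=http_get):
    """api/system/status answers {"status": "UP"} once SonarQube has finished starting."""
    try:
        return get(f"{base}/api/system/status").get("status") == "UP"
    except (urllib.error.URLError, OSError, ValueError):
        return False


def new_admin_password(nbytes=24):
    """24 random bytes, base64url-encoded: the replacement for admin/admin."""
    return secrets.token_urlsafe(nbytes)


def change_default_password(base, new_password, post=http_post):
    """Rotate admin/admin via POST api/users/change_password. SonarQube requires
    the previous password when a user changes their own password."""
    post(f"{base}/api/users/change_password",
         {"login": "admin", "previousPassword": "admin", "password": new_password},
         auth=("admin", "admin"))
    return ("admin", new_password)


def generate_token(base, auth, name, post=http_post):
    """Mint a user token with POST api/user_tokens/generate. The token value is
    shown exactly once; keep it in CI secrets, never in sonar-project.properties."""
    body = post(f"{base}/api/user_tokens/generate", {"name": name}, auth=auth)
    return body["token"]


def harden(base=SONAR_URL, post=http_post, get=http_get):
    """Full sequence: check the server, rotate the password, issue a scanner token."""
    if not server_is_up(base, get=get):
        raise RuntimeError(f"SonarQube at {base} is not UP yet")
    auth = change_default_password(base, new_admin_password(), post=post)
    token = generate_token(base, auth, "sonar-scanner", post=post)  # token name is an assumption
    return {"admin_password": auth[1], "scanner_token": token}


if __name__ == "__main__":
    result = harden()
    print("new admin password:", result["admin_password"])
    print("scanner token (pass to the scanner as sonar.login):", result["scanner_token"])
```

Run it once, right after the server reports that it is up, and store both values in a password manager or CI secret store. From then on the scanner authenticates with the token and the admin password is never typed into a build script.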

Project analysis on SonarQube

STEP-1

For analysis you need to download SonarScanner, the command-line client that analyzes a project and uploads the results to the server.

Go to https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/

STEP-2

Download the build for your operating system (I am using Windows 64-bit).

STEP-3

Extract the archive.

STEP-4

Create a project in Eclipse (or pick any existing project) to be used for the analysis.

STEP-5

Go to the SonarScanner conf folder, edit sonar-scanner.properties and set sonar.host.url to your server (http://localhost:9000). Then create a sonar-project.properties file in the root folder of your project containing at least sonar.projectKey (a unique identifier for the project on the server) and sonar.sources (the folder holding the code to analyze); without a project key the scanner refuses to run. Do not put the admin password in either file; pass a user token on the command line instead.

STEP-6

Open a Command Prompt, change into your project folder and run “sonar-scanner.bat” (add SonarScanner's bin folder to your PATH or call it with its full path). Authenticate with a token using -Dsonar.login=<your token> rather than with the admin credentials.

YOU WILL GET EXECUTION SUCCESS

STEP-7

Open http://localhost:9000 in your browser: the project now appears on the dashboard with its analysis results.

PROJECT ANALYSIS COMPLETE
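Putting the scanner steps together, the following is an added example (not code from the original post, nor SonarSource's own tooling) that renders a sonar-project.properties for the project, refuses to launch if credentials have been written into that file, and starts SonarScanner with the token read from an environment variable instead of admin/admin. The server URL http://localhost:9000, the project key demo, the SONAR_TOKEN variable name and the folder layout (src, test) are assumptions; the -Dsonar.host.url and -Dsonar.login properties are the scanner's own.

```python
"""Configure and launch a SonarScanner analysis without credentials on disk.

Added example; not code from the original post. Assumes SonarQube at
http://localhost:9000 and a user token in the SONAR_TOKEN environment variable
(generated in the SonarQube UI under My Account > Security).
"""
import os
import shutil
import subprocess
from pathlib import Path

# Properties that must never sit in a file committed with the project;
# they are passed on the command line or taken from the environment instead.
SECRET_KEYS = ("sonar.login", "sonar.password", "sonar.token")


def project_properties(key, name, sources="src", tests=None, exclusions=()):
    """Render sonar-project.properties. sonar.projectKey and sonar.sources are
    the mandatory entries; the rest are optional refinements."""
    lines = [
        f"sonar.projectKey={key}",
        f"sonar.projectName={name}",
        f"sonar.sources={sources}",
        "sonar.sourceEncoding=UTF-8",
    ]
    if tests:
        lines.append(f"sonar.tests={tests}")
    if exclusions:
        lines.append("sonar.exclusions=" + ",".join(exclusions))
    return "\n".join(lines) + "\n"


def leaked_secrets(properties_text):
    """Return the credential keys found in a properties file (comments ignored)."""
    found = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split("=", 1)[0].strip()
        if key in SECRET_KEYS:
            found.append(key)
    return found


def scanner_command(host_url, token, scanner="sonar-scanner"):
    """Build the argv for SonarScanner CLI. The token arrives as a -D property
    from the environment, so it never lands in the repository."""
    if not token:
        raise ValueError("SONAR_TOKEN is not set; refusing to fall back to admin/admin")
    exe = scanner + (".bat" if os.name == "nt" else "")  # Windows ships sonar-scanner.bat
    return [exe, f"-Dsonar.host.url={host_url}", f"-Dsonar.login={token}"]


def run_analysis(project_dir, host_url, token):
    """Pre-flight checks, then run the scanner in the project folder."""
    project_dir = Path(project_dir)
    props = project_dir / "sonar-project.properties"
    leaks = leaked_secrets(props.read_text(encoding="utf-8"))
    if leaks:
        raise RuntimeError(f"credentials committed in {props}: {leaks}")
    cmd = scanner_command(host_url, token)
    if shutil.which(cmd[0]) is None:
        raise FileNotFoundError(f"{cmd[0]} not on PATH; add SonarScanner's bin folder")
    return subprocess.run(cmd, cwd=project_dir, check=False).returncode


if __name__ == "__main__":
    here = Path(".")
    props = here / "sonar-project.properties"
    if not props.exists():  # write a starter file once; edit it afterwards as needed
        props.write_text(
            project_properties("demo", "Demo Project", "src",
                               tests="test", exclusions=("**/generated/**",)),
            encoding="utf-8",
        )
    rc = run_analysis(here,
                      os.environ.get("SONAR_URL", "http://localhost:9000"),
                      os.environ.get("SONAR_TOKEN"))
    raise SystemExit(rc)
```

Run it from the project root with SONAR_TOKEN set; the scanner prints EXECUTION SUCCESS when the upload completes, and the committed sonar-project.properties carries only the project description, never a login.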

