Phpstorm Sonarqube

Posted: admin on 1/3/2022

The SonarScanner is the scanner to use when there is no specific scanner for your build system.

SonarQube empowers all developers to write cleaner and safer code. Join an Open Community of more than 200k dev teams. SonarLint is YOUR Code Quality & Code Security tool. SonarQube is YOUR TEAM’s Code Quality & Code Security tool. You and your team align to collectively own code quality and accelerate delivery. Imagine everyone on your team being on the same code quality page!

Configuring your project

Create a configuration file called sonar-project.properties in your project's root directory.

Running SonarScanner from the zip file

To run SonarScanner from the zip file, follow these steps:

  1. Expand the downloaded file into the directory of your choice. We'll refer to it as $install_directory in the next steps.
  2. Update the global settings to point to your SonarQube server by editing $install_directory/conf/sonar-scanner.properties:

  3. Add the $install_directory/bin directory to your path.
  4. Verify your installation by opening a new shell and executing the command sonar-scanner -h (sonar-scanner.bat -h on Windows). You should get output like this:

    If you need more debug information, you can add one of the following to your command line: -X, --verbose, or -Dsonar.verbose=true.

  5. Run the following command from the project base directory to launch analysis and pass your authentication token:
    sonar-scanner -Dsonar.login=myAuthenticationToken

Running SonarScanner from the Docker image

To scan using the SonarScanner Docker image, use the following command:

Scanning C, C++, or ObjectiveC Projects

Scanning projects that contain C, C++, or ObjectiveC code requires some additional analysis steps. You can find full details on the C/C++/Objective-C language page.

Sample Projects

To help you get started, simple project samples are available for most languages on GitHub. They can be browsed or downloaded. You'll find them filed under sonarqube-scanner/src.

Alternatives to sonar-project.properties

If a sonar-project.properties file cannot be created in the root directory of the project, there are several alternatives:

  • The properties can be specified directly through the command line. Ex:

  • The property project.settings can be used to specify the path to the project configuration file (this option is incompatible with the sonar.projectBaseDir property). Ex:

  • The root folder of the project to analyze can be set through the sonar.projectBaseDir property since SonarScanner 2.4. This folder must contain a sonar-project.properties file if sonar.projectKey is not specified on the command line. Additional analysis parameters can be defined in this project configuration file or through command-line parameters.

Alternate Analysis Directory

If the files to be analyzed are not in the directory where the analysis starts from, use the sonar.projectBaseDir property to move the analysis to a different directory. For example, the analysis begins from jenkins/jobs/myjob/workspace but the files to be analyzed are in ftpdrop/cobol/project1. This is configured in sonar-project.properties as follows:
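The following Python script is an added example, not SonarSource code: it models the property-resolution rules described above (a sonar-project.properties file in the base directory, or the file named by project.settings, with -D command-line properties overriding the file, and the project.settings/sonar.projectBaseDir conflict) over a constructed in-memory set of files. It also flags credentials such as sonar.login that were written into the properties file instead of being passed on the command line as in step 5 above; the file paths, project keys and token value are all constructed placeholders.

```python
import posixpath
import re

# Keys that carry credentials: pass them with -D (from a CI secret), never commit them in a file.
CREDENTIAL_KEYS = {"sonar.login", "sonar.password", "sonar.token"}
# Constructed sample file system (path -> contents); the token value is a placeholder, not a real one.
SAMPLE_FILES = {
    "/work/sonar-project.properties": (
        "# must be unique in a given SonarQube instance\n"
        "sonar.projectKey=my:project\n"
        "sonar.sources=.\n"
        "sonar.login=PLACEHOLDER_TOKEN_COMMITTED_BY_MISTAKE\n"
    ),
    "/work/ftpdrop/cobol/project1/sonar-project.properties": "sonar.projectKey=cobol:project1\nsonar.sources=src\n",
    "/work/conf/alt.properties": "sonar.projectKey=alt:project\nsonar.sources=lib\n",
}

def parse_properties(text):
    """Parse Java .properties text: key=value or key:value; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) > 1 else ""
    return props

def parse_cli_props(args):
    """Collect -Dkey=value options from a sonar-scanner command line."""
    return dict(arg[2:].split("=", 1) for arg in args if arg.startswith("-D") and "=" in arg)

def resolve_config(files, cwd, args):
    """Return (effective properties, list of problems) for one sonar-scanner invocation."""
    cli = parse_cli_props(args)
    problems = []
    if "project.settings" in cli and "sonar.projectBaseDir" in cli:
        problems.append("project.settings is incompatible with sonar.projectBaseDir")
    base_dir = posixpath.normpath(posixpath.join(cwd, cli.get("sonar.projectBaseDir", ".")))
    settings = cli.get("project.settings", posixpath.join(base_dir, "sonar-project.properties"))
    settings = posixpath.normpath(posixpath.join(cwd, settings))  # relative paths resolve against cwd
    file_props = parse_properties(files.get(settings, ""))
    merged = {**file_props, **cli}  # command-line -D properties override the file
    if "sonar.projectKey" not in merged:
        problems.append("sonar.projectKey missing: set it with -D or in " + settings)
    for key in sorted(file_props.keys() & CREDENTIAL_KEYS):
        problems.append("credential %s is stored in %s; pass it on the command line instead" % (key, settings))
    merged["sonar.projectBaseDir"] = base_dir
    return merged, problems
```

Calling resolve_config(SAMPLE_FILES, "/work", ["-Dsonar.login=TOKEN_FROM_CI_SECRET"]) returns the merged properties with the command-line token winning, plus a problem entry reporting the token that was committed in the file.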

You can configure more parameters. See Analysis Parameters for details.

Advanced Docker Configuration

The following sections offer advanced configuration options when running the SonarScanner with Docker.

Running as a non-root user

You can run the Docker image as a non-root user using the --user option. For example, to run as the current user:

When running the container as a non-root user you have to make sure the user has read and write access to the directories you are mounting (like your source code or scanner cache directory), otherwise you may encounter permission-related problems.

Caching scanner files

To prevent SonarScanner from re-downloading language analyzers each time you run a scan, you can mount a directory where the scanner stores the downloads so that the downloads are reused between scanner runs. On some CI systems, you also need to add this directory to your CI cache configuration.

The following command will store and use cache between runs:

You can also change the location of where the scanner puts the downloads with the SONAR_USER_HOME environment variable.

Using self-signed certificates

If you need to configure a self-signed certificate for the scanner to communicate with your SonarQube instance, we recommend using the OpenJDK provided with the sonarsource/sonar-scanner-cli image. To do this, follow these steps:

  1. Extract the cacerts file from OpenJDK from the sonarsource/sonar-scanner-cli image:
  2. Add your certificate to the exported cacerts file. Assuming your certificate file is named mycert.cer and it's in your current local directory:
  3. Mount the cacerts file that you've prepared in your target container:

Alternatively, you can create your own container that includes the modified cacerts file. Create a Dockerfile with the following contents:

Then, assuming both the cacerts and Dockerfile are in the current directory, create the new image with a command such as:

Troubleshooting

Java heap space error or java.lang.OutOfMemoryError
Increase the memory via the SONAR_SCANNER_OPTS environment variable when running the scanner from a zip file:

In Windows environments, avoid the double-quotes, since they get misinterpreted and combine the two parameters into a single one.

Unsupported major.minor version
Upgrade the version of Java being used for analysis or use one of the native packages (which embed their own Java runtime).

Property missing: `sonar.cs.analyzer.projectOutPaths'. No protobuf files will be loaded for this project.
The Scanner CLI is not able to analyze .NET projects. Please use the SonarScanner for .NET instead. If you are already running the SonarScanner for .NET, ensure that you are not hitting a known limitation.

Welcome to the SonarQube documentation!

SonarQube® is an automatic code review tool to detect bugs, vulnerabilities, and code smells in your code. It can integrate with your existing workflow to enable continuous code inspection across your project branches and pull requests.

If you want to try out SonarQube, check out the Try out SonarQube page for instructions on installing a local instance and analyzing a project.

If you're ready to set up a production instance, check out the Install the Server documentation.

Otherwise, you can also find an overview and common scenarios below or navigate through and search the full documentation in the left pane.

Overview

In a typical development process:

  1. Developers develop and merge code in an IDE (preferably using SonarLint to receive immediate feedback in the editor) and check their code in to their ALM.
  2. An organization’s continuous integration (CI) tool checks out, builds, and runs unit tests, and an integrated SonarQube scanner analyzes the results.
  3. The scanner posts the results to the SonarQube server which provides feedback to developers through the SonarQube interface, email, in-IDE notifications (through SonarLint), and decoration on pull or merge requests (when using Developer Edition and above).

Installing, monitoring, and upgrading

See the installing and upgrading pages for setting up your production instance.

When your instance is up and running, see the Monitoring documentation for information on keeping your instance running smoothly.

If you're using SonarQube Data Center Edition, see the Configure & Operate a Cluster documentation for more information on running your instance as a cluster.

Setting up analysis

Analyzing your code starts with installing and configuring a SonarQube scanner. The scanner can either run on your build or as part of your continuous integration (CI) pipeline performing a scan whenever your build process is triggered. For more information, see Analyzing Source Code.

Analyzing branches

Starting in Developer Edition, you can analyze your branches in SonarQube, and ensure that your code quality is consistent all the way down to the branch level in your projects. For more information, see Branch Analysis.

Analyzing pull requests

Starting in Developer Edition, you can integrate SonarQube to be part of your pull or merge request process. Issuing a pull request can trigger a branch analysis and add pull request decoration to see your branch analysis directly in your ALM's interface in addition to the SonarQube interface. For more information, see the Pull Request Analysis Overview.

Writing Clean and Safe Code

SonarQube gives you the tools you need to write clean and safe code:

  • SonarLint – SonarLint is a companion product that works in your editor giving immediate feedback so you can catch and fix issues before they get to the repository.
  • Quality Gate – The Quality Gate lets you know if your project is ready for production.
  • Clean as You Code – Clean as You Code is an approach to code quality that eliminates a lot of the challenges that come with traditional approaches. As a developer, you focus on maintaining high standards and taking responsibility specifically in the New Code you're working on.
  • Issues – SonarQube raises issues whenever a piece of your code breaks a coding rule, whether it's an error that will break your code (bug), a point in your code open to attack (vulnerability), or a maintainability issue (code smell).
  • Security Hotspots – SonarQube highlights security-sensitive pieces of code that need to be reviewed. Upon review, you'll either find there is no threat or you need to apply a fix to secure the code.

Administering a Project

If you have the Create Projects permission (a global administrator can set permissions at Administration > Security > Global Permissions), you can create and administer projects. See Project Settings for general information on setting up projects.

A project is automatically added on the first analysis. However, you can provision projects (set up permissions, Quality Profiles, etc.) before running the first analysis. See Project Existence for more information on provisioning a project and handling provisioned projects.

You also want to make sure SonarQube's results are relevant. To do this, narrow the focus (see Narrowing the Focus) by configuring what to analyze for each project.

You can also set up Webhooks to notify external services when a project analysis is complete.

Administering an Instance

If you're a global administrator, you can set up authentication, administrator access, and authorization. See Security for more information.

You can also set up email notifications, sent at the end of each analysis, that developers can subscribe to.

When you run new analyses on your projects, some data is cleaned out of the database to save space and improve performance. See Housekeeping for information on what data is cleaned and how to change these settings.

Starting in Enterprise Edition, you can set up Portfolios to get a high-level overview on the releasability of a group of projects.

Staying Connected

Use the following links to get help and keep up with SonarQube: