Ensure quality of your Node application with SonarQube
SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages. [Wikipedia]
SonarQube platform consists of two main components, Sonar Scanner which scans your code and generate the report and SonarQube Server which provide a graphical interface to view and review your code and results of Sonar Scanner. These two components work in collaboration to succeed in their tasks.
In this article I am going to explain,
- How to setup a SonarQube server on your localhost
- How to setup Sonar Scanner
- How to configure a Node application for Sonar integration
Please note that first two topics will be specific to a *nix development environment where as the third topic will be common to any operating system.
1. Setup SonarQube Server
First you should download and setup SonarQube server application before you start working with Sonar Scanner.
You can download the latest version or a previous version of free and open source Community Edition from https://www.sonarqube.org/downloads/ . Note that the latest version, 7.9 (at September 2019) requires Oracle JRE/JDK 11 or OpenJDK 11. You can download SonarQube server 7.8 if you are using Oracle JDK 8 or OpenJDK 8 and don’t need to cope with the hassle of maintaining two environments. The steps I’ll mention will be common to both SonarQube versions 7.8 and 7.9.
Once server application is downloaded, unzip the files to anywhere you like. In my development environment I have placed SonarQube server in /opt/sonarqube/ .
Sonar server must be run as a non root user in a Unix environment as recommended by SonarSource themselves. You can create a new user for running sonar by following the below mentioned steps.
# create a user group for sonar users
sudo groupadd sonar# create user named sonar without sign in options
sudo useradd -c "Sonar System User" -d /opt/sonarqube -g sonar -s /bin/bash sonar -M# change ownership of SonarQube application file to sonar user
sudo chown -R sonar:sonar /opt/sonarqube# activate sonar user by setting a password to it
sudo passwd sonar
To tell SonarQube Server to run as the newly created “sonar” user you should edit sonar.sh file located in “sonarqube/bin/*[os]*/” (“/opt/sonarqube/bin/linux-x86–64/” in my case) directory. Find the line that says “RUN_AS_USER” and uncomment it by removing the pound sign in front of it. Enter the new username “sonar” as its value as follows.
RUN_AS_USER=sonarNOTE : SonarQube uses an in-memory database to hold your scan results by default. But you can setup a database and configure SonarQube to store scan results for persistent scan results recording. As this process is out of the scope of this article I will not describe the process in here but you can definitely find a good tutorial on internet on how to do it.
Now you can start the SonarQube server by executing sonar.sh file as follows.
cd /opt/sonarqube/bin/*[os]*/
./sonar.sh console #Enter the sonar user password once prompted.Optional : The server starts in port localhost:9000 by default. But you can change the port number if port 9000 is in use. Open the file “sonarqube/conf/sonar.properties” file and search for the line “sonar.web.port”.
sudo gedit /opt/sonarqube/conf/sonar.propertiesTo change web port of SonarQube server uncomment that line change the port number to any 4 digits number of your choosing as follows.
sonar.web.port=90022. Setup Sonar Scanner
Sonar scanner is needed to scan your code at the source code directory. You can download the latest version of Sonar Scanner from https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/ . Choose your operating system at the top of the page to start downloading.
You can unzip this application too to any location you like. I have placed the scanner in “/opt/sonar-scanner” in my development environment.
Before starting scanning code you should have started the SonarQube server in your localhost. You should configure Sonar Scanner if you have changed the default port of SonarQube server. Open the file “sonar-scanner/conf/sonar-scanner.properties”.
sudo gedit /opt/sonar-scanner/conf/sonar-scanner.propertiesLocate the line “sonar.host.url=http://localhost:9000” and uncomment and change the port number at the end of the URL address to the port number you set for the SonarQube server.
You must add “sonar-scanner/bin” to the PATH variable to be able to be run from your source code directory. You can simply achieve this by adding the following line to “.bashrc” file located in your $HOME directory.
export PATH=$PATH:/opt/sonar-scanner/binAfter entering the above line, source “.bashrc” file to changes to take effect by running following command in terminal.
source ~/.bashrcNote : If you cannot find the file “.bashrc” try “ls -la” in terminal in $HOME directory. Files which are with names starting with . (dot) is hidden by default in Linux based operating systems.
3. Configure a Node application for Sonar integration
You should add a configure file named “sonar-project.properties” to the root of your source code directory to project be able to be scanned by Sonar Scanner. Therefore create a file named as sonar-project.properties file in the root of your source code directory and add the following lines to it.
sonar.projectKey=application_name
sonar.projectName=Application Name
sonar.projectVersion=1.0sonar.language=jssonar.sources=src
sonar.sourceEncoding=UTF-8sonar.exclusions=src/**/*.spec.js
sonar.test.inclusions=src/**/*.spec.js
sonar.coverage.exclusions=src/**/*.spec.js,src/**/*.mock.js,node_modules/*,coverage/lcov-report/*sonar.javascript.lcov.reportPaths=coverage/lcov.info
sonar.testExecutionReportPaths=test-report.xml
- projectKey : Unique string which enables SonarQube to identify the application
- projectName : Name of the application
- projectVersion : Version of the application
- language : The language the application is written in. If your Node project is written in Typescript use ‘ts’ instead of js
- sources : Directories that the source code is included in. You can remove this line if your code is in the root directory
- sourceEncoding : Encoding type of source code text
- exclusions : SonarQube will not scan the files with paths that matches the pattern provided here for code quality. I have included my test files here
- test.inclusions : Pattern of paths of test files
- coverage.exclusions : SonarQube will not consider files with paths that matches patterns provided here when calculating test coverage. You should include your test, mock and configuration files and test coverage reports here
- javascript.lcov.reportPaths : Path to coverage report in lcov format generated by your test coverage generator (ex : Istanbul, Jest Coverage). You should set sonar.typescript.lcov.reportPaths instead if you are using Typescript for your project.
- testExecutionReportPaths : Path to the test report file. Note that SonarQube expect test report to be in a specific format. You should use a third party library (ex : mocha-sonar-reporter for Mocha) if your test framework does not naively support SonarQube. (These option is not essential to generate test coverage reports in SonarQube)
Scan Your Code
- Check whether SonarQube Server is running and start the server if not.
cd /opt/sonarqube/bin/*[os]* #navigate to the directory
./sonar.sh status #check status of SonarQube server
./sinar.sh console #start SonarQube server if not started 2. Now you can navigate your root of source code directory where you created “sonar-project.properties” file and enter sonar-scanner in the terminal. Sonar Scanner will scan your code and generate a link to the report.
Conclusion
Before start using SonarQube you should setup SonarQube server and Sonar Scanner and create a configuration file with data required for Sonar Scanner to successfully scan your code.
You should consider adding .scannerwork folder to .gitignore as these files are not required to be added to Git and will be generated automatically.
