How to use the SonarQube Maven Plugin for continuous inspection

Source – theserverside.com

In the previous SonarQube tutorial we demonstrated just how easy it is to configure and install the popular continuous inspection tool. In this tutorial, we demonstrate how easy it is to use the SonarQube Maven Plugin and perform quality analysis routines on existing Java projects.

SonarQube Maven example

When you first install SonarQube, a window appears to ask if the user’s preferred DevOps build tool is Gradle or Maven. If you choose the SonarQube Maven Plugin, a script is provided for use during builds. For a default SonarQube installation that runs on the local machine, the script for invoking the SonarQube Maven Plugin is as follows:

mvn sonar:sonar -Dsonar.host.url=http://localhost:9000

Page formatting may break the command across multiple lines, but when you run it during the build it must be entered as a single line with no carriage returns.

Of course, in order to use the SonarQube Maven Plugin, you must have Maven installed and a Maven-based Java project available to build. I maintain a number of Maven projects on my GitHub site, so feel free to use this command to clone my rock-paper-scissors Git repo to use for this SonarQube Maven Plugin example:

C:\sonarqube maven> git clone https://github.com/cameronmcnz/rock-paper-scissors.git

C:\sonarqube maven> cd r*

C:\sonarqube maven\rock-paper-scissors> dir pom.*

pom.xml

SonarQube Maven Plugin invocation

The above commands will clone the remote GitHub repository, change into the root directory of the rock-paper-scissors project, and list all the files that start with pom. As you can see from the output of the dir pom.* command above, a single pom.xml file exists, which is the file that defines every Maven project. You must trigger the SonarQube Maven Plugin from a directory that includes a pom.xml file.

C:\sonarqube maven\rock-paper-scissors> mvn sonar:sonar -Dsonar.host.url=http://localhost:9000
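
The following wrapper is an added example, not part of the original tutorial. It checks the conditions described above (a pom.xml in the working directory, a single-line command with no carriage returns) before it runs the same mvn sonar:sonar command. The function names and the rule that only a local server may use plain http are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Function names and the
# https-unless-local policy are assumptions of this example.

# Join a pasted command or value into one line: drop carriage returns, turn
# newlines into spaces, squeeze repeated blanks, trim both ends.
normalize_cmd() {
    printf '%s' "$1" | tr -d '\r' | tr '\n' ' ' | tr -s ' ' | sed 's/^ //; s/ $//'
}

# Succeed only when directory $1 holds the pom.xml the plugin needs.
has_pom() {
    [ -f "${1:-.}/pom.xml" ]
}

# Allow plain http only for a server on the local machine; a remote server
# must use https because the analysis is sent to that URL.
check_host_url() {
    case "$1" in
        *@*|*" "*) return 1 ;;   # userinfo or blanks can disguise the real host
        https://?*) return 0 ;;
        http://localhost|http://localhost[:/]*) return 0 ;;
        http://127.0.0.1|http://127.0.0.1[:/]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the page's command from project directory $1 against server $2.
run_sonar() {
    dir=${1:-.}
    url=$(normalize_cmd "${2:-http://localhost:9000}")
    has_pom "$dir" || { echo "no pom.xml in $dir" >&2; return 2; }
    check_host_url "$url" || { echo "refusing host URL: $url" >&2; return 3; }
    log=$(mktemp) || return 4
    rc=0
    (cd "$dir" && mvn sonar:sonar "-Dsonar.host.url=$url") >"$log" 2>&1 || rc=$?
    # The tutorial says a finished analysis ends with a "Build Success" message.
    if [ "$rc" -eq 0 ] && grep -qi 'BUILD SUCCESS' "$log"; then
        rm -f "$log"
        return 0
    fi
    echo "analysis failed (exit $rc), see $log" >&2
    return 1
}
```

Call run_sonar with the project directory, for example run_sonar rock-paper-scissors; with no second argument it uses the tutorial's http://localhost:9000.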

SonarQube Maven Plugin build
Here’s an example of the SonarQube Maven Plugin generating code quality metrics from a Bash shell.

SonarQube metrics analysis

The process of running the SonarQube scanner and performing a code quality inspection of the application will run for a few minutes and conclude with a friendly “Build Success” message. At that point, you can log into SonarQube and view the results. In the case of the rock-paper-scissors application, the SonarQube Maven Plugin gave it a passing grade, although it did indicate the project had 14 code smells.

SonarQube analysis
SonarQube grades the Maven-based Java project.

When we further inspect the code smells identified by the Maven SonarQube Plugin, we can see that none were blockers, although three were critical and five were major.

SonarQube results
Don’t forget to analyze the SonarQube Maven Plugin results.

Simple SonarQube Maven integration

And that’s it. That’s all there is to incorporating the SonarQube Maven Plugin into your builds and generating a thorough report of how well or how poorly your applications do when compared against the seven axes of software quality.
