How to get full sonar analysis from local code

Are you a Java Developer like me? If so, I bet you are used to dealing with continuous integration and continuous delivery.

I wanted to write this small article because I was going through an annoying and unproductive situation.

Assumptions

This small article assumes:

Context

I was creating some new dummy Java project that in the close future would become a real project. I was doing that because before starting the real code I wanted to have my Jenkins pipelines read to go, and that was when my annoying situation started.

It is quite common that a Jenkins pipeline builds, runs tests, and passes the code through a code quality gate, in my case SONAR. I was having problems testing my pipeline because every time I ran the pipeline it broke during the code quality gate phase.

I thought I had a simple way to solve this, I found a plugin to connect my IDE to the sonar server, and then I ran the sonar analysis all over my code: after that, I fixed all things that I got from sonar reports.

To my surprise, after committing and pushing my code to the pipeline it failed again, at the same quality gate phase. So I opened the sonar and I got something like this image below.

As a developer, I DO NOT want to commit and push my code, run the pipeline and then grab the sonar analysis report. That takes too much time. I want to get a sonar full analysis before committing my changes.

How to run sonar with local code

The first thing needed is an access token. To get one token access the <SONAR_ADDRESS>/sonar/account/security/ and create one like shown on the image below.

I have created the TmpToken only for demonstration proposes, of course I already revoked it.

Once you have copied the token, I advise you to create an environment variable to store the token. From this point forward I will assume that the token you have resides in a variable called SONAR_TOKEN.

The second thing needed, is to prepare the arguments to pass on sonar.

To accomplish that create a file sonar-project.properties in the same directory of the pom.xml file with the content below.

sonar.projectKey=KEY_PROJECT_ON_SONAR
sonar.language=java
sonar.sourceEncoding=UTF-8
sonar.sources=src/main
sonar.java.binaries=target
sonar.java.sources=src/main/java
sonar.java.tests=src/test/java
# Exclusions
sonar.exclusions=**/target/**/*,**/webapp/**/*,**/entity/*
sonar.java.coveragePlugin=jacoco
sonar.dynamicAnalysis=reuseReports
sonar.surefire.reportsPath=target/surefire-reports
sonar.jacoco.reportPath=target/jacoco.exec

Transform the sonar-project.properties file in maven arguments using the instruction below.

grep -o '^[^#]*' sonar-project.properties | sed -e 's/^/-D/'

The result must be something like this:

-Dsonar.projectKey=KEY_PROJECT_ON_SONAR
-Dsonar.language=java
-Dsonar.sourceEncoding=UTF-8
-Dsonar.sources=src/main
-Dsonar.java.binaries=target
-Dsonar.java.sources=src/main/java
-Dsonar.java.tests=src/test/java
-Dsonar.exclusions=**/target/**/*,**/webapp/**/*,**/entity/*
-Dsonar.java.coveragePlugin=jacoco
-Dsonar.dynamicAnalysis=reuseReports
-Dsonar.surefire.reportsPath=target/surefire-reports
-Dsonar.jacoco.reportPath=target/jacoco.exec

All arguments can be check here: https://docs.sonarqube.org/latest/analysis/analysis-parameters/

Keep in mind that you may need consider all arguments for a specific version.

For instance, https://docs.sonarqube.org/7.9/analysis/analysis-parameters/

Now, let’s combine it all together.

The command below will use maven clean, compile, test, and run sonar analysis of the code.

mvn clean test org.sonarsource.scanner.maven:sonar-maven-plugin:sonar $(grep -o '^[^#]*' sonar-project.properties | sed -e 's/^/-D/' | tr '\n' ' ')
-Dsonar.branch.name=locacode -Dsonar.host.url=<SONNAR_ADDRESS>/sonar -Dsonar.login=${SONAR_TOKEN}

Once it is finished, will be possible to notice a URL to get a sonar report.

Access the URL and check the code sonar report from the local code. The result will be something like the image below.

From now on, you do not need to run a Jenkins pipeline to know if the code you have will pass or not on the quality gate process.