As a Quality Engineer, I am typically involved in building automated tests. These tests are used to ensure that future code changes don't break existing functionality, and can include integration, API, and end-to-end testing. All of these tests are run after code has been written and will execute the code to verify it conforms to the functional requirements being validated.

These tests are all considered "dynamic tests", as they are executed against the running application.

Static code analysis is another tool you can use to ensure the quality of your code. It differs from dynamic testing in that the analysis is done against your source code, without the application executing.

What can static code analysis do?

Static code analysis evaluates your source code statically, without running it. Some areas it can address include:

  • identifying overly complicated code
  • finding security issues
  • enforcing best practices
  • identifying maintainability issues
  • providing test coverage metrics
  • enforcing a common, team-wide ruleset for each language
  • integrating into your build pipeline
  • and more!

Static code analysis, courtesy of your IDE

Most modern IDEs have a mechanism to allow for static code analysis. If you don't use it now, take some time to find out how your IDE supports static analysis. If you haven't run it in the past, you are very likely to find some interesting results.

SonarLint

In addition to the static code analysis that may be baked into your IDE, there are third-party linting plugins such as SonarLint that allow you to analyze your code right in the IDE.

Let's take a look at a quick example. For my environment I am using IntelliJ IDEA, and I have the SonarLint plugin installed.

I have the following Java method:

    public int add(int my_FIRST_var, int my_SECOND_var) {
        System.out.print ("adding");
        return my_FIRST_var + my_SECOND_var;
    }

Now if I look at this method in my IDE, I see some things highlighted:

[screenshot: the method with SonarLint highlights in the IDE]

The first thing I see highlighted is the variable my_FIRST_var. If I hover my_FIRST_var I get a SonarLint popup that shows me the issue.

[screenshot: SonarLint popup describing the issue]

I can click the link for more detail and get a full explanation for this issue:

[screenshot: full SonarLint rule explanation]

Of course, this is a contrived example, but I hope you get a taste of the advantages of using SonarLint within your IDE. Issues are going to be visible immediately, which is the best time to fix them. You can save your reviewers valuable time by finding and fixing issues immediately.

Static code analysis with SonarQube

In addition to IDE-based SonarLint, SonarQube allows you to perform robust static analysis and gating as part of the CI/CD pipeline.

SonarQube has 4 basic architectural components:

  • the web server which serves the user interface
  • the database, used to store historical metrics for all code scans
  • the compute engine that performs code scans and saves metrics to the database
  • a search engine based on ElasticSearch to support user searches

SonarQube will typically be installed in a central environment, but you can also run it right on your machine. To get started you need an instance of SonarQube running on your machine. The quickest way to make that happen is through the magic of Docker:

    docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest

You can then browse to localhost:9000 and you should see something like this:

[screenshot: the SonarQube start page, with no projects scanned yet]

We haven't run a scan yet, so we don't see any useful data. I can build, test, and lint my solution from the command line with a simple command such as:

    mvn sonar:sonar -Dsonar.login=myAuthenticationToken

Once that process completes I can see the results in SonarQube:

[screenshot: SonarQube project Overview page showing a failed quality gate]

Well, I see some green, but I also see some red. It appears the code did not pass the quality gate. The UI will provide plenty of additional detail for troubleshooting, but our main issue is clear right on the Overview page: the test coverage is only 75%, and it needs to be 80% to pass the gate validation.

Once we get this analysis set up in our build pipeline, problems like this will need to be addressed before code can get merged and deployed.
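As an added example (not code from the post or from SonarQube), here is one way a pipeline step could enforce the gate described above: it reads the quality-gate status that SonarQube exposes over its Web API and fails the job when the gate is not met. The endpoint path and the response shape are assumptions, and the response below is a constructed sample mirroring the 75% vs 80% coverage case from the screenshot.

```python
import json

# Constructed sample, shaped like the reply I would expect from
# GET /api/qualitygates/project_status?projectKey=<key> (an assumption about
# that endpoint). Numbers mirror the post: 75% coverage against an 80% gate.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "75.0"},
            {"status": "OK", "metricKey": "new_bugs",
             "comparator": "GT", "errorThreshold": "0", "actualValue": "0"},
        ],
    }
})


def evaluate_gate(response_text):
    """Return (passed, failures) for a project_status payload.

    failures lists one human-readable line per failed condition, so the CI
    log says exactly why the gate failed before the job exits non-zero.
    """
    payload = json.loads(response_text)
    status = payload.get("projectStatus")
    if not isinstance(status, dict):
        # Fail closed: an unexpected payload must never count as a pass.
        return False, ["malformed response: no projectStatus object"]
    failures = []
    for cond in status.get("conditions", []):
        if cond.get("status") == "ERROR":
            failures.append(
                f"{cond.get('metricKey')}: actual {cond.get('actualValue')}, "
                f"threshold {cond.get('errorThreshold')} "
                f"(comparator {cond.get('comparator')})"
            )
    # Require both the overall status and every condition to be clean.
    passed = status.get("status") == "OK" and not failures
    return passed, failures


if __name__ == "__main__":
    ok, why = evaluate_gate(SAMPLE_RESPONSE)
    print("quality gate:", "PASSED" if ok else "FAILED")
    for line in why:
        print("  -", line)
    raise SystemExit(0 if ok else 1)
```

In a real pipeline the payload would come from an authenticated request to the SonarQube server instead of the embedded sample, and the non-zero exit is what blocks the merge.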

Bonus feature

One feature of SonarQube that I really like is the robust detail that is provided with each recommendation. Want to find out why it might not be a great idea to use standard output directly for logging? SonarQube will tell you. You can fix your code and learn something at the same time. What could be better?

Wrap up

So there you go, a little introduction to static code analysis, and some details about getting SonarLint and SonarQube set up on your workstation. If you're not using static code analysis, go ahead and install the SonarLint plugin and see what you can find. You'll likely find some issues to fix. You can also set up SonarQube locally and learn about best practices in a number of areas.

For my next post I'm going to focus more on SonarQube. I'll start with some .NET code in need of assistance. From there we'll look at how to include SonarQube in a CI/CD pipeline, and leverage a cloud-based SonarQube instance to execute our scans and store scan metrics.

See you soon!
