Application quality is important in any development environment. It becomes even more important if you practice agile development methods: frequent requirement changes lead to frequent code changes, and that rapid rate of change means the quality of the code itself needs to be monitored continuously.
SonarQube is a continuous inspection application that helps us automate code inspection. It is a free and open source application developed and maintained by SonarSource; it was previously named simply Sonar.
SonarQube analyzes source code files and related binaries, calculates a set of metrics and shows the results on a web-based dashboard.
The metrics SonarQube uses are called the Developers' Seven Deadly Sins, also known as the Seven Axes of Quality. We'll learn more about these later.
Many code analysis tools focus on a specific programming language and their own code quality metrics. ReSharper and FxCop, for example, can only analyze C#; FindBugs and PMD only analyze Java. The metrics these tools use also differ from one another. SonarQube overcomes this by defining a standard set of metrics that can be applied to source code in any language, in a single interface.
Who Can Benefit From Sonarqube?
Developers. Using SonarQube improves both the code quality and the coding skills of a developer. Since coding standards and other best practices are checked by SonarQube, developers will make sure they don't violate them.
Technical Management. Engineering leads or managers can track code changes and see the skills of their team. They can assess who is already good and who still needs training.
Non-technical Management. Non-engineering management can also benefit from SonarQube, since it shows the technical debt that a product or a team currently has.
Seven Axes of Quality
These are the seven axes of quality that good application source code should have.
We will need the following items for this tutorial:
A fresh install of Ubuntu Server 14.04
A server with 4 GB of RAM. SonarQube needs 2 GB of RAM to run and 1 GB for the OS. In this tutorial we'll configure SonarQube to use 1 GB of RAM and Elasticsearch also 1 GB of RAM for its heap size.
In this tutorial we'll learn how to install SonarQube on Ubuntu 14.04. We will use MySQL 5.6 for the database and Nginx as a reverse proxy.
Update Base System
We assume that the system being used to install SonarQube is new and dedicated to SonarQube.
Before we install anything on our system, let's bring the base system up to date by running the commands below.
$ sudo apt-get update
$ sudo apt-get -y upgrade
Install JDK 8
SonarQube is a Java application. We will install JDK 8 from the webupd8team PPA repository.
Add the webupd8team PPA repository:
$ sudo add-apt-repository ppa:webupd8team/java
Oracle Java (JDK) Installer (automatically downloads and installs Oracle JDK7 / JDK8 / JDK9). There are no actual Java files in this PPA.
More info (and Ubuntu installation instructions):
- for Oracle Java 7: http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html
- for Oracle Java 8: http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html
Important!!! For now, you should continue to use Java 8 because Oracle Java 9 is available as an early access release (it should be released in 2016)! You should only use Oracle Java 9 if you explicitly need it, because it may contain bugs and it might not include the latest security patches! Also, some Java options were removed in JDK9, so you may encounter issues with various Java apps. More information and installation instructions (Ubuntu / Linux Mint / Debian): http://www.webupd8.org/2015/02/install-oracle-java-9-in-ubuntu-linux.html
More info: https://launchpad.net/~webupd8team/+archive/ubuntu/java
Press [ENTER] to continue or ctrl-c to cancel adding it
gpg: keyring `/tmp/tmpaz5gxp9d/secring.gpg' created
gpg: keyring `/tmp/tmpaz5gxp9d/pubring.gpg' created
gpg: requesting key EEA14886 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmpaz5gxp9d/trustdb.gpg: trustdb created
gpg: key EEA14886: public key "Launchpad VLC" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
We will secure the MySQL installation by running mysql_secure_installation.
Enter the root password that we set during installation:
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Since we already have a root password set, answer this part with n.
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.
You already have a root password set, so you can safely answer 'n'.
Change the root password? [Y/n] n
Remove the anonymous user to improve security. This makes sure that people or applications need a valid username and password to log in to MySQL. Answer with Y.
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
Remove anonymous users? [Y/n] Y
We also want to disallow root login from remote machines. Answer with Y.
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
Previously the test database was created automatically by the MySQL installation, but MySQL 5.6 does not create a test database. We can still choose Y; it will throw an error, but that's fine.
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
- Dropping test database...
ERROR 1008 (HY000) at line 1: Can't drop database 'test'; database doesn't exist
... Failed! Not critical, keep moving...
- Removing privileges on test database...
The last step is to reload the MySQL privilege tables.
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!
Create a Database for Sonarqube
Now that we have a secure MySQL installation, it's time to create a database and a user for SonarQube itself.
Log in to MySQL using the root credentials:
$ mysql -u root -p
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 58
Server version: 5.6.30-0ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Create a new database named sonarqube using the command below.
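The database and application account for SonarQube, as an added example rather than the tutorial's own command: the database name sonarqube comes from the tutorial, while the user name sonarqube and the placeholder password are assumptions.

```sql
-- Added example (not the tutorial's own command). Run as the MySQL root user,
-- e.g. from the mysql prompt opened above, or: mysql -u root -p < sonarqube.sql
-- The database name "sonarqube" is from the tutorial; the account name and
-- password below are assumptions. Replace the placeholder with a strong,
-- unique password and never reuse the MySQL root password.

-- SonarQube requires a UTF-8 schema.
CREATE DATABASE sonarqube CHARACTER SET utf8 COLLATE utf8_general_ci;

-- Dedicated application account restricted to connections from the local host,
-- which is where SonarQube runs in this tutorial. No '%' host, so the account
-- cannot be used over the network even if the password leaks.
CREATE USER 'sonarqube'@'localhost' IDENTIFIED BY 'CHANGE-ME-strong-password';

-- Least privilege: full rights on the application's own schema only, because
-- SonarQube runs its own schema migrations (CREATE/ALTER TABLE) on startup.
-- Nothing is granted on mysql.* or on any other database.
GRANT ALL PRIVILEGES ON sonarqube.* TO 'sonarqube'@'localhost';
FLUSH PRIVILEGES;

-- Verification: the output should show only USAGE on *.* (the "can log in"
-- marker) plus ALL PRIVILEGES on `sonarqube`.*. Anything broader is a mistake.
SHOW GRANTS FOR 'sonarqube'@'localhost';
```

The same user name and password must later be placed in SonarQube's JDBC settings; keep the file containing them readable only by root and the service account.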
Next we'll learn how to configure Nginx to serve as an HTTP-only proxy and as an HTTPS-only proxy.
The configuration directory structure created by the nginx package from the nginx.org repository is a little different from that of the Nginx package in the Ubuntu repository. We will restructure the Nginx configuration directory to make it easier to enable and disable site configurations.
Create two new directories named sites-available and sites-enabled with the commands below:
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
Now that SonarQube is ready, we can start it using the command below:
$ sudo service sonar start
To check the SonarQube service status we can use the command below:
$ sudo service sonar status
SonarQube is running (3730).
The output above shows that SonarQube is running. Note that the embedded web server listens on all interfaces (the log below reports http-nio-0.0.0.0-9000), so unless sonar.web.host in conf/sonar.properties is set to 127.0.0.1 or port 9000 is blocked by a firewall, clients can reach SonarQube directly and bypass the Nginx reverse proxy.
The first startup might take some time to finish, mainly to perform the database migration (creating the database schema and populating data) and to generate a SecureRandom instance for session IDs.
You can monitor the startup process by looking at the contents of /opt/sonar/logs/sonar.log. The output will be similar to the output below. I truncated the output to show the most important part, up to the point where the process is started.
--> Wrapper Started as Daemon
Launching a JVM...
Wrapper (Version 3.2.3) http://wrapper.tanukisoftware.org
Copyright 1999-2006 Tanuki Software, Inc. All Rights Reserved.
2016.07.05 06:18:03 INFO app[o.s.a.AppFileSystem] Cleaning or creating temp directory /opt/sonar/temp
2016.07.05 06:18:21 INFO web[o.s.s.p.Platform] DB needs migration, entering safe mode
2016.07.05 06:18:21 INFO web[jruby.rack] jruby 1.7.9 (ruby-1.8.7p370) 2013-12-06 87b108a on Java HotSpot(TM) 64-Bit Server VM 1.8.0_91-b14 [linux-amd64]
2016.07.05 06:18:21 INFO web[jruby.rack] using a shared (threadsafe!) runtime
2016.07.05 06:18:33 INFO web[DbMigration] == InitialSchema: migrating ==================================================
2016.07.05 06:21:57 INFO web[o.a.c.h.Http11NioProtocol] Starting ProtocolHandler ["http-nio-0.0.0.0-9000"]
2016.07.05 06:21:57 INFO web[o.s.s.a.TomcatAccessLog] Web server is started
2016.07.05 06:21:57 INFO web[o.s.s.a.EmbeddedTomcat] HTTP connector enabled on port 9000
WARNING: while creating new bindings for class org.jruby.rack.RackInput,
found an existing binding; you may want to run a clean build.
2016.07.05 06:21:57 INFO app[o.s.p.m.Monitor] Process[web] is up
2016.07.05 06:22:02 INFO ce[o.e.plugins] [sonar-1467713883353] loaded [], sites []
2016.07.05 06:22:03 INFO ce[o.s.c.c.CePluginRepository] Load plugins
2016.07.05 06:22:04 INFO ce[o.s.s.c.q.PurgeCeActivities] Delete the Compute Engine tasks created before Thu Jan 07 06:22:04 EST 2016
2016.07.05 06:22:05 INFO ce[o.s.ce.app.CeServer] Compute Engine is up
2016.07.05 06:22:05 INFO app[o.s.p.m.Monitor] Process[ce] is up
Change Sonarqube Admin Password
Now that SonarQube is ready, point your browser to the SonarQube address. Let's change the default admin password of SonarQube. Click on the Log in link at the top right.
Note about updates and restarts: when the SonarQube installation is already live in production, make sure we only restart it during a maintenance window; each organisation has its own policy.
Some organisations require maintenance windows after office hours; some allow maintenance windows during office hours. Make sure you announce the maintenance window to the users before doing maintenance on the SonarQube server.
In this tutorial we learned how to install the SonarQube continuous inspection software, install MySQL to store its data and Nginx as a reverse proxy, and the basic usage of SonarQube.
Hopefully SonarQube can help improve the quality of the code that your team produces.