Code quality and analysis with SonarQube — Part I

6 min readMar 13, 2022

You created your app and wanted to go forwards by checking your code quality, vulnerabilities, reliability, and maintainability ? well, Sonarqube is a great option to fill this need, let’s discover more about it together as follows.

Sonarqube is a stunning open-source tool that provides code quality analysis, reports, vulnerabilities, bugs scan and how to stick with the best clean code practices.

It provides a static code scan (which requires accessing to your source code) with so various services such as :

  • Vulnerabilities : Sonarqube runs OWASP top 10 checklist on your code.
  • Bugs
  • Code smells : this one specifically, runs a series of tests to be sure you’re following the best practices and the optimum way to get a clean code.
  • Technical debt : in brief words, technical debt in Sonar is the necessary time to fix what you’ve skipped (such as implementing tests, code readability ..) to deliver a feature fast.
  • Duplications : It scans for code blocks duplications, this is a good way to avoid redundant code to increase your app performance and make your code more readable.
  • Code coverage : This service measures how far your code is covered my tests like Unit tests for example, it gives a percentage that describe the coverage.
  • Cyclomatic complexity : This indicates the possible number of paths to go from a defined condition to an expected result.
  • Cognitive complexity : This measure indicates how difficult your code will be to read and understand, Sonarqube allow 15 as the default value to not go above, the rule is that, the less cognitive complexity you’ve in your code, the more readable it’s.

So let’s see all of these in action, let’s start with Sonarqube setup, for this, you’ve first to download Sonarqube zip file from here, then and navigate to <sonar_folder>/bin/<your_OS_sonar_installation>

Here i’m using Windows, so go to windows-x86–64 and double click “StartSonar.bat” to start Sonar service as shown in the image as follows :

Sonarqube can be integrated in two ways, locally or directly in your project pipelines like with gitlab ci-cd or github action, this might be the subject of the second part of this topic.

Add Sonarqube to your project locally :

In this part, we’ll add Sonarqube to our existing Spring-boot project, so first of all for a reason of dependencies compatibility, be sure to use jdk-11 and set it up in your project, as below you will find how to do this with intellij IDE :

As shown in the image as above, navigate to File->Project Structure ->SDKs, then check if you’ve jdk 11 in the list otherwise you can add it by clicking on the plus icon in the top part of the pop-up, now switch your gradle JVM version to 11 by navigating to Settings/Gradle, as in the image below :

Now add Sonar plugin and dependency as follows :

Then let’s add sonar properties to our project’s “” file :

Now we need to generate a token for our project, so click on “create project” and fill your project’s description inputs :

Then choose to create it locally :

And choose a label for your token, then click “generate” :

Once it’s generated, you don’t need to proceed the project creation, just copy the generated token and paste it in your “” as the value of the property “sonar.login”.

Well, closely done, to start the scan, run the command :

./gradlew sonarqube

Once it’s built successfully, go to Sonarqube project page to find the scan titled of your project name (your local project’s name) as below :

Since our project is still empty, so no bugs neither vulnerabilities were detected, so to put things under the loop, let’s check the result of another project’s scan :

Here we go, as you can see, the scan failed, it’s because of that some of measures that we defined in our custom quality gate weren’t respected, so let’s dig in deeper by clicking on the project to see things clearer :

Here i selected the “code smells” feature, as you can see, one of the critical points to set, is to remove the unused code, in the same context, to remove the commented code.

Let’s now, go to check the “Security Hotspots” :

According to Sonar, using Math.random() is not safe, and it tells us what’s the risk, are we at the risk ? and How can it be fixed !?

Now let’s see a global statistics about the code by clicking on the “Code” tab :

Sonar shows that, our code has 3.3% duplicated blocks, and without Unit tests/Integration tests.

Well Sonar is really transcendent and it gives a lot more measures and statistics about our project for a clean and safe code.

Add Sonarqube to your CI-CD pipelines :

Well, this will be the subject of the second part of this topic with Github actions and Gitlab ci-cd.

That’s all for this part, in the coming part we’ll see how to add Sonarqube to your CI-CD (continuous integration, continuous deployment) pipeline.

Quick troubleshooting 🔧:

If the command above doesn’t work for example cuz of a bad lombok configuration like in the pic as below :

then as a shortcut, just add a custom task in build.gradle file as follows :

and don’t forget to add your Sonar token as value of the property sonar.login, then run the task, that’s it 😊😉.