# Use SonarQube in Erda

    SonarQube (formerly Sonar) is an open-source system for code quality management that offers reports on duplicated code, coding standards, unit tests, code coverage, code complexity, comments, bugs, and security recommendations.

    This article describes how to use Sonar in an Erda project so that your application gets a code quality management system.

    # Preparations

    Before you start, you need to gain a basic understanding of Erda, which offers features centered on Projects and Apps, so create a Project first and assign resources to it (see Resource Quota for details).

    Tips

    Please ensure that the resources allocated meet the application build requirements to avoid build failures due to insufficient resources. See Resource Quota for details.

    If you want to create a new project, it is recommended to read the following documents as a priority:

    1. Project and Application Creation
    2. Project Resource Management

    If you have questions about how to manage project resources, it is recommended to read the following documents as a priority:

    1. Manage Quota
    2. Node Labels

    # Get an Available SonarQube Service

    First, you need an available SonarQube service for the later steps. You can use a service from another vendor or build your own. Sonar also officially offers a SaaS option, and you can quickly get an available instance on its Official Website.

    This chapter offers several common build options. If you are short of time, there is another solution, the "temporary Sonar instance": using Erda's ability to release an application with a single click, Sonar itself can be started as an application via pipeline.yml and dice.yml.

    Warning

    This "temporary Sonar instance" is not available for real application scenarios and is for reference only.

    You can read the following selectively as needed:

    1. SonarCloud
    2. Existing self-built Sonar service
    3. Temporary Sonar instance (not available for real application scenarios)

    # SonarCloud

    SonarCloud is a code inspection platform provided by Sonar and is free for open-source projects. Please see the SonarCloud Website for details.

    # Existing Self-Built Sonar Service

    There are several ways to build your own Sonar services:

    1. Manually build and maintain a Sonar service. SonarQube is open source and can be downloaded from GitHub.
    2. Run the official Docker image of SonarQube in a container.
    3. Deploy the SonarQube Helm chart to a Kubernetes cluster via Helm.

    # Temporary Sonar Instance

    # Add Application

    To quickly build a Sonar service, create a new application under the project for Sonar deployment. For example, create a new application named sonarqube (this example is for reference only and is not available in production environments).

    After the application is created, you need to write a pipeline.yml and dice.yml to quickly deploy the Sonar service, with pipeline.yml used to deliver SonarQube service artifacts (see pipeline.yml for details) and dice.yml to run the service declaratively (see dice.yml for details).

    Tips

    You can also go to GitHub to get the code samples directly, without debugging from scratch.

    # Write pipeline.yml

    ```yaml
    version: "1.1"
    stages:
      - stage:
          - git-checkout:
              alias: git-checkout
              description: code repository clone
      - stage:
          - release:
              alias: release
              params:
                dice_yml: ${{ dirs.git-checkout }}/dice.yml
      - stage:
          - dice:
              alias: dice
              description: to deploy application services on Erda
              params:
                release_id: ${{ outputs.release.releaseID }}
    ```

    # Write dice.yml

    The pipeline above delivers the artifact; a dice.yml is then required to describe how Sonar is deployed.

    You can go to SonarQube to choose the target version and replace the image accordingly, or use the available version 8.9.6 directly.

    ```yaml
    version: '2.0'
    services:
      sonar:
        image: registry.cn-hangzhou.aliyuncs.com/dice-third-party/sonar:8.9.6
        ports:
          - port: 9000
            expose: true
        resources:
          cpu: 0.5
          mem: 2048
        deployments:
          replicas: 1
    ```

    You can modify the CPU and memory resources as needed.

    # Run Pipeline

    After selecting the Sonar version and completing the pipeline, run the pipeline to build and deploy SonarQube.

    To specify the admin password and token for Sonar, go to App Settings > Environment Settings to set parameters.

    • SONAR_ADMIN_PASSWORD: Sonar admin password

    • SONAR_ADMIN_TOKEN: Sonar admin token

    Click to run the pipeline and wait for the deployment to complete.

    # Test Sonar

    After deployment, click Set Domain in the deployment view to make the Sonar service reachable.

    Open that Sonar address to confirm the Sonar service is running.

    You have now completed a self-built SonarQube service.

    # Create Project and Authorization Credential (Token) in SonarQube

    Once the service is ready, create a new project and token in SonarQube for later code checks.

    Create a new project as shown below, and then generate a token. See the Sonar Documentation for details.

    # Configure Sonar for Your Business Application

    Now you have completed all the prerequisites for the code quality check. Select the application that requires code checking and go to Settings > Sonar Settings to configure Sonar information.

    Then add a new pipeline, select the Sonar action (2.0) and run it.

    An example of a pipeline is as follows:

    ```yaml
    version: "1.1"
    stages:
      - stage:
          - git-checkout:
              alias: git-checkout
              version: "1.0"
              params:
                branch: master
                depth: 1
      - stage:
          - sonar:
              alias: sonar
              version: "2.0"
              params:
                # the application code for sonar analysis is specified here
                code_dir: ${{ dirs.git-checkout }}
                # false by default
                must_gate_status_ok: false
    ```

    Tips

    • Typically, operations such as packaging and deployment should only be allowed when the code check status is OK, so you can set the parameter must_gate_status_ok to true. For more information on the quality gate, see the Official Documentation.
    • Select version 2.0 of the Sonar action to use your custom SonarQube service. If no version is specified, the default is version 1.0 (see Code Quality for details).
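As an added example (not one of the page's own samples), the following pipeline.yml combines the Sonar action above with the release and dice actions from the temporary-instance pipeline, so that packaging and deployment run only after the quality gate passes. It assumes the stages run in order and that a failing sonar action stops the pipeline, as the tip above describes, and that the SonarQube address and token are configured under Sonar Settings rather than written into the YAML.

```yaml
version: "1.1"
stages:
  - stage:
      - git-checkout:
          alias: git-checkout
          version: "1.0"
          params:
            branch: master
            depth: 1
  - stage:
      - sonar:
          alias: sonar
          version: "2.0"
          params:
            code_dir: ${{ dirs.git-checkout }}
            # Fail this action, and with it the pipeline, whenever the
            # SonarQube quality gate is not OK (the default is false).
            must_gate_status_ok: true
  - stage:
      # Reached only when the gate above passed.
      - release:
          alias: release
          params:
            # Assumes the application repository carries its own dice.yml.
            dice_yml: ${{ dirs.git-checkout }}/dice.yml
  - stage:
      - dice:
          alias: dice
          params:
            release_id: ${{ outputs.release.releaseID }}
```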

    After successful execution, the Sonar action will return the Sonar project address.

    Go to the address to see the detailed code quality reports.

    # View Code Quality Reports

    Upon successful execution of the pipeline, the Sonar action will return the Sonar service address, where you can see quality reports of the application.

    The report contains the following:

    • Bug
    • Code smell
    • Coverage
    • Duplicated code
    • Others

    The Sonar quality report analyzes projects from the aspects of reliability, security, maintainability, coverage, duplication and others, and assigns five risk levels from A to E, which helps you keep a close eye on the code quality of your projects. For more information, see the Official Documentation.