
Improve your code quality through static code analysis

In our line of work, great code is a key factor for success. Quality code speeds up your development and saves time and money.

There are multiple ways of improving your source code: education and training, applying a coding standard, code review, static code analysis and unit testing.

Hopefully all of the above are already in place, but if you’re missing the static code analysis part, or are interested in SonarQube as a static code analysis tool, this article is for you.

SonarQube is a great tool for analysing and visualising your code quality. It supports 27 programming languages (C, C++, C#, Python, Java, JavaScript and others) and offers both a high-level overview and detailed information when needed – perfect for both managers and developers.

SonarQube Overview dashboard with helpful KPIs (Key Performance Indicators).

If your project has been in a hectic release phase with a focus on delivering features rather than on design discussions, unit testing and refactoring, the KPIs on the SonarQube overview dashboard will probably show that. Some examples of KPIs are Security Hotspots, technical debt (measured in time), number of bugs, number of code smells and duplicated code (measured in % and lines of code).

Pricing and hosting

Is SonarQube expensive? On the contrary, it’s free in most cases. You can choose between using SonarCloud or hosting your own SonarQube server and database on-premises or in the cloud (e.g., in a virtual machine in Azure/GCP/AWS). In the latter case, the costs for the virtual machine and database will be added to your cloud bill. SonarCloud is free for public repositories but costs money for private/non-public ones.

SonarQube consists of a scanner that scans the source code, a server that receives the results, and a database. The scanner is preferably installed and run by your Continuous Integration (CI) and Pull/Merge Request pipelines. If you choose to host your own server, remember that you are responsible for keeping the operating system, the SonarQube server and the database updated and secure.

It is also possible to integrate SonarQube into your IDE, such as Visual Studio Code or Visual Studio, to get real-time feedback.

Example deployment diagram of a self-hosted (on-premises or in the cloud) SonarQube installation.

If you choose SonarCloud, you only need to install the scanner in the CI/Pull/Merge Request pipeline. The server part is managed by SonarSource (the company behind SonarQube/SonarCloud).
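Both setups above (self-hosted server or SonarCloud) share the same CI-side piece: a committed scanner configuration plus a pipeline step that runs the scanner against the server. The following script is an added example, not code from the article or from SonarSource. It writes a `sonar-project.properties` file for a constructed sample project, refuses to run if a credential has been written into that file (the token belongs in a CI secret, never in the repository), and then invokes `sonar-scanner` with the server URL and token taken from environment variables. The project key, name, paths and exclusions are placeholders; the `sonar.token` property is assumed to be available (SonarQube 10+ / scanner 5+; older versions used `sonar.login`).

```shell
#!/bin/sh
# Added example (not from the article): prepare and run a SonarQube/SonarCloud
# scan from a CI job. Project key/name/paths below are constructed placeholders.
set -e

# Write the scanner configuration. Everything in this file is safe to commit:
# the server URL and the token are deliberately NOT written here.
write_sonar_properties() {
  dir="$1"
  cat > "$dir/sonar-project.properties" <<'EOF'
# constructed sample project; replace key/name with your own
sonar.projectKey=example-org_example-service
sonar.projectName=Example Service
sonar.sources=src
sonar.tests=tests
sonar.sourceEncoding=UTF-8
# keep generated and vendored code out of the metrics
sonar.exclusions=**/node_modules/**,**/build/**,**/*.generated.*
EOF
}

# Guard: fail if a credential has been committed into the properties file.
# Returns 0 when clean, 1 when a token/login/password key is present.
check_no_secret_in_properties() {
  file="$1"
  if grep -Eq '^[[:space:]]*sonar\.(token|login|password)[[:space:]]*=' "$file"; then
    echo "refusing to continue: credential found in $file" >&2
    return 1
  fi
  return 0
}

# Run the scanner. SONAR_HOST_URL and SONAR_TOKEN are expected as CI secrets /
# environment variables (assumption: sonar.token, SonarQube 10+ / scanner 5+).
# Returns 2 when sonar-scanner is not installed so the caller can decide.
run_scan() {
  dir="$1"
  check_no_secret_in_properties "$dir/sonar-project.properties"
  if ! command -v sonar-scanner >/dev/null 2>&1; then
    echo "sonar-scanner not installed; skipping scan" >&2
    return 2
  fi
  ( cd "$dir" && sonar-scanner \
      -Dsonar.host.url="${SONAR_HOST_URL:?set SONAR_HOST_URL}" \
      -Dsonar.token="${SONAR_TOKEN:?set SONAR_TOKEN}" )
}

# Stand-alone usage: `sh sonar-ci.sh --prepare` writes the config into the
# current directory and verifies it; `--scan` additionally runs the scanner.
case "${1:-}" in
  --prepare)
    write_sonar_properties "."
    check_no_secret_in_properties "./sonar-project.properties" && echo "properties OK"
    ;;
  --scan)
    write_sonar_properties "."
    run_scan "."
    ;;
esac
```

The point of the guard is that the scanner token grants write access to your SonarQube/SonarCloud project, so it is treated like any other CI credential: injected at runtime from the pipeline's secret store and kept out of the committed configuration. Run the `--prepare` step locally once to bootstrap the file, then let the CI and Pull/Merge Request pipelines call `--scan`.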

Below is an example of SonarCloud scanning the code in a Pull Request (on GitHub). The result is inserted as a comment into the Pull Request, and can also be viewed in more detail on SonarCloud.io.

A SonarCloud comment on a GitHub Pull Request (SonarCloud is free for public repositories).

Where to start the refactoring?

When it’s time to start refactoring the code but you don’t know where to begin, SonarQube will guide you. Under the Measures tab there is a very nice graph of the different files with their reliability and security ratings. I usually start with the worst file.

Visualization of the worse of the Reliability Rating and the Security Rating per file.

Pimp your repo documentation with a badge

Brag about your top-notch code quality with an impressive and beautiful badge.

My SonarQube experience

At Wolfberry, we’ve used and installed SonarQube for many years, each time resulting in higher code quality. Both managers and developers have been very satisfied with the tool, and we have only received positive feedback.

If you don’t have a static code analysis tool today, we really recommend you start right away with SonarQube. If, however, you know of an even better tool, please drop us a message on LinkedIn.