This page describes how to use Bitbucket in combination with SonarQube to have your source code analysed. You are just a few simple steps away:

  • Create a local copy of your repository on your PC
  • Install the SonarQube scanner
  • Run SonarQube and review the results

We guide you through the steps by referencing a simple "training" project in SonarQube named omarsWP9T2 (SonarQube key: DemoKey), a plain Java project (no Maven, Gradle or other build tool).

For easy guidance throughout this manual, we use a handful of pseudo-names that help keep your local setup aligned with the SonarQube installation requirements:

Pseudo name                    Description

BRANCH_NAME                    Name of the branch under consideration. Can optionally be used in combination with PATH_OF_REPOSITORY.
PATH_OF_REPOSITORY             Path (URL) of your Git project (GitHub, Bitbucket, etc.).
SQ_SCANNER_INSTALL_DIR         Local installation directory of the SonarQube scanner.
SQ_PROJECT_LOCAL_INSTALL_DIR   Local installation directory of your project on your computer.
SONARQUBE_TOKEN                Your SonarQube token. It is usually created when a project is entered into SonarQube, but can also be newly generated if needed.

Clone your Bitbucket repository

First you need to clone the Bitbucket repository to your local machine.
Clone your project repository


#
# change to the directory in which you want to clone your SonarQube project.
# cd <SQ_PROJECT_LOCAL_INSTALL_DIR>
#
# Use the following command if you want to clone the entire project:
#
# git clone <PATH_OF_REPOSITORY>/<project_name>.git
#
# Example:
git clone https://bitbucket.software.geant.org/scm/~omar.qouqas/wp9t2.git
 
#
# Use the following command if you want to clone a specific branch
#
# git clone -b <BRANCH_NAME> <PATH_OF_REPOSITORY>/<project_name>.git
#

Prepare the SonarQube scanner

The following steps are necessary to prepare the SonarQube scanner.

Install the SonarQube scanner

To install the scanner on your machine please follow instructions here.

When installed, the SonarQube scanner usually resides in a directory on your local machine. The installation directory of the scanner is usually different from the installation location of the development project. We will be referring to the installation directory of the scanner as SQ_SCANNER_INSTALL_DIR.

Create a token in SonarQube (optional step)

This step can be omitted when you have already created and SAVED your SonarQube token. If you have not done it before or if you have forgotten your SonarQube token, please follow the SonarQube description here for more info on generating tokens.

Remember your SonarQube token (now referred to as SONARQUBE_TOKEN). You will need it in the next step.

Edit the sonar-scanner.properties file

The scanner reads its general settings from the file sonar-scanner.properties in the <SQ_SCANNER_INSTALL_DIR>/conf directory. These settings apply to every project you scan from this machine, so only environment-level values (server connection details) belong here, not project-specific ones.

We recommend setting the following two parameters:

  1. sonar.host.url=https://sonarqube.software.geant.org
  2. sonar.login=<SONARQUBE_TOKEN>

The token gives the scanner your SonarQube permissions, so treat this file like any other credential store: keep it readable only by your own user account and never copy the token into a file inside the project repository, where it would be committed and pushed. Note that SonarQube 10 and SonarScanner CLI 5 onwards deprecate sonar.login in favour of sonar.token; the scanner CLI also accepts the token from the SONAR_TOKEN environment variable, which avoids storing it in a file at all.



sonar-scanner.properties - example


# Configure here general information about the environment, such as SonarQube server connection details for example
# No information about specific project should appear here
 
# ----- Default SonarQube server
sonar.host.url=https://sonarqube.software.geant.org
 
# ----- Default source code encoding
#sonar.sourceEncoding=UTF-8
 
#
# token created in SonarQube User > My Account > Security
#
# The following token is not a real SonarQube token, just an example.
# You need to replace it with your SONARQUBE_TOKEN
#
sonar.login=b5d3exxxxxxxxxxxxxxxxxxxxxxxxxxxxxx7c5d2

Add the SonarQube scanner to your PATH variable

Add the executable directory of the SonarQube scanner (<SQ_SCANNER_INSTALL_DIR>/bin) to your PATH environment variable, or place a link to the sonar-scanner executable in a directory that is already on it. Typical locations are:

  • Linux (referred to as $PATH): /usr/local/bin, $HOME/bin
  • Windows (referred to as %PATH%): C:\sonar-scanner\bin

You can verify your installation by opening a new command prompt/terminal window and executing the command sonar-scanner -h

Your output should look similar to the following:
Test the PATH variable


INFO:
INFO: usage: sonar-scanner [options]
INFO:
INFO: Options:
INFO:  -D,--define <arg>     Define property
INFO:  -h,--help             Display help information
INFO:  -v,--version          Display version information
INFO:  -X,--debug            Produce execution debug output

Configuration file sonar-project.properties

Then, in order to run the scanner on a specific project, you need to do the following:

  • Create a configuration file in the root directory of the project (SQ_PROJECT_LOCAL_INSTALL_DIR): sonar-project.properties

This file needs to have the following properties:

  1. sonar.projectKey=<project key>          # The project key shown in the SonarQube list of projects (DemoKey for the training project)
  2. sonar.sources=.                         # Must point to the source files (relative to this file)
  3. sonar.java.binaries=<path to classes>   # Path to the compiled .class files of the sources to be analysed

Unlike sonar-scanner.properties, this file is part of the repository, so it must never contain your token.



sonar-project.properties - example


#
# provide SonarQube project name and/or SonarQube project key (key must be unique in a given SonarQube instance)
#
# sonar.projectName=My project
#
# key name of our training project
#
sonar.projectKey=DemoKey
 
# Path is relative to the sonar-project.properties file. Defaults to .
sonar.sources=.
 
#
# sonar.java.binaries must point to the .class files
# the below is an example. Please use the correct path to your .class files
#
sonar.java.binaries=C:/Users/Omar/eclipse-workspace/NLCalculator/bin/Calculator/
 
# --- optional properties
# sonar.projectVersion=1.0
# Encoding of the source code. Default is default system encoding
# sonar.sourceEncoding=UTF-8

Analyse your project

Run the SonarQube scanner

Now that the scanner is set up and both properties files are configured, all you need to do is run sonar-scanner from within the project's directory (SQ_PROJECT_LOCAL_INSTALL_DIR, where sonar-project.properties resides).

The last lines of the scanner output should show "EXECUTION SUCCESS", as depicted below. If the run ends with "EXECUTION FAILURE" instead, the message just above it states the cause (for example a sonar.java.binaries directory that does not exist, or a token the server rejects); rerun with sonar-scanner -X for debug output.
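Before invoking the scanner it is worth checking that the two properties files described above (the shared sonar-scanner.properties and the per-project sonar-project.properties) are consistent and that no token has crept into the project file. The following POSIX shell script is an added example, not part of the original page or of SonarQube's own tooling. It assumes sh, grep, sed, tail and dirname are available, that sonar-scanner is already on PATH, and that the token is supplied through the SONAR_TOKEN environment variable; the function names prop_get, check_project_properties and run_scan are hypothetical helpers written for this example.

```shell
#!/bin/sh
# Added example, not part of the original page or of SonarSource's tooling:
# pre-flight checks before running sonar-scanner from the project directory
# (SQ_PROJECT_LOCAL_INSTALL_DIR). Assumes POSIX sh with grep, sed, tail and
# dirname, and that sonar-scanner is already on PATH.

# Print the value of a key from a .properties file, ignoring commented-out
# lines; if the key is defined more than once, the last definition wins.
# Prints nothing when the key is absent.
prop_get() {
    # $1 = properties file, $2 = key (dots are escaped so "." is literal)
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${key}[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//'
}

# Validate a sonar-project.properties file: the three keys this page requires
# must be set, every sonar.java.binaries entry (comma-separated, relative to
# the file unless absolute) must exist, and no token may be stored in it.
# Prints one finding per line; returns 0 when the file is usable, 1 otherwise.
check_project_properties() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "missing file: $f"; return 1; }

    for k in sonar.projectKey sonar.sources sonar.java.binaries; do
        if [ -z "$(prop_get "$f" "$k")" ]; then
            echo "missing key: $k"
            rc=1
        fi
    done

    dir=$(dirname "$f")
    old_ifs=$IFS
    IFS=,
    for b in $(prop_get "$f" sonar.java.binaries); do
        b=$(printf '%s' "$b" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case $b in
            /*|[A-Za-z]:*) p=$b ;;      # absolute POSIX or Windows path
            *)             p=$dir/$b ;; # relative to the properties file
        esac
        if [ ! -d "$p" ]; then
            echo "sonar.java.binaries path not found: $b"
            rc=1
        fi
    done
    IFS=$old_ifs

    # sonar-project.properties lives in the repository, so a token placed here
    # would be committed and pushed. Credentials belong in
    # <SQ_SCANNER_INSTALL_DIR>/conf/sonar-scanner.properties or in the
    # SONAR_TOKEN environment variable.
    if [ -n "$(prop_get "$f" sonar.login)" ] || [ -n "$(prop_get "$f" sonar.token)" ]; then
        echo "credential found in $f: remove sonar.login/sonar.token from the project file"
        rc=1
    fi
    return $rc
}

# Run the scan only when the checks pass. The server URL and token come from
# the environment (SONAR_HOST_URL, SONAR_TOKEN) so nothing secret is written
# into the project. SonarQube 10+/SonarScanner CLI 5+ prefer sonar.token over
# the deprecated sonar.login; -Dsonar.login is kept here to match the page.
run_scan() {
    check_project_properties sonar-project.properties || return 1
    [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set"; return 1; }
    sonar-scanner \
        -Dsonar.host.url="${SONAR_HOST_URL:-https://sonarqube.software.geant.org}" \
        -Dsonar.login="$SONAR_TOKEN"
}
```

Source the script in the project directory and call run_scan; export SONAR_TOKEN beforehand (for example from a password manager) rather than typing the token on the command line, so it does not end up in your shell history.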

View your project in SonarQube

That's all. Now you can go to the SonarQube web interface to view the results of the analysis:

SonarQube Analysis

A typical SonarQube analysis will include:

  1. Home Page: provides a summary of the entire analysis, showing Bugs, Vulnerabilities, Code Smells, Coverage and Duplication.
  2. Issues: based on its policies (quality profiles), SonarQube analyses the code to find issues such as convention, security, performance and error-handling problems.
    • Depending on the policies, it raises issues for the user to address.
    • Additionally, it provides the estimated effort required to address those issues.
    • SonarQube also provides graphical visualisations of various statistics related to the analysis results.
  3. The Coverage report helps you determine the percentage of code covered by unit tests. It lets every product owner check in a few minutes how many unit tests are implemented for the project. It provides a graphical representation of each file's test coverage and indicates the number of uncovered lines.
  4. Duplications: displays duplicated blocks, lines and files.


SonarQube results in Bitbucket:

In Bitbucket you have to enable Sonar. This is done from your repository settings: on the left-hand side click "Sonar" under ADD-ONS. This opens the Sonar Settings page on the right; tick "Sonar Enabled" as shown below.


Also enable "Use new Sonar branching and pull request support" here. DO NOT FORGET TO SAVE.



Then, if you go back to your repository main page, you will find the Sonar analysis results at the top.


Clicking on the results redirects you to the project's issues section on the SonarQube website.

Summary

SonarQube is a powerful platform for continuous inspection of source code and various aspects pertaining to quality and best practices. Integrating SonarQube analysis into pull requests in Bitbucket Server makes it very useful for developers. SonarQube's website has more information on the product.

Additionally, there is also an integration between GitLab CI and SonarQube:

MANUAL: Continuous Integration Setup with GitLab CI and SonarQube