Bitbucket and SonarQube

This page describes how to use both Bitbucket in combination with SonarQube to have your source code analysed. You are just a couple of simple steps away:

• Create a local copy of your repository on your PC
• Install the SonarQube scanner
• Run SonarQube and review the results

We guide you through the steps by referencing a simple "training" project in SonarQube named omarsWP9T2 (SonarQube key: DemoKey) which is a simple Java project (non-Maven, non-Gradle, etc).

For the sake of easy guidance throughout this manual, we use a handful of pseudo-names that help keeping your local setup aligned with SonarQube installation requirements

Clone your Bitbucket repository

First you need to clone the Bitbucket repository to your local machine.
Clone your project repository

Prepare the SonarQube scanner

The following steps are nesessary to prepare the SonarQube scanner.

Install the SonarQube scanner

To install the scanner on your machine please follow instructions here.

When installed, the SonarQube scanner usually resides in a directory on your local machine. The installation directory of the scanner is usually different from the installation location of the development project. We will be referring to the installation directory of the scanner as SQ_SCANNER_INSTALL_DIR.

Create a token in SonarQube (optional step)

This step can be omitted when you have already created and SAVED your SonarQube token. If you have not done it before or if you have forgotten your SonarQube token, please follow the SonarQube description here for more info on generating tokens.

Remember your SonarQube token (now referred to as SONARQUBE_TOKEN). You will need it in the next step.

Edit the sonar-scanner.properties file

There is a variety of options, all of which serve to adjust your SonarQube scanner to your environment. These adjustments must be done in the file sonar-scanner.properties which can be found within the  <SQ_SCANNER_INSTALL_DIR>/conf directory.

We recommend to work with the following parameters:

1. sonar.host.url=https://sonarqube.software.geant.org
2. sonar.login=<SONARQUBE_TOKEN>

sonar-scanner.properties - example

Add the SonarQube scanner to you PATH variable

Add the executable directory of the SonarQube scanner (<SQ_SCANNER_INSTALL_DIR>/bin) to your PATH environment variable. Typical installation directories are:

• Linux (referred to as $PATH): /usr/local/bin, $HOME/bin
• Windows (referred to as %PATH%):  C:\sonar-scanner\bin
  

You can verify your installation by opening a new command prompt/terminal window and executing the command sonar-scanner -h

Your output should look similar to the following:
Test the PATH variable

Configuration file sonar-project.properties

Then, in order to run the scanner on a specific project, you need to do the following:

• Create a configuration file in the root directory of the project (SQ_PROJECT_LOCAL_INSTALL_DIR): sonar-project.properties

This file needs to have following properties:

1. sonar.projectKey=demo-omars-project      #  This is the ProjectKey found in the SonarQube list of projects
2. sonar.sources=.                       # Needs to point to the source files
3. sonar.java.binaries                   # This is the path to the .class java files to be analyzed

sonar-project.properties - example

Analyse your project

Run the SonarQube scanner

Now that you have the set up and files configured properly, all you need to do is to run the sonar-scanner from within the project's directory.

The command line should eventually show "EXECUTION SUCCESS", as depicted below:

View your project in SonarQube

That's all. Now you can go to the SonarQube web interface to view the results of the analysis:

SonarQube Analysis

A typical SonarQube analysis will include  

1. Home Page:  provides a summary of the entire analysis. Here, Bugs, Vulnerabilities, Code Smells, Coverage and Duplication.
2. SonarQube, based on its policies, performs a code analysis to find the issues in your code like conventions, security, performance, error-handling, etc.
   • Depending on the policies, it raises issues for the user to address.
   • Additionally, it provides the amount of effort required to address those issues.
   • SonarQube also provides interesting graphical visualization of various statistics related to the analysis results.
3. The Coverage report Helps you determine percentage of code covered by the unit test. It is the one which can help every product owner check in а few minutes how many unit tests are implemented for the project.  It provides a graphical representation of each file's test coverage and indicating number of uncovered lines.
4. Duplications: Displays duplicate blocks, lines and files.

SonarQube results in Bitbucket:

in Bitbucket you have to enable Sonar. This can be done from your Repository settings. On the left-hand side click on "Sonar" under ADD-ONS. This will open up the Sonar Settings page on the right, click on Sonar Enabled as shown below

Also, enable “Use new Sonar branching and pull request support” here. DO NOT FORGET TO SAVE

Then, if you go back to your repository main page you will be able to find Sonar analysis results at the top

You can click on the results and you will be redirected to the project issues section on SonarQube website

Summary

SonarQube is a powerful platform for continuous inspection of source code and various aspects pertaining to quality and best practices. Integrating SonarQube analysis into pull requests in Bitbucket server makes this very useful for developers. SonarQube's website has more information on the product. 

Additionally, there is also an integration between GitLab CI and SonarQube:

MANUAL: Continuous Integration Setup with GitLab CI and SonarQube