Wilson Mar bio photo

Wilson Mar

Hello!

Calendar YouTube Github

LinkedIn

Static Code Analysis

It has your back … by riding your back

US (English)   Norsk (Norwegian)   Español (Spanish)   Français (French)   Deutsch (German)   Italiano   Português   Estonian   اَلْعَرَبِيَّةُ (Egypt Arabic)   Napali   中文 (简体) Chinese (Simplified)   日本語 Japanese   한국어 Korean

Overview

SonarQube (abbreviated to Sonar here) improves quality by performing “static analysis” (scanning) of programming code to identify issues from meaures it calculates.

“Sonar’s power is as a way to reveal specific coding tricks the team might want to adopt.”

PROTIP: Introduce rules gradually and gently.

WARNING: Those who use Sonar purely as a surveillance tool to judge workers usually experience consequences.

CAUTION: Sonar stores code (in some compressed form) that it processes, which may be of security concern. Licenses are limited to the lines of code Sonar stores.

User Guide: https://docs.sonarqube.org/latest/user-guide/clean-as-you-code/

Static Analysis vs Lint

SonarQube’s licensed competitors include PRQA, which uses this illustration to differentiate itself versus lint programs and “bug catchers”.

The value proposition for using static analysis tools versus simpler lint programs is the time and frustration that developers save analyzing false positives, which leads to less usage and thus more lingering defects (“technical debt”).

A summary of what SonarQube finds estimates Technical Debt, which SonarQube tracks over time.

sonarqube-tech-debt-pyramid

Sonar scans different facets (such as security).

Different languages

Sonar analyzes various languages using plug-ins.

### Sonar for Scala #

http://www.scalastyle.org/ provides a list of ways to use Scalastyle at https://github.com/scalastyle

by 3 people:

  • Matthew Farwell (http://www.farwell.co.uk/ of Switzerland)

https://groups.google.com/forum/#!forum/scalastyle-users

https://github.com/emrehan/sonar-scalastyle

is based on a fork of https://github.com/NCR-CoDE/sonar-scalastyle

http://docs.codehaus.org/display/SONAR/Scala+Plugin

SQALE Summary Ratings

Sonar calculates a SQALE Rating based on the open-source SQALE (Software Quality Assessment based on Lifecycle Expectations) methodology defined by industry group http://www.sqale.org/. The caluculation is based on inclusion of rules set in the Common SonarQube repository:

  • Duplicated blocks
  • Failed unit tests
  • Insufficient branch coverage by unit tests
  • Insufficient comment density
  • Insufficient line coverage by unit tests
  • Skipped unit tests

Change SQUALE calculations in the plug-in http://www.sonarsource.com/products/plugins/governance/sqale/

Rules

SonarQube Analyzers scan code organized into projects.

sonarqube rules fromdoc

Coding standards include:

  • ISO 26262

  • MISRA (Motor Industry Software Reliability Association) was first published in April 2013 to support C99 and C90 versions of the C language, used mostly for embedded software development.

  • JSF

  • HIC++

Tags

Customizable Tags provide a way to categorize and filter rules.

Install environment to Run SonarQube

Since SonarQube runs as a server, it’s best to have it run within a VM.

Upgrade to v7 involves a change to PostgreSQL or MariaDB from MySQL.

Install environment to Run SonarQube

  1. Install SonarQube using Homebrew:

    brew install scalastyle

This page was written after downloading file SonarQube 5.1.2 created Jul. 27, 2015 from http://www.sonarqube.org/

Most developers prefer to have Sonar look at code before commit into a team repository. Such preview mode runs do not store results in the Sonar run database.

Plugins enable Sonar to be invoked several ways:

  • From a command line as one step in local evaluations. This approach enables one-time parameter configuration for each individual user.

    sonar-runner

  • From inside IDE (IntelliJ, Eclipse, etc.) as part of code unit development and testing.

  • From a build server (Maven, Ant, MSBuild, etc.) as part of continuous integration/build.

The server uses Oracle or OpenSDK, which requires much more work https://github.com/hgomez/obuildfactory/wiki/Building-and-Packaging-OpenJDK7-for-OSX So please stay with Oracle for now.

MySQL is supported.

Docker and Puppet scripts to build the server ???

https://github.com/sonarsource/sonar-examples

  1. Read the documentation
  2. Unzip and start
  3. Analyze projects
  4. Ready to improve quality

Jenkins Configuration

Connection to Jenkins: http://docs.sonarqube.org/display/PLUG/SonarQube+Scanner+for+Jenkins

Client Configuration

http://www.sonarlint.org/visualstudio/ SonarLint for Visual Studio is based on and benefits from the .NET Compiler Platform (“Roslyn”) and its code analysis API to provide a fully-integrated user experience in Visual Studio 2015. SonarLint is free, open source, and available in the Visual Studio Gallery.

Validation

This article on July 2016 reported that researchers from NYU found that static scans found only 2% of defects injected by their PDF about their LAVA (Large-Scale Automated Vulnerability Addition).

This is both the fuzz testing” and “symbolic-execution” approaches.

Custom Rules

Write rules in Java to work on major languages, or XPATH to work on data formats (XML, PL/SQL, Flex) using the SSLR Toolkit.

https://docs.sonarqube.org/latest/extend/adding-coding-rules/

Each rule defines Impact and Likelihood assessments.

More on DevOps

This is one of a series on DevOps:

  1. DevOps_2.0
  2. ci-cd (Continuous Integration and Continuous Delivery)
  3. User Stories for DevOps

  4. Enterprise Software)

  5. Git and GitHub vs File Archival
  6. Git Commands and Statuses
  7. Git Commit, Tag, Push
  8. Git Utilities
  9. Data Security GitHub
  10. GitHub API

  11. TFS vs. GitHub

  12. Choices for DevOps Technologies
  13. Pulumi Infrastructure as Code (IaC)
  14. Java DevOps Workflow

  15. Okta for SSO & MFA

  16. AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
  17. AWS server deployment options

  18. AWS Load Balancers

  19. Cloud services comparisons (across vendors)
  20. Cloud regions (across vendors)

  21. AWS Virtual Private Cloud

  22. Azure Cloud Onramp (Subscriptions, Portal GUI, CLI)
  23. Azure Certifications

  24. Azure Cloud

  25. Azure Cloud Powershell
  26. Bash Windows using Microsoft’s WSL (Windows Subsystem for Linux)

  27. Azure KSQL (Kusto Query Language) for Azure Monitor, etc.

  28. Azure Networking
  29. Azure Storage
  30. Azure Compute

  31. Azure Monitoring

  32. Digital Ocean

  33. Cloud Foundry

  34. Packer automation to build Vagrant images
  35. Terraform multi-cloud provisioning automation

  36. Hashicorp Vault and Consul to generate and hold secrets

  37. Powershell Ecosystem
  38. Powershell on MacOS

  39. Powershell Desired System Configuration

  40. Jenkins Server Setup
  41. Jenkins Plug-ins
  42. Jenkins Freestyle jobs

  43. Jenkins2 Pipeline jobs using Groovy code in Jenkinsfile

  44. Docker (Glossary, Ecosystem, Certification)
  45. Make Makefile for Docker
  46. Docker Setup and run Bash shell script
  47. Bash coding
  48. Docker Setup
  49. Dockerize apps

  50. Docker Registry

  51. Maven on MacOSX

  52. Ansible
  53. Kubernetes Operators

  54. OPA (Open Policy Agent) in Rego language

  55. MySQL Setup

  56. Threat Modeling

  57. SonarQube & SonarSource static code scan

  58. API Management Microsoft

  59. API Management Amazon

  60. Scenarios for load
  61. Chaos Engineering

Static Code Analysis was published on .