Wilson Mar bio photo

Wilson Mar

Hello. Hire me!

Email me Calendar Skype call 310 320-7878

LinkedIn Twitter Gitter Instagram Youtube

Github Stackoverflow Pinterest

It has your back … by riding your back


This article contains my notes on Static Analysis of code.

SonarQube (abbreviated to Sonar here) improves code quality by scanning source code to identify issues from meaures it calculates. The functionality it performs is SonarQube performs “static analysis” of programming code.

Static Analysis vs Lint

SonarQube’s licensed competitors include PRQA, which uses this illustration to differentiate itself versus lint programs and “bug catchers”.

The value proposition for using static analysis tools versus simpler lint programs is the time and frustration that developers save analyzing false positives, which leads to less usage and thus more lingering defects (“technical debt”).

A summary of what SonarQube finds estimates Technical Debt, which SonarQube tracks over time.


Sonar scans different facets (such as security).

Different languages

Sonar analyzes various languages using plug-ins.

### Sonar for Scala #

http://www.scalastyle.org/ provides a list of ways to use Scalastyle at https://github.com/scalastyle

by 3 people:

  • Matthew Farwell (http://www.farwell.co.uk/ of Switzerland)



is based on a fork of https://github.com/NCR-CoDE/sonar-scalastyle


SQALE Summary Ratings

Sonar calculates a SQALE Rating based on the open-source SQALE (Software Quality Assessment based on Lifecycle Expectations) methodology defined by industry group http://www.sqale.org/. The caluculation is based on inclusion of rules set in the Common SonarQube repository:

  • Duplicated blocks
  • Failed unit tests
  • Insufficient branch coverage by unit tests
  • Insufficient comment density
  • Insufficient line coverage by unit tests
  • Skipped unit tests

Change SQUALE calculations in the plug-in http://www.sonarsource.com/products/plugins/governance/sqale/


SonarQube Analyzers scan code organized into projects.

sonarqube rules fromdoc

Coding standards include:

  • ISO 26262

  • MISRA (Motor Industry Software Reliability Association) was first published in April 2013 to support C99 and C90 versions of the C language, used mostly for embedded software development.

  • JSF

  • HIC++


Customizable Tags provide a way to categorize and filter rules.

Install Enviornment to Run SonarQube

Since SonarQube runs as a server, it’s best to have it run within a VM.

Install Enviornment to Run SonarQube

  1. Install SonarQube using Homebrew:

    brew install scalastyle

This page was written after downloading file SonarQube 5.1.2 created Jul. 27, 2015 from http://www.sonarqube.org/

Most developers prefer to have Sonar look at code before commit into a team repository. Such preview mode runs do not store results in the Sonar run database.

Plugins enable Sonar to be invoked several ways:

  • From a command line as one step in local evaluations. This approach enables one-time parameter configuration for each individual user.

  • From inside IDE (IntelliJ, Eclipse, etc.) as part of code unit development and testing.

  • From a build server (Maven, Ant, MSBuild, etc.) as part of continuous integration/build.

The server uses Oracle or OpenSDK, which requires much more work https://github.com/hgomez/obuildfactory/wiki/Building-and-Packaging-OpenJDK7-for-OSX So please stay with Oracle for now.

MySQL is supported.

Docker and Puppet scripts to build the server ???


  1. Read the documentation
  2. Unzip and start
  3. Analyze projects
  4. Ready to improve quality

Jenkins Configuration

Connection to Jenkins: http://docs.sonarqube.org/display/PLUG/SonarQube+Scanner+for+Jenkins

Client Configuration

http://www.sonarlint.org/visualstudio/ SonarLint for Visual Studio is based on and benefits from the .NET Compiler Platform (“Roslyn”) and its code analysis API to provide a fully-integrated user experience in Visual Studio 2015. SonarLint is free, open source, and available in the Visual Studio Gallery.


This article on July 2016 reported that researchers from NYU found that static scans found only 2% of defects injected by their PDF about their LAVA (Large-Scale Automated Vulnerability Addition).

This is both the fuzz testing” and “symbolic-execution” approaches.

More on DevOps

This is one of a series on DevOps:

  1. DevOps_2.0
  2. ci-cd (Continuous Integration and Continuous Delivery)
  3. User Stories for DevOps

  4. Git and GitHub vs File Archival
  5. Git Commands and Statuses
  6. Git Commit, Tag, Push
  7. Git Utilities
  8. Data Security GitHub
  9. GitHub API
  10. TFS vs. GitHub

  11. Choices for DevOps Technologies
  12. Java DevOps Workflow
  13. AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
  14. AWS server deployment options

  15. Cloud regions
  16. AWS Virtual Private Cloud
  17. Azure Cloud Onramp
  18. Azure Cloud
  19. Azure Cloud Powershell
  20. Bash Windows using Microsoft’s WSL (Windows Subystem for Linux)

  21. Digital Ocean
  22. Cloud Foundry

  23. Packer automation to build Vagrant images
  24. Terraform multi-cloud provisioning automation

  25. Powershell Ecosystem
  26. Powershell on MacOS
  27. Powershell Desired System Configuration

  28. Jenkins Server Setup
  29. Jenkins Plug-ins
  30. Jenkins Freestyle jobs
  31. Jenkins2 Pipeline jobs using Groovy code in Jenkinsfile

  32. Dockerize apps
  33. Docker Setup
  34. Docker Build

  35. Maven on MacOSX

  36. Ansible

  37. MySQL Setup

  38. SonarQube static code scan

  39. API Management Microsoft
  40. API Management Amazon

  41. Scenarios for load