SonarQube (formerly known as Sonar) is an open source tool developed by SonarSource for continuous inspection of code quality on over twenty programming languages. SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage and complexity, comments, bugs, and security vulnerabilities. It’s made up of a server component and a bug dashboard that allows you to view and analyze problems identified in your source code.
It’s available in an Eclipse plug-in called SonarLint. By using SonarLint, your IDE can warn you as soon as you write bad code. More than that, it can teach you what’s wrong with the code, show you best practices, and give you examples of fixes. SonarLint also can connect to a server to retrieve the appropriate quality profiles and settings for that project.
In today’s article, we’ll learn how to install SonarLint in Eclipse and how it helps you maintain code quality within your Java Projects.
Installing the SonarLint Plug-in
Installation of the SonarLint plug-in follows the same process as with any Eclipse plug-in:
- Open the Eclipse Marketplace dialog by selecting Help -> Eclipse Marketplace… from the main menu.
In the Eclipse Marketplace dialog:
- Search for “SonarLint.” You should see SonarLint at the top of the list:
Figure 1: SonarLint in the Eclipse Marketplace - Click the Install button.
- On the next screen, accept the terms of the license agreement and click the Finish button to install the plug-in.
- You might get a dialog warning you that you are about to install unsigned content. Go ahead and click Install anyway. Probably nothing bad will happen.
After you restart Eclipse, you’ll be ready to go.
Using SonarLint
Out of the box, SonarLint is preconfigured to analyze Java, JavaScript, PHP, and Python files. To use SonarLint, simply write code as you usually do. Bugs or vulnerabilities will be highlighted directly in the editor by a squiggly blue underline when you save changes. Hovering the mousepointer over underlined code will display a tooltip with the problem, along with links to either view or deactivate the rule:
Figure 2: The SonarLint editor
Clicking the Open description link opens the rule information page in the SonarLint Rule Description view:
Figure 3: The SonarLint Rule Description view
It displays information such as the severity and description of the problem, as well as examples of both Non-compliant code and its Compliant Solution. That makes it much easier to address the issue right then and there.
In addition to presenting issues upon saving files in the editor, SonarLint also can be applied to individual files or to the entire project by right-clicking it in the Project Explorer and selecting SonarLint -> Analyze from the context menu. Issues are displayed in the SonarLint Report view. Clicking a bug brings up the suspect code in the editor:
Figure 4: Report View
Configuring the Ruleset
SonarLint maintains a long list of rules that are executed on source code to generate issues. You can select exactly which rules you want to include in analyses via the Rules Configuration dialog. To access it:
- Bring up the Preferences dialog via Window -> Preferences from the main menu.
- From there, expand the SonarLint item in the left-hand treeview and click the Rules Configuration item.
It shows the rulesets for various languages. If you expand the Java item, you’ll see all of the rules for it—both active and inactive:
Figure 5: The rulesets
You then can activate or deactivate individual rules by selecting or deselecting the associated checkbox.
Binding Projects
Although the the Rules Configuration dialog is well suited to the individual developer, it’s not going to be much help for teams of developers working on the same project(s). For that, you need to connect to SonarCloud or to a SonarQube server. That will not only synch rules, but also issues and exclusions as well. SonarCloud is free for open source projects.
- First, bring up the SonarQube Servers View.
Then, either click the “Connect to a SonarQube server…” link OR right-click anywhere in the view and select New -> Server connection… from the context menu.
The Connect to a SonarQube Server dialog then will appear, with a choice to connect to SonarCloud or to a SonarQube server.
Let’s proceed to bind our project to SonarCloud.
- Make sure that the SonarCloud radio button is selected and click the Next > button.
- You’ll need an authentication token to use the service. If you have one, you can enter it here. Otherwise, click the Generate token button. That will open a browser and load the SonarCloud login page. There, you can log in (or Sign up) to SonarCloud using your Bitbucket, GitHub, or VSTS account.
- Once you’ve got access to the SonarCloud site, you can generate tokens. Give your token a name and click the Generatebutton. Your new token then will appear below the button:
Figure 6: Generating a token - Click the Copy button to store the token on the Clipboard.
- The next step will be to add your organization to the Organizations page. Click the Organizations link in the main navbar to go there.
- Upon logging in, SonarCloud automatically created a default Personal Organization for you. You’ll need to use that name in a moment. If you like, you also can create a new organization via the Createbutton:
Figure 7: Creating a new organization - Back on the Connect to a SonarQube Server dialog, paste your new token into the Token text field and click Next >.
- On the next screen, enter your organization name. As you type, a list of matches from the SonarCloud database will appear in a list underneath the textbox. Choose the matching name from the list and click Next >.
- The next screen shows your full Connection name. Again, click Next >.
- The last screen shows the success message and an option to receive notifications about server events. Click Finish.
This will add SonarCloud to the SonarQube Servers view and also activate issue detection in additional languages, depending on your IDE.
To bind your project to SonarCloud:
- Right-click your project in Project Explorer and select SonarLint -> Bind to a SonarQube project from the context menu.
- Then, on the Bind Eclipse projects to SonarQube projects dialog, make sure that the checkbox beside your project is selected and click Finish:
Figure 8: Binding the project
Conclusion
The SonarLint plug-in for Eclipse is indeed a powerful ally in the quest for high quality code. Use it in conjunction with similar tools such as SpotBugs and JUnit tests for optimal code coverage.
