In the previous several blogs, we discussed automating/integrating several aspects of SDLC. We discussed Jenkins configuration, Building and compiling source code, integrated testing with our pipeline, notifications and so on. Now, here’s one more aspect of SDLC, code analysis. For this, we will integrate different tools with our pipeline which will analyse on the basis of the best practice essential for the development of code.
Let’s start analysing code and obviously with the help of both kind of projects:
So, here we proceed !!
Code Analysis tool is to analyse the code for vulnerabilities, bugs, code complexity and test coverage. Code Analysis is basically responsible for code quality which will help in removing duplicated code and reports of code complexity and code coverage also. There are various kinds of code analysis tools present in the market like:
Code analysis done on code without actually executing the code program. Code analysis assists project team(s) in stopping problems before they actually surface. If an organization is not able to identify vulnerabilities at the correct time, it can lead to higher cost, increased maintenance efforts, Business disruption and performance also will be affected
DevOps Training & Certification Course
The Jenkins Next Generation plugin helps in analyzing code, collects all warnings, and helps in visualizing the records through pie charts and graphs. This plugin replaces the entire Jenkins Static Analysis suite. Various other plugins become obsolete now after the launch of this like:
This will enable the reporting of check style results, with a configuration file(required). Put your checkstyle.xml file which is required to have all modules utilized to capture the results, if the developer’s code is following best practice or not.
Report File Pattern -- Provide file(s) path from where to generate detailed reports and graphs.
Report Encoding -- whether
UTF-8 or ISO-8859-1 etc., I chose the default.
Custom ID - Any unique ID, apart from default “checkstyle"
Custom Name -- Unique Name, apart from default “checkstyle”.
Aggregate results -- To combine end reports of all defined tools
Fail on Errors -- Fails the build, if errors have been reported.
Quality Gate -- Similarly, you can specify a quality gate with threshold value to make build fail/unstable.
This will give you an overall result in the form of different pie-charts and graphs. In the pie charts, it will show you Severities distribution on the basis of -
In the below, you will see details on the basis of “categories”, “types” and “issues”. Just go through all these to have a better understanding.
This checkstyle will run on your overall code and try to capture all best practices and vulnerabilities on the ruleset defined in the corresponding xml file( e.g. checkstyle.xml, in this case). Resolve on the basis of priority and severity and proceed. This is how you can integrate your check style warnings in freestyle projects. Graphs will also determine the number of severities fixed from the last run.
On a high level, it will show:
For similar discussions like above, in the pipeline we can use:
To scan and publish static analysis scans and reports. E.g. for scan, following line to be added in “post” block
scanForIssues tool: checkStyle(pattern: '**/target/checkstyle-results.xml')
Sonarqube is the most widely known tool used for static analysis. It will help in catching bugs and vulnerabilities also in your project.
We will use SonarScanner to scan code and will connect to Sonarqube instances. Sonarscanner is available as Jenkins and Maven Plugin.
1. We will use the Community edition of Sonarqube for this blog which comes with its own ES and DB set up. Download latest Sonarqube Community Edition, as a non-root user, start sonarqube server after unzipping the zip file:
2. Open URL
Open your pom.xml and include the following code. We will be using default tool “Jacoco” for code coverage:
Provide a user-defined name and Server URL. For Server Authentication token, go to your Sonarqube server, click on User at top right, select My Account
Go to the Security Section, Provide token name under “Generate Tokens” and click Generate. Copy the token and go back to Jenkins. Click on “Add”.
There can be an issue that ADD will not pop up anything, just save the configuration and come back. Click on Add → Jenkins → Select “Secret Text” and add the generated Token there with proper ID(otherwise, it will take a random ID). I provided an ID as “sonarqube-token”.
Proceed to Manage Jenkins → Global Tool Configuration → Sonarqube Scanner. Click on Add Sonarqube Scanner
Now, Proceed to Job configuration. Update maven goals section with “verify sonar:sonar install”. Provide sonar host url in Maven properties section:
From Build Step, Select “Execute Sonarqube Scanner”
In this section, we will update “Analysis properties” only with following values:
# Metadata Info
sonar.projectKey= //User Declared
# Tests Configuration
Press Save and Build.
Code will be scanned successfully and you can check from Console output also. Once completed, your Jenkins dashboard will look like:
Click on Link from Jenkins, it will open your Sonarqube instance with project key specified in job’s configuration:
I was having 2 projects running, so it is showing two instances in my case. As it was a sample project, so no coverage happened but there is 1 “code Smells” issue. Similarly, go through your analysis and rectify problems as per priority /severity.
This is how Sonarqube is integrated with Jenkins using the Freestyle project.
Your sample Jenkinsfile will look like:
After successful completion, verify your Sonarqube instance:
In this blog, we discussed integrating code analysis tools with Jenkins and how code analysis can help in your project. Happy coding and do let me know if stuck anywhere while trying. In the next blog, we will discuss master-slave architecture in Jenkins, how to manage different nodes for different jobs. See you soon discussing some more interesting stuff on another blog!!
Hope this helps.
A dynamic, highly professional, and a global online training course provider committed to propelling the next generation of technology learners with a whole new way of training experience.
MS SQL Server
Receive Latest Materials and Offers on DevOps Course