Ultimate and Easy Ways About Jenkins Code Analysis To make you Successful

Introduction

In the previous several blogs, we discussed automating/integrating several aspects of SDLC. We discussed Jenkins configuration, Building and compiling source code, integrated testing with our pipeline, notifications and so on. Now, here’s one more aspect of SDLC, code analysis. For this, we will integrate different tools with our pipeline which will analyse on the basis of the best practice essential for the development of code. 

Let’s start analysing code and obviously with the help of both kind of projects:

• Freestyle
• Pipeline/Multibranch Pipeline

So, here we proceed !!

What is Code Analysis?

Code Analysis tool is to analyse the code for vulnerabilities, bugs, code complexity and test coverage. Code Analysis is basically responsible for code quality which will help in removing duplicated code and reports of code complexity and code coverage also. There are various kinds of code analysis tools present in the market like:

• Sonarqube (Widely utilized, approved and accepted)
• SourceMeter
• Veracode
• Coverity 
• Findbugs
• PMD
• Checkstyle
• EMMA etc.

Code analysis done on code without actually executing the code program. Code analysis assists project team(s) in stopping problems before they actually surface. If an organization is not able to identify vulnerabilities at the correct time, it can lead to higher cost, increased maintenance efforts, Business disruption and performance also will be affected

Jenkins - Code Analysis

The Jenkins Next Generation plugin helps in analyzing code, collects all warnings, and helps in visualizing the records through pie charts and graphs. This plugin replaces the entire Jenkins Static Analysis suite. Various other plugins become obsolete now after the launch of this like:

• PMD
• Static Analysis Collector
• Findbugs
• Warning

etc

• Install Warnings Next Generation plugin from Manage Jenkins → Manage Plugins

• Now, as this plugin gives us multiple tools options to analyse, just to note that we will be using “checkstyle” for our demo. Just a prerequisite, in your maven project, you should be using checkstyle plugin in reporting section of pom.xml like below:

This will enable the reporting of check style results, with a configuration file(required). Put your checkstyle.xml file which is required to have all modules utilized to capture the results, if the developer’s code is following best practice or not.

• Proceed to already created freestyle project’s (in previous blogs) configuration page and add one more maven goal in already existing to execute check style on source code, that is: “check style:checkstyle”

• Go to “Post-Build Actions” segment and look for “Record Compiler warnings and static analysis results”

• You will get the below options to choose and fill accordingly. For tool field, observe a list of multiple tools to work upon but as decided, for our example we will be utilizing “checkstyle”, so select that and then we will do the configuration on basis of chosen tool:

1. Report File Pattern -- Provide file(s) path from where to generate detailed reports and graphs.

2. Report Encoding -- whether UTF-8 or ISO-8859-1 etc., I chose the default.

3. Custom ID - Any unique ID, apart from default “checkstyle"

4. Custom Name -- Unique Name, apart from default “checkstyle”.

• You can add multiple tools by clicking the “Add” button depending on the requirement as every tool suffices different types of requirements and having different rulesets.
• Press Advanced and it will open detailed configuration pane but useful one for us are:

  • Aggregate results -- To combine end reports of all defined tools 

  • Issue filters -- If need to include/exclude package, module, class file, etc, define filters and chose select from the drop-down:

1. Fail on Errors -- Fails the build, if errors have been reported.

2. Quality Gate -- Similarly, you can specify a quality gate with threshold value to make build fail/unstable.

• These configurations will be enough. Click Save and build the job.
• Once your maven goals executed successfully, it will start reading from an XML file and record the result as can be checked from console output:
• Go back to the Job dashboard and you will see the “Checkstyle Warnings” link on the left side. Click on the link:

This will give you an overall result in the form of different pie-charts and graphs. In the pie charts, it will show you Severities distribution on the basis of  -

• errors
• High 
• Normal and 
• Low

In the below, you will see details on the basis of “categories”, “types” and “issues”. Just go through all these to have a better understanding.

• On the basis of these warnings provided in the “Details” section, work on your code, resolve it and then re-run the job. You will observe less number of issues next. 

This checkstyle will run on your overall code and try to capture all best practices and vulnerabilities on the ruleset defined in the corresponding xml file( e.g. checkstyle.xml, in this case). Resolve on the basis of priority and severity and proceed. This is how you can integrate your check style warnings in freestyle projects. Graphs will also determine the number of severities fixed from the last run.

On a high level, it will show:

• Total number of warnings in a job
• Fixed and new warnings of build
• Trend reports per build
• Detailed view of warnings/errors per module, package, category and type.
• The detailed report of warnings sorted by severity.

Code Analysis - Pipeline project

For similar discussions like above, in the pipeline we can use:

• scanForIssues and
• publishIssues

To scan and publish static analysis scans and reports. E.g. for scan, following line to be added in “post” block

scanForIssues tool: checkStyle(pattern: '**/target/checkstyle-results.xml')

SONARQUBE - Jenkins Integration

Sonarqube is the most widely known tool used for static analysis. It will help in catching bugs and vulnerabilities also in your project. 

We will use SonarScanner to scan code and will connect to Sonarqube instances. Sonarscanner is available as Jenkins and Maven Plugin.

 

Create Sonarqube Instance

1. We will use the Community edition of Sonarqube for this blog which comes with its own ES and DB set up. Download latest Sonarqube Community Edition, as a non-root user, start sonarqube server after unzipping the zip file:

/opt/sonarqube/bin/linux-x86-64/sonar.sh console

2. Open URL http://:9000 and login with default credentials- admin/admin.

Changes in Source Code

1. Open your pom.xml and include the following code. We will be using default tool “Jacoco” for code coverage:

Configuring Jenkins with Sonarqube

1. Install Sonarqube Scanner plugin 
2. Proceed to Manage Jenkins → Configure System. Look for Sonarqube servers and Add Sonarqube.

3. Provide a user-defined name and Server URL. For Server Authentication token, go to your Sonarqube server, click on User at top right, select My Account

4. Go to the Security Section, Provide token name under “Generate Tokens” and click Generate. Copy the token and go back to Jenkins. Click on “Add”.

5. There can be an issue that ADD will not pop up anything, just save the configuration and come back. Click on Add → Jenkins → Select “Secret Text” and add the generated Token there with proper ID(otherwise, it will take a random ID). I provided an ID as “sonarqube-token”.

6. Click Save.

7. Proceed to Manage Jenkins → Global Tool Configuration → Sonarqube Scanner. Click on Add Sonarqube Scanner

8. Now, Proceed to Job configuration. Update maven goals section with “verify sonar:sonar install”. Provide sonar host url in Maven properties section:

sonar.host.url=http://:9000/

9. From Build Step, Select “Execute Sonarqube Scanner”

10. In this section, we will update “Analysis properties” only with following values:

# Metadata Info
sonar.projectKey= //User Declared
sonar.sources=src/main
sonar.sourceEncoding=UTF-8
sonar.language=java

# Tests Configuration
sonar.tests=src/test
sonar.junit.reportsPath=target/surefire-reports
sonar.surefire.reportsPath=target/surefire-reports
sonar.jacoco.reportPath=target/jacoco.exec
sonar.java.binaries=target/classes
sonar.java.coveragePlugin=jacoco
 

11. Press Save and Build.

12. Code will be scanned successfully and you can check from Console output also. Once completed, your Jenkins dashboard will look like:

Verify Sonarqube Instance

1. Click on Link from Jenkins, it will open your Sonarqube instance with project key specified in job’s configuration:

I was having 2 projects running, so it is showing two instances in my case. As it was a sample project, so no coverage happened but there is 1 “code Smells” issue. Similarly, go through your analysis and rectify problems as per priority /severity.

2. This is how Sonarqube is integrated with Jenkins using the Freestyle project.

SONARQUBE - Jenkins Integration - Pipeline

Your sample Jenkinsfile will look like:

• withSonarQubeEnv -- will take the Name set in Jenkins’ Configuration system
• waitForQualityGate -- will halt pipeline for 10 minutes and wait for the Quality gate to pass
• All the properties we described in the Freestyle project can be configured in sonar-project.properties file and put it in your root location of source code.

After successful completion, verify your Sonarqube instance:

Conclusion

In this blog, we discussed integrating code analysis tools with Jenkins and how code analysis can help in your project. Happy coding and do let me know if stuck anywhere while trying. In the next blog, we will discuss master-slave architecture in Jenkins, how to manage different nodes for different jobs. See you soon discussing some more interesting stuff on another blog!!

Hope this helps.

FaceBook Twitter Google+ LinkedIn Pinterest Email