
Sonar Code Quality Analysis

Sonar is a tool for continuous code quality inspection. It supports many languages and reports detailed findings about a codebase. It can be run as a standalone tool on your local machine or integrated into a CI/CD pipeline on a platform such as GitHub or GitLab.

Setting Up sonar-project.properties

To begin using Sonar, you need to create a sonar-project.properties file in the root of your project. This file contains all the necessary configurations for Sonar to analyze your project.

|---lib
|---analysis_options.yaml
|---pubspec.yaml
|---sonar-project.properties

Here is an example of a basic sonar-project.properties file:

sonar-project.properties
# Required metadata
sonar.projectKey=yourproject_key
sonar.organization=yourOrg

# Disable the C, C++ and Objective-C analyzers: a suffix of "-" matches no files
sonar.c.file.suffixes=-
sonar.cpp.file.suffixes=-
sonar.objc.file.suffixes=-

# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
#sonar.sources=.

# Encoding of the source code. Default is default system encoding
sonar.sourceEncoding=UTF-8

# Path (relative to this file) of the external issues report produced by
# "dcm run --analyze --reporter=sonar lib > ./dcm-quality-report.json"
sonar.externalIssuesReportPaths=dcm-quality-report.json

Key Configuration Details

  • sonar.projectKey: A unique identifier for your project in Sonar.
  • sonar.organization: The organization under which your project is hosted on Sonar.
  • sonar.sourceEncoding: Specifies the encoding of your source files.
  • sonar.externalIssuesReportPaths: Path to an external issue report that Sonar should import alongside its own findings. DCM CLI generates this file when you run dcm run --analyze --reporter=sonar lib > ./dcm-quality-report.json; the path is resolved relative to the project base directory that holds sonar-project.properties.

Generating and Using JSON Reports with Sonar

DCM CLI can generate a report in different formats including JSON format compatible with Sonar.

For instance, if you want to run a DCM analysis and generate a report compatible with Sonar, you can use the following command:

dcm run --analyze --reporter=sonar lib > ./dcm-quality-report.json

This command analyzes the lib directory and writes the results to dcm-quality-report.json, which sonar-project.properties references through the sonar.externalIssuesReportPaths property. Because the report is produced by shell redirection, a DCM failure leaves an empty or truncated file behind, so check that the file is non-empty and parses as JSON before handing it to the scanner.
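As an added example (not DCM's or Sonar's own code), the following Python script checks a report in Sonar's Generic Issue Import format before sonar-scanner uploads it: the required fields are present, severity and type use the values Sonar accepts, and every filePath is relative and points at an analysed source file (issues whose file Sonar cannot match are dropped, not reported as errors). Python rather than Dart is used because it runs unmodified in the CI images shown on this page. The sample report, its engine id, rule ids, messages and file names are constructed for the demo; the assumption is that DCM's sonar reporter emits that schema.

```python
"""Sanity-check a DCM report before sonar-scanner uploads it.

Added example, not DCM's or Sonar's code. Assumes the report follows Sonar's
Generic Issue Import schema: a top-level "issues" array whose entries carry
engineId, ruleId, severity, type and primaryLocation. SAMPLE_REPORT below is
constructed by hand, not real DCM output.
"""
import json
from collections import Counter
from pathlib import Path

SEVERITIES = {"BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"}
TYPES = {"BUG", "VULNERABILITY", "CODE_SMELL"}
REQUIRED = ("engineId", "ruleId", "severity", "type", "primaryLocation")


def dart_sources(base_dir):
    """Relative POSIX paths of all .dart files under base_dir (the directory
    that holds sonar-project.properties), for cross-checking filePaths."""
    base = Path(base_dir)
    return {p.relative_to(base).as_posix() for p in base.rglob("*.dart")}


def _check_issue(index, issue, source_files):
    """Return the reasons Sonar would reject or silently drop this issue."""
    errs = [f"issue {index}: missing field {f}" for f in REQUIRED if f not in issue]
    sev, typ = issue.get("severity"), issue.get("type")
    if sev is not None and sev not in SEVERITIES:
        errs.append(f"issue {index}: unknown severity {sev!r}")
    if typ is not None and typ not in TYPES:
        errs.append(f"issue {index}: unknown type {typ!r}")
    loc = issue.get("primaryLocation") or {}
    if not loc.get("message"):
        errs.append(f"issue {index}: primaryLocation.message is empty")
    path = loc.get("filePath")
    if not path:
        errs.append(f"issue {index}: primaryLocation.filePath is empty")
    elif Path(path).is_absolute() or ".." in Path(path).parts:
        # Paths are resolved against the project base dir; absolute or
        # escaping paths never match an analysed file.
        errs.append(f"issue {index}: filePath {path!r} is not relative to the project")
    elif source_files is not None and path not in source_files:
        errs.append(f"issue {index}: filePath {path!r} is not an analysed source")
    rng = loc.get("textRange")
    if rng is not None:
        start = rng.get("startLine")
        end = rng.get("endLine", start)
        if not isinstance(start, int) or start < 1 or not isinstance(end, int) or end < start:
            errs.append(f"issue {index}: bad textRange {rng!r}")
    return errs


def validate_report(text, source_files=None):
    """Parse the raw report text; return accepted count, counts by severity
    and type, and a list of problems. source_files=None skips the file check."""
    try:
        report = json.loads(text)
    except json.JSONDecodeError as exc:
        # Usual cause: `dcm run ... > report.json` failed and left the file empty.
        return {"accepted": 0, "by_severity": {}, "by_type": {},
                "problems": [f"report is not valid JSON: {exc}"]}
    issues = report.get("issues") if isinstance(report, dict) else None
    if not isinstance(issues, list):
        return {"accepted": 0, "by_severity": {}, "by_type": {},
                "problems": ['report has no top-level "issues" array']}
    problems, by_severity, by_type = [], Counter(), Counter()
    for index, issue in enumerate(issues):
        errs = _check_issue(index, issue, source_files)
        if errs:
            problems.extend(errs)
        else:
            by_severity[issue["severity"]] += 1
            by_type[issue["type"]] += 1
    return {"accepted": sum(by_severity.values()), "by_severity": dict(by_severity),
            "by_type": dict(by_type), "problems": problems}


# Constructed sample: one well-formed issue, one with an invalid severity and an
# absolute path, one pointing at a file that is not among the analysed sources.
SAMPLE_REPORT = json.dumps({"issues": [
    {"engineId": "dcm", "ruleId": "avoid-dynamic", "severity": "MAJOR", "type": "CODE_SMELL",
     "primaryLocation": {"message": "Avoid using dynamic.", "filePath": "lib/main.dart",
                         "textRange": {"startLine": 12, "endLine": 12, "startColumn": 3, "endColumn": 10}}},
    {"engineId": "dcm", "ruleId": "no-empty-block", "severity": "WARNING", "type": "CODE_SMELL",
     "primaryLocation": {"message": "Empty block.", "filePath": "/build/lib/other.dart"}},
    {"engineId": "dcm", "ruleId": "prefer-const", "severity": "MINOR", "type": "CODE_SMELL",
     "primaryLocation": {"message": "Prefer const.", "filePath": "lib/missing.dart"}},
]})


def demo():
    """Validate SAMPLE_REPORT against a constructed source set; in a real
    project pass dart_sources(".") from the properties-file directory."""
    return validate_report(SAMPLE_REPORT, {"lib/main.dart", "lib/other.dart"})


if __name__ == "__main__":
    summary = demo()
    print(f"accepted {summary['accepted']} issue(s): {summary['by_severity']}")
    for problem in summary["problems"]:
        print("PROBLEM:", problem)
    raise SystemExit(1 if summary["problems"] else 0)
```

Run it in the dcm job right after the redirection, before the artifact is handed to the scanner job; a non-zero exit fails the pipeline on an empty or malformed report instead of letting sonar-scanner abort later or drop issues without notice.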

Running Sonar Locally

To run Sonar analysis locally, you'll need to install the Sonar scanner. You can download the scanner from the official SonarQube website and follow the installation instructions.

Once installed, you can execute the following command in your project directory:

sonar-scanner

This command reads sonar-project.properties, runs the analysis it describes and imports the DCM report alongside Sonar's own findings, then uploads the results to your SonarQube server or SonarCloud account. For the upload the scanner also needs the server address (sonar.host.url, which defaults to a local SonarQube at http://localhost:9000) and an authentication token. Pass the token through the SONAR_TOKEN environment variable rather than writing sonar.token or sonar.login into the properties file, which is committed with the project.

Sonar Cloud

If you are using SonarCloud, the same properties file applies: sonar.organization names your SonarCloud organization, sonar.host.url must point to https://sonarcloud.io, and the token must be a SonarCloud token. For detailed instructions on integrating Sonar with different platforms, see the Sonar documentation for your platform.

Sonar Dashboard

Once the report is uploaded, this is how it looks in the Sonar dashboard, which lists the imported issues:

Sonar issues

When you click on an issue, you see the source code, the offending line and metadata such as the issue category and rule name:

Sonar Issue Code

If you are unsure how to fix the issue, follow the DCM documentation link to read more about the rule:

Sonar Find DCM DOC

Example GitLab CI Integration

While Sonar can be used independently, integrating it with your CI/CD pipeline can automate the analysis process. Below is an example .gitlab-ci.yml file that demonstrates how to run Sonar as part of your GitLab CI pipeline:

stages:
  - test

variables:
  DCM_VERSION: "1.21.2-1" # Pin the DCM version (e.g. "1.21.2-1") so the analysis is reproducible
  SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Location of the analysis task cache
  GIT_DEPTH: "0" # Fetch all branches of the project; the analysis task needs the full history
  # sonar-scanner reads SONAR_TOKEN and SONAR_HOST_URL. Define them as masked
  # (and protected) CI/CD variables in the GitLab project settings, not in this file.

dcm:
  stage: test
  image: dart:stable
  before_script:
    - apt-get update -qy
    - apt-get install -y --no-install-recommends wget gnupg2
  script:
    # Install the DCM signing key, register the apt repository that it signs, then install the pinned package
    - wget -qO- https://dcm.dev/pgp-key.public | gpg --dearmor -o /usr/share/keyrings/dcm.gpg
    - echo 'deb [signed-by=/usr/share/keyrings/dcm.gpg arch=amd64] https://dcm.dev/debian stable main' | tee /etc/apt/sources.list.d/dart_stable.list
    - apt-get update
    - apt-get install -y dcm=$DCM_VERSION
    # Write the report that sonar.externalIssuesReportPaths points to
    - dcm run --analyze --reporter=sonar lib > ./dcm-quality-report.json
  artifacts:
    when: always # keep the report even if this job fails, since the Sonar job runs regardless
    untracked: true
    paths:
      - ./dcm-quality-report.json

sonarcloud-check:
  stage: test
  when: always
  image:
    name: sonarsource/sonar-scanner-cli:latest # prefer a pinned tag or digest over "latest"
    entrypoint: [""]
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner
  needs:
    - job: dcm
      artifacts: true

Pipeline Overview

  • DCM job: Installs the pinned DCM package, runs the analysis and publishes the Sonar-format JSON report as a job artifact.
  • Sonar job: Uses the sonarsource/sonar-scanner-cli Docker image to run sonar-scanner, which reads sonar-project.properties, imports the DCM report through sonar.externalIssuesReportPaths and uploads the combined results to Sonar, authenticating with the SONAR_TOKEN and SONAR_HOST_URL variables defined in the project settings. This setup keeps code quality continuously monitored as part of your development process.

Check out full documentation on Sonar & GitLab Integration.

To set up Sonar integration for another platform (e.g. GitHub), refer to Sonar documentation for that platform.