Sonar Code Quality Analysis
Sonar is a powerful tool for continuous code quality inspection, supporting various languages and providing detailed insights into codebase quality. It can be used both as a standalone tool on your local machine or integrated into a CI/CD pipeline like GitHub and GitLab.
Setting Up sonar-project.properties
To begin using Sonar, you need to create a sonar-project.properties file in the root of your project. This file contains all the necessary configurations for Sonar to analyze your project.
|---lib
|---analysis_options.yaml
|---pubspec.yaml
|---sonar-project.properties
Here is an example of a basic sonar-project.properties file:
# Required metadata
sonar.projectKey=yourproject_key
sonar.organization=yourOrg
# Exclude specific file types from the analysis
sonar.c.file.suffixes=-
sonar.cpp.file.suffixes=-
sonar.objc.file.suffixes=-
# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
#sonar.sources=.
# Encoding of the source code. Default is default system encoding
sonar.sourceEncoding=UTF-8
# External issues report path; the file is the result of "dcm run --analyze --reporter=sonar lib > ./dcm-quality-report.json"
sonar.externalIssuesReportPaths=dcm-quality-report.json
Key Configuration Details
- sonar.projectKey: A unique identifier for your project in Sonar.
- sonar.organization: The organization under which your project is hosted on Sonar.
- sonar.sourceEncoding: Specifies the encoding of your source files.
- sonar.externalIssuesReportPaths: Specifies the path to any external issue reports you want Sonar to include in its analysis. This file is generated by the DCM CLI by running:
dcm run --analyze --reporter=sonar lib > ./dcm-quality-report.json
Generating and Using JSON Reports with Sonar
DCM CLI can generate a report in different formats including JSON format compatible with Sonar.
For instance, if you want to run a DCM analysis and generate a report compatible with Sonar, you can use the following command:
dcm run --analyze --reporter=sonar lib > ./dcm-quality-report.json
This command will analyze the lib directory and output the results to dcm-quality-report.json, which can then be referenced in your sonar-project.properties file using the sonar.externalIssuesReportPaths property.
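Because the scanner imports whatever dcm-quality-report.json contains, it is worth validating the report before it is uploaded and deciding on a quality gate in the pipeline itself. The following added example is not part of DCM or Sonar: it assumes the report follows SonarQube's generic issue import format (an "issues" array with engineId, ruleId, severity, type and primaryLocation), checks each issue, counts severities and reports whether a gate passes; the sample report is constructed, not real DCM output.

```python
import json
from collections import Counter

# Constructed sample in SonarQube's generic issue import format. That the DCM
# "sonar" reporter emits exactly this shape is an assumption of this example.
SAMPLE_REPORT = json.dumps({
    "issues": [
        {"engineId": "dcm", "ruleId": "avoid-dynamic", "severity": "MAJOR",
         "type": "CODE_SMELL",
         "primaryLocation": {"message": "Avoid using dynamic type.",
                             "filePath": "lib/main.dart",
                             "textRange": {"startLine": 12, "endLine": 12}}},
        {"engineId": "dcm", "ruleId": "no-empty-block", "severity": "MINOR",
         "type": "CODE_SMELL",
         "primaryLocation": {"message": "Empty block.",
                             "filePath": "lib/util.dart",
                             "textRange": {"startLine": 40}}},
        {"engineId": "dcm", "ruleId": "avoid-unsafe-collection-methods",
         "severity": "CRITICAL", "type": "BUG",
         "primaryLocation": {"message": "Unsafe .first on a possibly empty list.",
                             "filePath": "lib/parser.dart",
                             "textRange": {"startLine": 7}}},
    ]
})

REQUIRED = ("engineId", "ruleId", "severity", "type", "primaryLocation")


def load_issues(text: str) -> list:
    """Parse a report and reject malformed issues before sonar-scanner sees them."""
    data = json.loads(text)
    issues = data.get("issues")
    if not isinstance(issues, list):
        raise ValueError("report has no 'issues' array")
    for i, issue in enumerate(issues):
        missing = [k for k in REQUIRED if k not in issue]
        if missing:
            raise ValueError(f"issue {i} is missing {missing}")
        path = str(issue["primaryLocation"].get("filePath", ""))
        # Paths must stay relative to the project root (where the properties file lives).
        if not path or path.startswith("/") or ".." in path.split("/"):
            raise ValueError(f"issue {i} has a non-relative filePath: {path!r}")
    return issues


def severity_counts(issues: list) -> dict:
    """Number of issues per Sonar severity, e.g. {'MAJOR': 1, 'CRITICAL': 1}."""
    return dict(Counter(issue["severity"] for issue in issues))


def gate_passes(issues: list, blocking=("BLOCKER", "CRITICAL")) -> bool:
    """True when no issue carries a severity the pipeline treats as blocking."""
    return not any(issue["severity"] in blocking for issue in issues)
```

Run it against ./dcm-quality-report.json in the dcm job and exit non-zero when gate_passes returns False to stop the pipeline before the scanner job uploads the report.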
Running Sonar Locally
To run Sonar analysis locally, you'll need to install the Sonar scanner. You can download the scanner from the official SonarQube website and follow the installation instructions.
Once installed, you can execute the following command in your project directory:
sonar-scanner
This command will read the sonar-project.properties file and perform the analysis based on the configurations specified. The results will be uploaded to your SonarQube server or SonarCloud account.
Sonar Cloud
If you are using the Cloud version, you just need to ensure that your CLI is fully integrated with Sonar. For more detailed information on integrating Sonar with different platforms, visit the following links:
- Sonar & GitHub Integration
- Sonar & GitLab Integration
- Sonar & Bitbucket Integration
- Sonar & Azure DevOps Integration
Sonar Dashboard
When the report is uploaded, this is how it looks in the Sonar dashboard, which shows a list of issues:
When you click on an issue, you will see the source code, the error line and some metadata, including the error category, rule name, etc.:
If you are unsure how to fix the error, you can find the DCM documentation link and read more:
Example GitLab CI Integration
While Sonar can be used independently, integrating it with your CI/CD pipeline can automate the analysis process. Below is an example .gitlab-ci.yml file that demonstrates how to run Sonar as part of your GitLab CI pipeline:
stages:
  - test

variables:
  DCM_VERSION: "1.21.2-1" # Specify DCM version (e.g., "1.21.2-1")
  SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
  GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task

dcm:
  stage: test
  image: dart:stable
  before_script:
    - apt-get update -qy
    - apt-get install -y --no-install-recommends wget gnupg2
  script:
    - wget -qO- https://dcm.dev/pgp-key.public | gpg --dearmor -o /usr/share/keyrings/dcm.gpg
    - echo 'deb [signed-by=/usr/share/keyrings/dcm.gpg arch=amd64] https://dcm.dev/debian stable main' | tee /etc/apt/sources.list.d/dart_stable.list
    - apt-get update
    # -y is required: the CI job has no TTY to answer the install prompt
    - apt-get install -y dcm=$DCM_VERSION
    - dcm run --analyze --reporter=sonar lib > ./dcm-quality-report.json
  artifacts:
    untracked: true
    paths:
      - ./dcm-quality-report.json

sonarcloud-check:
  stage: test
  when: always
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner
  needs:
    - job: dcm
      artifacts: true
Pipeline Overview
- DCM Job: Runs the DCM analysis and generates a JSON report.
- Sonar Job: Uses the sonarsource/sonar-scanner-cli Docker image to upload the analysis results to Sonar. This setup ensures that your code quality is continuously monitored as part of your development process.
Check out full documentation on Sonar & GitLab Integration.
To set up Sonar integration for another platform (e.g. GitHub), refer to Sonar documentation for that platform.