SAP CPQ : How to Write Cleaner, Safer Code with SonarQube & Docker

source link: https://blogs.sap.com/2023/04/08/sap-cpq-how-to-write-cleaner-safer-code-with-sonarqube-docker/
April 8, 2023 3 minute read

Introduction

SonarQube is a tool that helps you catch bugs and vulnerabilities in your SAP CPQ app written in IronPython scripting. Together with Pylint and unit tests, it provides a thorough code quality scan.

In this blog post, I will show you how to set up SonarQube and run it locally over a folder of IronPython scripts. Then we will improve the SonarQube analysis by adding Pylint reports.


What is SonarQube?

SonarQube is a popular continuous inspection tool for code quality and code security that aims to help development teams ship better software. It functions as an automatic code review tool with support for more than 30 programming languages.

SonarQube easily interfaces with CI pipelines and DevOps builds to make code inspection swift and efficient for engineers. It is also self-managed, satisfying the need for developers to ship quality and maintainable code at a fast pace.

Installing SonarQube on Docker

Getting SonarQube on Docker simply involves grabbing the image from Docker Hub. If you use a Linux machine, you’ll need to set the recommended base configurations using the commands provided by Docker under “Docker Host Requirements”.


Next, launch the Docker daemon in a separate terminal. Then run the command below in a terminal to start a server:

docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest

You can access the SonarQube instance with the host IP address and the specified port (localhost:9000 in our example): http://localhost:9000/


When the SonarQube portal homepage appears, go ahead and log in with the default username and password (“admin”). Next, you’ll be asked to update your password.

Select the “Manually” option. (If you want to set up SonarQube with GitHub or another platform, select that option instead.)


Enter the “display name” and “key” and click “Set Up”.


Now select the “Locally” option, since we are going to set it up on our local machine.


Enter a token name and click the “Generate” button. You will get the sonar token.


Save that token, click “Continue”, and choose your project language.


Download the scanner zip file from the link below and extract it.

https://docs.sonarqube.org/latest/analyzing-source-code/scanners/sonarscanner/

Copy all folders, paste them somewhere, and add the “bin” directory path to the PATH environment variable.


Let’s Run Your Code Analysis

Running a SonarQube analysis is now very simple. You just need to execute the following command in your project’s root folder. The command runs a sonar check for your whole project:

sonar-scanner.bat -D"sonar.projectKey=test-key" -D"sonar.sources=." -D"sonar.host.url=http://localhost:9000" -D"sonar.login=<sonar-token-here>"

Replace <sonar-token-here> with the token generated above. To scan only a specific file or folder instead of the whole project, point sonar.sources at that path:

sonar-scanner.bat -D"sonar.projectKey=test-key" -D"sonar.sources=<file-or-folder-path-here>" -D"sonar.host.url=http://localhost:9000" -D"sonar.login=<sonar-token-here>"

After the above command runs successfully, you can check the results on your SonarQube project page http://localhost:9000/

The Sonar report will automatically infer the project name from your code, i.e., the final report will show your actual project name rather than test-key.
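As an added example (not the post’s own code), the start-and-scan procedure above wrapped in a shell script: it polls the server’s /api/system/status endpoint until it reports UP before scanning, and it hands the token to the scanner through the SONAR_TOKEN environment variable instead of typing it on the command line, where it would end up in shell history and process listings. It assumes sonar-scanner (sonar-scanner.bat on Windows) is on PATH, that the scanner version in use reads SONAR_TOKEN from the environment, and that source paths contain no spaces.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the post's docker run and
# sonar-scanner steps. Assumes sonar-scanner is on PATH and that the scanner
# version in use reads the token from the SONAR_TOKEN environment variable.
SONAR_HOST="${SONAR_HOST:-http://localhost:9000}"
PROJECT_KEY="${PROJECT_KEY:-test-key}"
SOURCES="${SOURCES:-.}"

# Start the container exactly as in the post. Disabling the Elasticsearch
# bootstrap checks is a single-developer convenience; a shared or CI server
# should meet the host requirements instead of skipping them.
start_sonarqube() {
  docker run -d --name sonarqube \
    -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true \
    -p 9000:9000 sonarqube:latest
}

# Extract the "status" value (STARTING, UP, DOWN, ...) from the JSON that
# GET /api/system/status returns. Plain sed, so no jq is required.
parse_status() {
  printf '%s' "$1" | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p'
}

# Poll until SonarQube reports UP; a scan launched while the server is still
# starting simply fails to upload its report.
wait_for_sonarqube() {
  i=0
  while [ "$i" -lt 60 ]; do
    status=$(parse_status "$(curl -s "$SONAR_HOST/api/system/status")")
    [ "$status" = "UP" ] && return 0
    i=$((i + 1)); sleep 5
  done
  echo "SonarQube did not report UP in time" >&2; return 1
}

# Build the scanner arguments with no token in them: the token travels in the
# environment, so it never lands in shell history or in `ps` output.
scanner_args() {
  printf '%s\n' "-Dsonar.projectKey=$PROJECT_KEY" \
                "-Dsonar.sources=$SOURCES" \
                "-Dsonar.host.url=$SONAR_HOST"
}

# Refuse to scan without a token rather than fall back to anonymous access.
run_scan() {
  [ -n "$SONAR_TOKEN" ] || { echo "export SONAR_TOKEN first" >&2; return 1; }
  # word-splitting the one-argument-per-line list is intended (paths without spaces)
  sonar-scanner $(scanner_args)
}
```

Typical use is start_sonarqube, then wait_for_sonarqube, then export SONAR_TOKEN and call run_scan; the container keeps its data in an embedded database, so removing it discards the projects you created.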


Code Smell Issues


For the SAP CPQ script, the Code Smell findings suggest some changes to make.


Final Thoughts

SonarQube is a great tool for checking the quality of code and supports more than 25 languages. I hope you have liked it and now know what SonarQube is and how to set it up on a local machine.

Note

We can discuss CI configuration another time. The main goal here was to run and use SonarQube locally.
