SonarQube is an open source code quality management platform used to detect code defects, security vulnerabilities, code odors, duplicate code in more than 20 languages such as Java, and evaluate test coverage and complexity. 1. Install the SonarQube server and access http://localhost:9000 to complete initialization; 2. Configure the SonarScanner tool or use the Maven/Gradle plug-in; 3. Create the sonar-project.properties file in the project root directory, specify the project information, source code path, compilation output and test report path; 4. Use Jacoco to generate a test coverage report, and configure prepare-agent and report execution through the Maven plug-in; 5. Run the mvn clean verify sonar:sonar or sonar-scanner command, and submit the analysis results in combination with the -Dsonar.login token authentication. Key rules include avoiding empty catch blocks, controlling circle complexity, eliminating duplicate code, ensuring more than 80% test coverage, and handling security hotspots. Quality access control can be enforced in CI processes such as Jenkins or GitHub Actions via custom quality thresholds (such as new code coverage ≥80%, zero serious problems, duplicate code

Java code quality and static analysis are key links to ensure long-term maintainability and stability of projects, and SonarQube is one of the most popular code quality management platforms at present. It can help development teams automatically detect potential flaws, code odors, security vulnerabilities and duplicate code in code, thereby continuously improving code quality.

What is SonarQube?

SonarQube is an open source platform for continuous inspection of code quality. It supports more than 20 programming languages including Java, and provides insights into the following dimensions by statically analyzing source code:

• Bug detection : Found a code problem that may cause runtime errors.
• Vulnerability identification : Detect security issues, such as SQL injection, hard-coded passwords, etc.
• Code Smell : Points out code with poor structure and difficult to maintain.
• Repeat code : Identify duplicate code blocks to reduce maintenance costs.
• Test coverage : Integrate unit test reports to evaluate code coverage.
• Complexity analysis : measure the circle complexity of classes and methods to avoid excessive complexity.

How to integrate SonarQube into Java project?

To apply SonarQube to a Java project, the following steps are usually required:

1. Install and start the SonarQube server

   • Download SonarQube (Community Edition for free) and start the service (default port 9000).
   • Visit http://localhost:9000 to complete the initial configuration.

2. Configure SonarScanner

   
   • SonarScanner is a command-line tool for performing analysis and needs to be downloaded and configured into the system path.
   • Or use the Maven/Gradle plug-in to integrate more easily.

3. Add configuration files to the project

   • Create a sonar-project.properties file in the project root directory, content example:

      sonar.projectKey=my-java-project
     sonar.projectName=My Java Project
     sonar.projectVersion=1.0
     
     sonar.sources=src/main/java
     sonar.tests=src/test/java
     sonar.java.binaries=target/classes
     sonar.java.test.binaries=target/test-classes
     
     sonar.junit.reportPaths=target/surefire-reports
     sonar.jacoco.reportPaths=target/jacoco.exec

4. Generate code coverage report (Jacoco recommended)

   • If using Maven, add the Jacoco plugin:

      <plugin>
         <groupId>org.jacoco</groupId>
         <artifactId>jacoco-maven-plugin</artifactId>
         <version>0.8.11</version>
         <executions>
             <execution>
                 <goals>
                     <goal>prepare-agent</goal>
                 </goals>
             </execution>
             <execution>
                 <id>report</id>
                 <phase>test</phase>
                 <goals>
                     <goal>report</goal>
                 </goals>
             </execution>
         </executions>
     </plugin>

5. Running analysis

   • Execute the command:

      mvn clean verify sonar:sonar \
       -Dsonar.login=your-token \
       -Dsonar.host.url=http://localhost:9000

   • Or use SonarScanner:

      sonar-scanner -Dsonar.login=your-token

Note: It is recommended to use the user token generated by SonarQube for authentication, rather than the plaintext username and password.

Key Quality Rules and Best Practices

SonarQube has hundreds of rules built in, and here are some that are particularly worthy of attention in Java projects:

• Avoid empty catch blocks
  catch(Exception e) {} will mask the exception and should at least log logs.

• Reduce circle complexity (Cyclomatic Complexity)
  The method is too complex (default > 10 alarms) means it is difficult to test and maintain, and the logic should be split.

• Eliminate duplicate code
  SonarQube will mark similar code blocks, prompting to extract public methods or classes.

• Ensure unit test coverage
  It is recommended to set a minimum coverage threshold (such as row coverage ≥80%) and to be mandatory checks in the CI process.

• Security Hotspots
  Such as hard-coded credentials, unsafe random number generation ( Math.random() is used in safe scenarios), etc.

You can customize quality thresholds in the SonarQube interface, for example:

• The coverage rate of new codes is ≥ 80%
• Zero serious (Blocker) problem
• Number of repeated lines of code

These rules can be enforced in the project continuous integration (CI) process, such as integrating SonarQube scans in Jenkins or GitHub Actions, and blocking merges if they fail.

Tips: Avoid common pitfalls

• Compiled classpath configuration error
  Make sure sonar.java.binaries points to the correct compiled output directory (such as target/classes ), otherwise some rules will not take effect.

• The test report path is incorrect
  If sonar.junit.reportPaths and sonar.jacoco.reportPaths are not configured correctly, the coverage will be displayed as 0.

• Incremental analysis vs full analysis
  SonarQube performs full analysis by default. If you only analyze the change code, you can use sonar-scm-provider-git plug-in to cooperate.

• Chinese annotations lead to coding problems
  Ensure that the source code file is UTF-8 encoding to avoid analysis failures due to character set problems.

Basically that's it. What makes SonarQube powerful is that it turns code quality into a measurable and traceable process. For Java projects, integrating SonarQube is not complicated, but the long-term benefits are very significant - fewer online bugs, better maintainability, and more efficient teamwork.

The above is the detailed content of Java Code Quality and Static Analysis with SonarQube. For more information, please follow other related articles on the PHP Chinese website!