Introduction to SonarQube & SonarLint

October 20, 2018 0 Comments

Introduction to SonarQube & SonarLint



Blog Introduction to SonarQube & SonarLint
Oct 16, 2018

What is SonarSource?

Sonar is an open source platform used by developers to manage source code quality and consistency. It covers a wide area of code quality checkpoints ranging from styling errors, potential bugs, and code defects to design inefficiencies, code duplication, lack of test coverage, and excess complexity.

 SonatLint & SonarQube

Poor code quality leads to low team velocity, application decommissioning, production crashes, bad company reputation. SonarSource provides the solution to improve Maintainability, Reliability, and Security. SonarSource has been developed with the main objective in mind: make code quality management accessible to everyone with minimal effort.   

SonarQube and SonarLint are products of SonarSource.

SonarQube & SonarLint


SonarQube (formerly known as Sonar) is an open source tool suite to measure and analyze to the quality of source code. It is implemented in Java language and is able to analyze the code of about 20 different programming languages. Anything that affects code base, from minor styling details to critical design errors, is inspected and evaluated by SonarQube, which helps software application developers to identify the issue and its effect.

Sonar tool suite

Main Features

  1. Write Clean Code
    • Overall Health

      Discovered issues can either be Unreachable source code, a Bug, Vulnerability, Code Smell, Coverage or Duplication. Each category has a corresponding number of issues. Dashboard page shows where you stand in terms of quality in a glimpse of an eye.

      Bug & Vulnerability

    • Enfore Quality gate

      To fully enforce a code quality practice across all teams, you need to set up a Quality Gate. A Quality Gate is a set of conditions the project must meet before it can qualify for production release. The overview of the project will show the results of the SonarQube analysis.

      SonarQube analysis

    • Analyze Pull requests

      SonarQube categorizes Issues in the different type. It displays the corresponding number of issues or a percentage value as per different categories.

      There are five different severity levels of Issues like blocker, critical, major, minor and info.

      The issues tab has different filter criteria like category, severity level, tag(s), and the calculated effort (regarding time) it will take to rectify an issue.

      SonarQube category

    • Dig into Issues

      From the issues tab, you have full power to analyze in detail what the main issues are, where they are located when they were added to your code base and who originally introduced them. It provides facility to assign an issue to another user, to add the comment on it, and change its severity level. On Click of a particular issue, shows more description about the issue.

      Sonar Issue Description

  2. Detect Bugs
    • Detect Bugs

      Represents wrong code which has not broken yet but it will probably at the worst possible moment. Examples include null-pointer, memory leaks, and logic errors.

    • Code Smells

      A maintainability-related issue in the code which indicate a violation of fundamental design principles. Code smell technically not incorrect but it is not functional as well. Examples include duplicated code, too complex code, Dead Code, Long Parameter List.

    • Security Vulnerability

      A security-related issue which represents a backdoor for attackers. Examples include SQL injection, hard-coded passwords and badly managed errors.

  3. Multi-Language
    • 20+ Programming Languages

      SonarQube 4.2 and higher version comes with code analyzer for each major programming language.

    • Multi-Language Projects

      We often use multiple programming languages in the software application development – like [C#, C++ and JavaScript] or [Java, JavaScript and HTML]. SonarQube automatically detects the languages and run corresponding code analyzer for each language.

      Sonar Detects language

  4. Centralize Quality
    • All projects in one place

      SonarQube enables the centralized system of storing the code metrics which allows an organization to estimate and predict risks of the project. It will not only simplify the deployment but also allows making a qualitative step forward for the project management, monitor the project status.

      Sonar project status

    • Shared rulesets

      SonarQube provides the facility to create your own quality profiles, in which you can define Sonar Rules which can be shared among different projects.

How it helps for different users in Organization

  • Developers

    As SonarQube provide details of different errors and coding quality level analysis it helps developers to improve the code quality and also helps to improve the coding skills. The developer can improve knowledge about the coding standards, best practices and etc. Regularly use of the SonarQube leads developers to identify the coding standard violations and they tend to adhere to those standards even at the time of coding.

  • Technical management

    SonarQube supports easy integration with version control system to track down the code changes along with developer’s detail who made those changes. This helps to identify the developer’s performance in coding practices.

  • Non-technical management

    Non-Technical management wants to see how measurable code quality going on. They don’t understand complexity and duplications. But with the matrix and total numbers, it is easy to make a decision for each project.

Current Limitation

  • The Roslyn analyzers NuGet packages are currently applied on every project, including those which were excluded from the SonarQube analysis, and the test projects.
  • You are free to change the rulesets for each project manually, and we don’t warn you yet if you loosen the quality by removing rules
  • The main difference between SonarQube and the other tools is that the code analysis runs externally in your CI server (continue integration server) and the result is sent to SonarQube. Then, this analysis is processed by the SonarQube server which is stored in their database. Which will require extra effort in configuring your CI server?

What is SonarLint?

SonarLint is a free, open source, and available in the Visual Studio Gallery, which supports C#, VB.NET which will help you fix code quality issues before they even exist.

SonarLint plugin for Visual Studio supports only in Visual Studio 2015 and Visual Studio 2017.

Features of SonarLint

  1. Instant View

    SonarLint will provide developers with instant feedback in their IDEs as they are writing code, like with a spell checker. SonarLint also shows already existing issues in the code and enables developers to differentiate what issues they introduced.

    SonarLint Instant View

  2. On-the-fly Detection

    Issues appear as you type code. SonarLint provides the facility to identify problems as you write code, just like a spell checker for text.

    SonarLint On the fly Detection

  3. Smart Education

    Error descriptions come with issue detection. It provides Rich documentation which will let you understand issues in details and explain what is coding best practices.

    It gives a code example and shows how to resolve the example issue which is easy to understand the issue. In this way, it is powerful tools for developer developers to learn.

    SonarLint Rich documentation

  4. Push Notifications

    It tracks Quality Gate status like failed, passed, and warning. It also gives an analysis has assigned a new issue to you.

    SonarLint Push Notifications

  5. Connected Mode

    The user can connect to a SonarQube server and bind your Visual Studio solution to a SonarQube project. This operation automatically updates the rulesets of the solution and attaches the solution to the required Roslyn analyzers.

    Connect to a SonarQube server

Difference between SonarLint and SonarQube

SonarLint SonarQube
SonarLint works more like a plugin SonarQube has a server associated with it
SonarLint supports only in the IDE like IntelliJ, Eclipse and Visual Studio. SonarQube is a central server that processes which covers full analyses which need to be triggered by the various SonarQube Scanners.
 It gives instant feedback as you type your code. It give a vision of the quality of your complete project code base.
It concentrates on what you are writing run time while coding. It analyzes all the source code for all files in frequent interval.
SonarLint does not performs scans with 3rd party analyzers SonarQube performs scans with 3rd party analyzers (stylecorp,findBugs, checkstyle, PMD)

TatvaSoft is a CMMi Level 3 and Microsoft Gold Certified Software Development Company offering custom software development services on diverse technology platforms, like Microsoft, SharePoint, Biztalk, Java, PHP, Open Source, BI, Big Data and Mobile.

Tag cloud