In our most recent projects, we wanted to have better control of the quality of the code that we deploy. For that, we need a tool capable of making an analysis of the code before we deploy it to the servers, and even better, one that is capable of showing the developers the problems before they submit their code.
All of this, we can achieve with two tools from the same ecosystem. They are SonarQube and SonarLint. Let’s look at how they can help us.
Brief introduction to SonarQube
SonarQube is an open source tool suite to measure and analyze the quality of source code. It is implemented in Java language and is able to analyse the code of about 20 different programming languages. Anything that affects code base, from minor styling details to critical design errors, is inspected and evaluated by SonarQube, which helps our developers to identify the issue and its effect.
SonarQube is perfect to use in a CD/CI environment, as a tool capable of analyzing the code before it’s deployed. Is our code good enough to deploy? Should we put on hold the deploy until the code quality matches a set standard? SonarQube gives us the data we need to make these decisions.
More info about SonarQube on this page.
Brief introduction to SonarLint
SonarLint is a plugin for various IDE applications, like Eclipse or IntelliJ IDEA, that functions as a local SonarQube code analysis tool. It helps developers fix code quality issues before uploading the code to the repository. It can make a new analysis over the changed parts of a file when saved or analyse a whole project (or file) on demand.
SonarLint is a marvellous tool for our projects, since it serves the purpose of making the analysis of the code during the development process. This way, the developers can prevent and correct issues before submitting their code. It also can be linked to a SonarQube server to update the analysis rules when they are changed by the project manager or the QA team, so that the whole team follows the same rules.
More info about SonarLint on this page.
Current SonarQube installation
Currently in our company we have two SonarQube installations in different machines in our local network. One of them can be linked with a local SonarLint and it is meant to be used by our teams in their projects.
The other installation is an older version that is currently only being used by the QA team. This SonarQube can not work fine with SonarLint, but it is very useful for testing new rules and configurations before using them in the main one.
How to install SonarLint in HCL Rational Application Developer
SonarQube analysis is run on the code that is already in the repository, but SonarLint is integrated in each developer IDE. This means, in our Commerce projects, that it needs to be integrated in HCL Rational Application Developer, which is IBM’s RAD under a different name, at least until HCL publishes their first revision of the IDE. RAD is based on Eclipse, with all the tools and plugins IBM decided to integrate to make it the perfect tool to use when developing a Websphere Commerce (now HCL Commerce) e-commerce application.
One of IBM RAD ‘s most rigid characteristics for the developers is that it’s been conceived as an immutable black box, not giving the developers the possibility of easily adding or integrating tools or plugins as in basic Eclipse. This restriction can be and must be overcome to install SonarLint, and the process is relatively simple. The following steps show how to install SonarLint in the RAD IDE for Websphere Commerce version 9.X
- First of all, with RAD closed, we need to locate the JRE that RAD uses to launch the IDE. Same as Eclipse, it is started as a Java application, associated with a JRE instance.
- Once there, we need to edit the java.security file, located in the lib/security/ directory. We will want to restore the file contents later, so making a backup of the file is a good idea. The file can be edited with any plain text edition program. In the file, we need to locate the entries starting with “ssl.KeyManagerFactory” and “ssl.TrustManagerFactory”, and empty their values. This is to prevent RAD from being unable to connect to the host of the files required for the installation of the plugin. Edit those values and save the changes.
- Now open RAD, and when it’s ready, access the option “Eclipse Marketplace…”, located in the header Help menu. When opened, we can simply search for “SonarLint” and it should show something like this:
- We select the Install link to start the process. It is quite a straightforward process that only requires to press “Next” when prompted. Once it finishes, the process will probably say that to apply the changes it is required to restart RAD. Even if it doesn’t say so, close it.
- Now go back to the java.security file and restore the changes you made. If you made a backup of the original file, now is the time to use it. If you didn’t, recover the contents as they were, save and close the file.
- The process is finished. Next time you launch RAD, it might require a bit more time than normally to start the toolkit, but SonarLint will be available.
SonarLint views in RAD
SonarLint has four views to show or manage different data:
- SonarLint Report: shows all the rule violations detected in the complete scope of the last analysis, no matter what element or code file we are currently in.
- SonarLint On-The-Fly: shows all the rule violations detected in the code file we are currently in. Its layout and the data it shows is identical to SonarLint Report.
- SonarLint Rule Description: Shows the documentation about the selected code violation. To show here an specific error, we can either select it in SonarLint Report or SonarLint On-The-Fly, or make a hover on a line marked with a rule violation and select the option “Open description of rule” in the tooltip.
- SonarQube Servers: Manages the SonarQube servers that are linked to SonarLint and the relationship between the code projects and SonarQube projects. More on this topic in the next point.
Binding SonarLint to SonarQube
Although SonarLint can be very powerful by itself, it works better when it is linked to SonarQube. This link (referred in the tool as “binding”) enables the option for teams to manage the rules set in one place (SonarQube) and apply those rules on multiple places (SonarLint in the development team machines) via an automated upload process.
The only thing required is to have an analysis made in SonarQube, and to bind both tools. Having an analysis made in SonarQube is important because of the way the binding works. If SonarLint binds to a SonarQube project that doesn’t exist or is not binded to any SonarQube server, it would analyze the code with the default set of rules defined by SonarQube and SonarLint’s creators. This set of rules is quite good by itself, but some teams might want to customize their set of code rules, and the set of rules to use is set in SonarQube and then applied by SonarLint thanks to this binding.
- To make this link, first of all you will need to add the SonarQube server in the view SonarQube Servers. If you have no SonarQube server linked, the view will show a link to create a connection. If you already have a connection configured, simply do right-click, select New, and Server connection.
- Make sure to select the option “Connect to a server”, and click Next. In the next step, introduce your SonarQube server’s url.
- In the next two steps, you have to select your identification option for the server, and introduce the authentication data. There are two options: either your username and password to access SonarQube, or a token (generated in SonarQube). This requires you to have an account in the SonarQube server, but it doesn’t need to be an administrator account.
- Write an alias for the connection (it will be shown in the view) and the process is finished.
- A new window will pop-up, suggesting you to bind a local project to SonarQube. Select the button “Add”, select the desired project in the list, and click Next.
- In the next step, introduce the SonarQube project id. This is the id in SonarQube, if you already did an analysis with SonarQube, which not necessarily is the same as the shown name of the project. This id is set when making the first analysis in SonarQube. Once this step is finished, click finish in the wizard and the IDE will make the operations for the binding. Done!
Changing rules in SonarQube
SonarQube manages different sets of analysis rules via what it calls as Quality Profiles. If you need information about the process of changing the rules, you can find the official documentation here. Just know that these changes won’t apply immediately to SonarLint.
Pay attention in SonarQube to the quality profiles selected for your project. You can see them on the main page of the dashboard of the project. These are the rules sets applied in SonarQube analysis, and will be the ones used by SonarLint after the next section.
Updating SonarLint’s rules
When you have made some customization to the analysis rules in SonarQube or changed the rules set, surely you will want to share the changes to the team. That’s easy to do, and requires little effort from your team members:
- They need to go to the view SonarQube Servers, and select the configured server. Right-click, select “Update all project bindings”, then wait for the background process to finish.
Now SonarLint will use the rules set selected in SonarQube when analyzing the project.