SonarQube - DevOpsSchool.com · Continuous integration with Jenkins ? Conclusions • SonarQube is...

SonarQube Should I stay or should I go ? Jérémie Fays – 3 June 2015


Stay if you want to hear…

•  What is SonarQube ?

•  What is available at Interface ?

SonarWhat ?

Developers

–  Maintainability

–  Good programming practices

–  Bugs

Tech transfer

–  Info on software maturity

–  Better valuation

–  Preparation for a due diligence (Technical Debt)

Static code analysis

Sonar not what !

What it doesn’t do :

•  Performance analysis (memory, CPU)

•  Conformity to requirements specifications

•  Expertise on architecture and technological choices

SonarWhat ?

Open source (LGPL v3)

Developed by a Swiss company : SonarSource

Used by major companies (Thales, Cisco, Siemens, Adobe, Tom-Tom…)

Supports more than 20 programming languages

Supported languages

Free

–  Java / Groovy

–  Python

–  Web

–  Android

–  C++

Commercial

–  C/C++/Objective-C

–  Visual Basic

–  COBOL

–  Swift

Not supported

–  Fortran

–  Matlab

–  R

–  Pascal

ULg software

SonarQube

Basic metrics : LOC

•  LOC = Lines of Code

•  Useful for reporting

•  Sometimes used in software valuation (Cocomo II)

Complexity

= number of ways to run through code

In practice : if, while, for… → +1

Guide value : complexity per function should be less than 8.
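
An added illustration of the counting rule above, not part of the original slides and not SonarQube's own implementation: a small Python script that scores each function as 1 plus its decision points and flags those at or above the guide value of 8. Counting boolean operators, conditional expressions and `except` handlers in addition to if/while/for is an assumption of this example, and `SAMPLE` and all function names are constructed.

```python
import ast

GUIDE_MAX = 8  # slide guide value: complexity per function should be less than 8

# Constructs counted as +1 each. if/while/for come from the slide; the
# others are an assumption made for this example.
BRANCH_NODES = (ast.If, ast.While, ast.For, ast.IfExp, ast.ExceptHandler)

def function_complexity(func):
    """Return 1 + the number of decision points inside one function node."""
    score = 1
    for node in ast.walk(func):
        if isinstance(node, BRANCH_NODES):
            score += 1
        elif isinstance(node, ast.BoolOp):
            # 'a and b and c' adds two extra paths
            score += len(node.values) - 1
    return score

def report(source):
    """Map each function name in the source text to its complexity score."""
    tree = ast.parse(source)
    return {n.name: function_complexity(n) for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))}

def over_guide(source):
    """Names of functions whose score is not below the guide value."""
    return sorted(name for name, c in report(source).items() if c >= GUIDE_MAX)

# Constructed sample input (never executed, only parsed).
SAMPLE = '''
def is_valid_port(p):
    if p < 1 or p > 65535:
        return False
    return True

def classify(user, req):
    if not user:
        return "deny"
    if user.locked and not req.admin:
        return "deny"
    for role in user.roles:
        if role == "admin":
            return "allow"
        elif role == "auditor" and req.readonly:
            return "allow"
    while req.retries > 0:
        req.retries -= 1
        if req.token:
            return "allow"
    return "deny"
'''

if __name__ == "__main__":
    for name, score in report(SAMPLE).items():
        print(name, score, "over guide" if score >= GUIDE_MAX else "ok")
```
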

Code duplication

Code blocks duplicated ? Make it a function !

Guide value : no

Comments

Comments help maintenance and transferability

Guide value : 20-40%, but very variable

Code coverage

Percentage of code covered by unit tests

Guide value : >80%

Issues

•  Possible bugs

•  Security issues

•  Coding rules / style

•  Show « magic numbers »

Guide value : no blocker or critical errors.

Example

Technical debt

= effort needed to solve all « code quality » issues

Guide value : no.

SonarQube, in short

•  A set of « quality » metrics

•  Better use : day-to-day

…or even continuous integration !

Situation at Interface

A continuous improvement

•  Software protection and licenses

http://www.interface.ulg.ac.be/docs/Researchers_Guide.pdf

Fossology installed and running

•  Software quality

http://www.interface.ulg.ac.be/docs/Metriques-qualite-logiciel.pdf

SonarQube installed and running + C/C++ commercial plugin

Our SonarQube instance

Samba

Script

SonarQube : our services

•  Snapshot analysis

–  A first contact with SonarQube

•  Preparation for a transfer

–  Before a tech transfer (license or spin-off)

–  Before opening the code

•  Operational use

–  Day-to-day use of our SonarQube instance

Future

Continuous integration with Jenkins ?

Conclusions

•  SonarQube is useful for :

–  Short term quality mission

–  Day-to-day use (up to continuous integration)

•  A SonarQube instance is available at ITF :

–  Commercial C/C++ plugin installed

–  One shot analysis

–  Account creation for day-to-day use

→ Contact me !

Thanks !

Jérémie Fays

+32 4 349 85 21

www.linkedin.com/in/jeremiefays