Sonar Review


Transcript of Sonar Review

Page 1: Sonar Review

SONAR

KATE SEMIZHON

Page 2: Sonar Review

SONARQUBE: AN OPEN SOURCE WEB APPLICATION TO MANAGE CODE QUALITY

Page 3: Sonar Review

WHAT IS SONAR

Sonar covers the 7 axes of code quality

Page 4: Sonar Review

CONTINUOUS INSPECTION

- the practice of measuring your code on a very regular basis

- raises code quality visibility for all stakeholders

- continuously improves code quality

Page 5: Sonar Review

50+ PLUGINS

LANGUAGES

DEV TOOLS

http://docs.codehaus.org/display/SONAR/Plugin+Library/

INTEGRATION

AUTHENTICATION & AUTHORIZATION

GOVERNANCE

VISUALIZATION & REPORTING

ADDITIONAL METRICS

Page 6: Sonar Review

CLIENT LIST

Page 7: Sonar Review

CASE STUDY

“There used to be numerous code-related issues that escalated over time and cost us a lot.”

“SonarQube has triggered a three-fold business impact that we have seen extensively in every project team we have on-boarded – delivery excellence (time to capability reduced), engineering excellence (quality improvement) and business value (cost savings).”

“A defect caught at an earlier stage in the PLC is way less expensive than one caught later on.”

http://www.sonarsource.com/customers/customer-stories/

- leader in networking technologies

- 73,460 employees

- Q2 FY13 revenues of $12.1 billion

- uses SonarQube to analyze >9 million lines of code in 90 applications

Page 8: Sonar Review

WHY?

Prevention is the best medicine

Page 9: Sonar Review

BENEFITS

- Improves the quality of the code produced by increasing developer knowledge and understanding of code quality issues

- Reduces maintenance cost through early identification of quality issues

- Reduces the time spent on code reviews

- Improves the productivity of software development teams (removes code duplication and redundancy)

- Detects bugs automatically, giving an opportunity to fix them before rolling software out to production

Page 10: Sonar Review

SONAR DASHBOARD

List of projects/apps

Quality metrics

Page 11: Sonar Review

DEVELOPERS' 7 DEADLY SINS

- Bugs and Potential Bugs

- Coding Standards Breach

- Duplications

- Lack of Unit Tests

- Bad Distribution of Complexity

- Spaghetti Design

- Not Enough or Too Many Comments

Page 12: Sonar Review

KEY METRICS

Potential bugs

Potential performance problems

Potential security issues

Duplicates

Coverage

Time machine

Page 13: Sonar Review

POTENTIAL BUGS

- Return statements should not occur in finally blocks

- This class overrides "equals()" and should therefore also override "hashCode()"

- "equals(Object obj)" should be overridden along with the "compareTo(T obj)" method

- Thread.run() and Runnable.run() should not be called directly

Page 14: Sonar Review

INCORRECT EXCEPTION PROCESSING

- Throwable and Error classes should not be caught

- Generic exceptions Error, RuntimeException, Throwable and Exception should never be thrown

- Avoid Print Stack Trace

- Avoid Rethrowing Exception

- Avoid Catching/Throwing NPE

- Avoid Instanceof Checks In Catch Clause

Page 15: Sonar Review

INCORRECT STRING PROCESSING

Name: Description

- String Instantiation: Avoid instantiating String objects; this is usually unnecessary.

- Inefficient String Buffering: Avoid concatenating non-literals in a StringBuffer constructor or append().

- Use Index Of Char: Use String.indexOf(char) when checking for the index of a single character; it executes faster.

- String To String: Avoid calling toString() on String objects; this is unnecessary.

- Useless String Value Of: No need to call String.valueOf to append to a string; just use the valueOf() argument directly.

- String Literal Equality: Checks that string literals are not used with == or !=.

- Unnecessary Case Change: Using equalsIgnoreCase() is faster than using toUpperCase/toLowerCase().equals().
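The following is an added example, not code from the slides, showing the flagged pattern beside a compliant rewrite for the "return in finally" rule (page 13), the "catch Throwable" rule (page 14) and the "String Literal Equality" rule above; the class and method names are assumptions for illustration.

```java
import java.io.IOException;
// Constructed example (not from the slides): flagged pattern beside a
// compliant rewrite for three of the Sonar rules listed on pages 13-15.
public class SonarRuleExamples {
    // Flagged: "Return statements should not occur in finally blocks".
    // The return in finally discards the IOException from the try block,
    // so the caller never learns that the read failed.
    static String readFlagged() {
        try {
            throw new IOException("disk read failed"); // simulated failure
        } finally {
            return "default";                          // swallows the exception
        }
    }

    // Compliant: finally only does cleanup; the exception propagates.
    static String readCompliant() throws IOException {
        try {
            throw new IOException("disk read failed"); // simulated failure
        } finally {
            System.out.println("cleanup runs, exception still propagates");
        }
    }

    // Flagged: "Throwable and Error classes should not be caught".
    // This also traps OutOfMemoryError and similar JVM errors the method
    // cannot recover from, hiding them from logs and monitoring.
    static boolean isNumberFlagged(String s) {
        try { Integer.parseInt(s); return true; }
        catch (Throwable t) { return false; }          // too broad
    }

    // Compliant: catch only the exception this code can actually handle.
    static boolean isNumberCompliant(String s) {
        try { Integer.parseInt(s); return true; }
        catch (NumberFormatException e) { return false; }
    }

    // "String Literal Equality": == compares references, so a role string
    // built at runtime with the same content can still compare unequal.
    static boolean isAdminFlagged(String role)   { return role == "admin"; }
    static boolean isAdminCompliant(String role) { return "admin".equals(role); }

    public static void main(String[] args) throws IOException {
        String role = new String("admin");             // same content, different object
        System.out.println(isAdminFlagged(role) + " vs " + isAdminCompliant(role));
        System.out.println(isNumberFlagged("x") + " " + isNumberCompliant("x"));
        System.out.println(readFlagged());             // the read error is silently lost
        readCompliant();                               // IOException reaches the caller
    }
}
```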

Page 16: Sonar Review

PROCESS

Set up threshold

Daily reports

Sonar plugin for developers to verify code

Email alerts

Sprint Reports to track quality

Page 17: Sonar Review

COST

Object: Cost

- SonarQube: Free

- Plugins: Free

- Sonar installation and configuration: 1 day (DevOps)

- Compare stats once a sprint: 1 h

- Verify new code by developers: ongoing activity, part of development

Page 18: Sonar Review