SonarQube
SonarQube is a static code analysis tool that detects potential issues and steers development towards the Clean Code principles defined by Sonar.
- Supports multiple languages.
- Identifies rule-based issues in the code, including:
  - Bugs.
  - Maintainability issues (code smells).
  - Security vulnerabilities and security hotspots, i.e. security-sensitive code that needs a manual review.
- Provides a clear report of the findings and lets you handle each finding (confirm, mark as false positive, assign) within the service.
- Also measures test coverage and duplicated code, and rates each aspect against the targets set for the project (the Quality Gate).
sonarqube.it.helsinki
The IT center maintains a SonarQube environment based on the open-source Community edition at the address above.
Because it is the free Community edition, it does not support separate analysis of different code branches or pull requests.
- Every analysis is written to the project's single main view, so if PRs from different users are analyzed at the same time their changes are mixed together and the "new code" period no longer matches any one PR.
- Agree on a suitable practice for your project (for example, analyze only the default branch from CI) and look into SonarLint (described at the end of the page), which runs the same analysis directly in your own IDE before the code is pushed.
Usage Principles
- The service is provided as is, largely with SonarQube's default settings, and is supported with relatively low priority.
- The service is intended to be available and updated to the latest version of SonarQube.
- Any logged-in user (HY SSO) can create new projects.
- Projects must be related to the University of Helsinki.
- The IT center reserves the right to remove projects that have been inactive for the past 12 months.
- Project permissions can be managed based on IAM groups.
  - A group must first be created in SonarQube; after that, its membership is synchronized from IAM each time a member logs in.
  - Groups can also be granted the right to create team-specific Quality Profile/Quality Gate settings.
    - These are public to all users and should be named in the hyphen-separated format ending in "-<name, e.g., project>", such as "Tike-Ohtu-Ryhti".
    - The default settings (Sonar way) must not be modified.
- The project founder is responsible for the project's permissions.
- For group creation or permission settings, contact tike-ohjelmistotuotanto@helsinki.fi
Creating a New Project
- Log in to the service.
- Select Projects → Create Project → Manually and enter the requested information.
- Choose how new code is defined (the different options are described via the link on the page).
  - Note: the Community edition in use does not support branch-level analysis, so the definition applies to the whole project.
- Projects are created as public by default, so all logged-in users can see the source code and the findings. Restrict permissions as needed:
  - Select Project Settings → Permissions.
  - At the top, choose Public or Private.
  - The project founder automatically receives all rights to the project.
  - Permissions can be granted either to a user group (IAM group, see the group creation note under Usage Principles) or to individual users.
- The project's Overview tab gives instructions on how to send code for analysis.
  - The options are running the SonarScanner CLI from the command line, or integrating the analysis into a GitLab CI or GitHub Actions pipeline. In either case the scanner authenticates with a project or user token generated in SonarQube; keep the token out of the repository and pass it through a masked CI variable or an environment variable.
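The pipeline route described above, as an added example rather than the IT center's own instructions: a GitLab CI job that runs the SonarScanner CLI against the server. Everything specific is an assumption: the project key `tike-ohtu-example`, the source directory `src`, and that the server address and token are supplied as the masked, protected CI/CD variables `SONAR_HOST_URL` and `SONAR_TOKEN`, which the scanner CLI reads from the environment. The job is limited to the default branch because, on the Community edition, every scan lands in the same project view.

```yaml
# Added example, not taken from the sonarqube.it.helsinki page.
# Assumed CI/CD variables (set in GitLab as masked + protected, never committed):
#   SONAR_HOST_URL  - address of the SonarQube server
#   SONAR_TOKEN     - project/user analysis token generated in SonarQube
sonarqube-check:
  stage: test
  image:
    name: sonarsource/sonar-scanner-cli:latest
    # The image's default entrypoint starts the scanner immediately; clear it so
    # the script section below controls the invocation.
    entrypoint: [""]
  variables:
    # Keep the scanner's cache inside the workspace so it can be cached between jobs.
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    # Full clone: SonarQube needs git history to tell new code from old code.
    GIT_DEPTH: "0"
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    # Project key and source directory are placeholders; they could equally live in
    # a sonar-project.properties file in the repository root (but the token never should).
    # sonar.qualitygate.wait makes the job fail when the Quality Gate fails,
    # so a red gate blocks the pipeline instead of only showing up in the UI.
    - >
      sonar-scanner
      -Dsonar.projectKey=tike-ohtu-example
      -Dsonar.sources=src
      -Dsonar.qualitygate.wait=true
  rules:
    # No branch analysis in the Community edition: scanning every branch would mix
    # several people's changes into one "new code" period (see above), so scan only
    # the default branch after merge.
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
```

If the job must not block merges while the team is still tuning its Quality Gate, add `allow_failure: true` to the job; the gate result is then still visible in SonarQube but does not fail the pipeline.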
Project-Specific Analysis Rules
SonarQube reporting is based on Quality Gates and Quality Profiles settings.
Quality Gates
Quality Gates define the conditions under which new code passes inspection. The gate is evaluated on metrics such as the following (defaults of the built-in "Sonar way" gate in parentheses):
- New bugs (none allowed)
- New vulnerabilities (none allowed)
- Security hotspots in new code (100% reviewed)
- Maintainability (technical debt ratio below 5%)
- Test coverage of new code (at least 80%)
- Duplicated lines in new code (below 3%)
The defaults are Sonar's own recommendations. Read about the Clean as You Code principles before modifying them.
Quality Profiles
Quality Profiles define language-specific inspection rules and the severity of findings raised.
Settings modification
Custom Quality Gates and Quality Profiles can be set for a project.
All Quality Gates and Profiles are public, and creating them requires a separate permission. See the Usage Principles section for how to obtain this permission.
- This ensures that those with editing rights have read these guidelines and do not modify gates or profiles created by others.
Users who have been granted the permission can create new gates and profiles from the Quality Profiles/Quality Gates menu at the top. It is advisable to copy an existing one (such as Sonar way) as the base for the new one.
Name your own gates and profiles in the format given under Usage Principles, e.g. "Tike-Ohtu-Ryhti".
Select the desired gate or profile for the project at Project Settings → Quality Profiles/Quality Gates.
Guidelines
SonarQube documentation can be found here.
SonarLint
SonarLint is an analyzer that integrates directly into the development environment, checks the same things as SonarQube, and can be linked to your SonarQube project.
- Free add-on supporting multiple IDEs (Visual Studio, VS Code, Eclipse, and JetBrains products such as IntelliJ IDEA and PyCharm).
- Check the support for the IDE you are using and see the installation instructions here.
- You can link SonarLint directly to your SonarQube project (connected mode), in which case it uses the Quality Profile defined for the project, so findings are raised in the IDE before the code ever reaches the shared analysis.