Static code analysis tools like SonarQube not only look for code-specific vulnerabilities but also flag refactoring opportunities, resource and memory leaks, and departures from good coding practice. SonarQube integrates directly with automation servers like Jenkins and with GitHub, so it can analyze branches and decorate pull requests as part of a CI/CD workflow.
In this article, I will set up static analysis with SonarQube on one of my old Django projects. You can find the link here. It is a simple REST API-based project, which I assume has plenty of vulnerabilities and poor code constructs that I expect SonarQube to detect and report.
Dynamic Testing and Static Testing
SonarQube differs from other popular tools such as Selenium and CasperJS in that it follows the static testing approach. Static testing examines source code without executing the program: it checks whether the code conforms to a preset set of rules and conventions. Dynamic testing, on the other hand, happens while the code runs and has the advantage of catching problems that static analysis cannot see, chiefly errors that originate outside the project, such as failures of the external services it depends on.
SonarQube (Static Analysis)
When a developer writes code, SonarQube goes through it and, based on a set of predefined rules, checks whether the software meets the expected standard, then produces a comprehensive report. Because it runs before anything is executed, static testing is also known as early testing. Most modern IDEs do some static analysis of their own, but a dedicated tool like SonarQube is better suited to in-depth reporting and analysis across a whole project.
1. Download SonarQube from this link.
2. Open StartSonar.bat located in the bin/<os>/ directory of the extracted archive (bin/windows-x86-64/ on Windows). The server will run at http://localhost:9000/. Log in with the default credentials (admin / admin) and change the password when prompted, since the server is now listening on your machine.
3. Download the SonarScanner CLI from this link to scan your projects.
4. If you are using my project from this link, follow the usual Django project installation steps:

```
virtualenv env
env/Scripts/activate
cd ..
pip install -r requirements.txt
cd src
python manage.py runserver
```

5. Add the scanner's bin directory to the system PATH environment variable. Mine was the bin folder of the extracted scanner, i.e. C:\Users\xps 13\Downloads\sonar-scanner-cli-<version>-windows\sonar-scanner-<version>-windows\bin.
6. Open conf/sonar-scanner.properties inside the scanner directory and add the following:

```
sonar.host.url=http://localhost:9000
sonar.projectKey=sonar-scanner
sonar.sources=C:/Users/xps 13/Desktop/sonarcube practice/django-rest-api/src
```

(sonar.sources is the path to your project folder. Note that this file is global to the scanner; for more than one project, put sonar.projectKey and sonar.sources in a sonar-project.properties file in each project root instead. Newer SonarQube versions also require an analysis token, which should be supplied from an environment variable at scan time rather than committed to either file.)
7. Now navigate to the root of the project folder (django-rest-api in my case) and run the `sonar-scanner` command.
8. If you get any security warnings, follow this blog:
After running all these steps, you should see a project dashboard like the following:
Most of the issues were code smells, which is SonarQube's term for maintainability problems in the code. To be honest, I expected a lot more bugs, lol :D My two-year-old code seems to hold up reasonably well.
The first critical code smell, 'Define a constant instead of duplicating this literal 'Computer Science & Engineering' 3 times.', is a perfect example of how SonarQube not only flags vulnerabilities in the code but also helps us refactor it into better programming constructs. I cannot wait to use this tool on all my current projects and integrate it with Jenkins and GitHub for a better and more secure CI/CD workflow.
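The Jenkins/GitHub integration mentioned above needs one more piece than the manual steps in this article: something that runs the scanner and makes the build fail when SonarQube's quality gate is not passed. The script below is an added example, not code from the original post or from the django-rest-api project. It assumes `sonar-scanner` is on PATH, that the analysis token is provided through the SONAR_TOKEN environment variable (which recent versions of the SonarScanner CLI read) rather than written into conf/sonar-scanner.properties, and it uses constructed sample data for the report-task.txt file and the quality-gate JSON so the parsing and decision logic can be exercised offline.

```python
"""Added example (not from the original post or the django-rest-api project):
run sonar-scanner from a build script and fail the build when the SonarQube
quality gate is not passed. Assumptions: `sonar-scanner` is on PATH and the
analysis token comes from the SONAR_TOKEN environment variable (read by recent
SonarScanner CLI versions), not from conf/sonar-scanner.properties."""
import json
import os
import subprocess
import sys
import time
import urllib.request
from base64 import b64encode
from pathlib import Path

FAILED_STATUSES = {"ERROR"}  # quality-gate statuses that mean "failed"


def parse_report_task(text: str) -> dict:
    """Parse .scannerwork/report-task.txt, the key=value file sonar-scanner
    writes after an analysis (serverUrl, ceTaskId, ceTaskUrl, ...)."""
    result = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")  # URLs may contain '='
            result[key.strip()] = value.strip()
    return result


def gate_failures(project_status: dict) -> list:
    """Failed conditions from api/qualitygates/project_status JSON as readable
    strings; an empty list means the gate passed."""
    status = project_status["projectStatus"]
    if status["status"] not in FAILED_STATUSES:
        return []
    return [f"{c['metricKey']}: {c.get('actualValue', '?')} "
            f"{c['comparator']} {c['errorThreshold']}"
            for c in status.get("conditions", [])
            if c["status"] in FAILED_STATUSES]


def _get_json(url: str, token: str) -> dict:
    """GET a web-API endpoint; the token goes in as the basic-auth user name
    with an empty password, which is how the SonarQube API accepts it."""
    request = urllib.request.Request(url)
    credentials = b64encode(f"{token}:".encode()).decode()
    request.add_header("Authorization", f"Basic {credentials}")
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def wait_for_gate(project_root: Path, token: str, timeout_s: int = 300) -> list:
    """Poll the background task until the analysis is processed, then fetch
    the quality-gate result for exactly that analysis."""
    report_file = project_root / ".scannerwork" / "report-task.txt"
    report = parse_report_task(report_file.read_text())
    deadline = time.time() + timeout_s
    while True:
        task = _get_json(report["ceTaskUrl"], token)["task"]
        if task["status"] == "SUCCESS":
            break
        if task["status"] in ("FAILED", "CANCELED") or time.time() > deadline:
            raise RuntimeError(f"task {report['ceTaskId']}: {task['status']}")
        time.sleep(5)
    url = (f"{report['serverUrl']}/api/qualitygates/project_status"
           f"?analysisId={task['analysisId']}")
    return gate_failures(_get_json(url, token))


def main(project_root: str = ".") -> int:
    token = os.environ.get("SONAR_TOKEN", "")
    if not token:
        print("SONAR_TOKEN is not set; refusing to run the scan", file=sys.stderr)
        return 2
    root = Path(project_root)
    # The token stays in the environment rather than going on the command
    # line as -Dsonar.token=..., so it does not show up in process listings.
    subprocess.run(["sonar-scanner"], cwd=root, check=True)
    failures = wait_for_gate(root, token)
    for failure in failures:
        print("quality gate failed:", failure, file=sys.stderr)
    return 1 if failures else 0


# Constructed sample data for offline use; not real scanner or server output.
SAMPLE_REPORT_TASK = """\
projectKey=django-rest-api
serverUrl=http://localhost:9000
ceTaskId=AX_example_task_id
ceTaskUrl=http://localhost:9000/api/ce/task?id=AX_example_task_id
"""
SAMPLE_PROJECT_STATUS = {"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
     "comparator": "LT", "errorThreshold": "100", "actualValue": "0"},
    {"status": "OK", "metricKey": "new_coverage",
     "comparator": "LT", "errorThreshold": "80", "actualValue": "85.2"},
]}}

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it from the CI job as `python sonar_gate.py path/to/django-rest-api` with SONAR_TOKEN set in the job's secrets; a non-zero exit code fails the Jenkins stage or GitHub Actions step. Polling the compute-engine task first matters because the scanner returns as soon as it has uploaded the report, before the server has computed the gate, so checking the project status immediately would read the result of the previous analysis.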