Eclipse PASS Documentation

Code Quality Analysis

PASS uses the code quality and security tool SonarQube Cloud to ensure a high-quality code base. SonarSource graciously allows open source projects to use a free tier of SonarQube Cloud, which integrates directly with our GitHub repositories.

Summary

SonarQube performs static analysis on the PASS codebase to detect bugs, vulnerabilities, code smells, and security hotspots. This integration provides automated code quality checks on pull requests, helping to promote and maintain clean code. Analysis is triggered automatically on pull requests and merges to the main branch via GitHub Actions. In addition, a plugin can be added to various IDEs to catch code quality issues before a pull request is submitted.

List of Repositories on SonarQube

  • PASS Main

  • PASS Core

  • PASS Support

  • PASS UI

Knowledge Needed / Skills Inventory

  • Understanding code quality concepts

  • Git/GitHub

Technologies Utilized

  • SonarQube Cloud: The cloud-based platform hosting the analysis engine and results dashboard.

  • GitHub Actions: Publishes results to SonarQube Cloud via workflows.

  • SonarScanner for Maven

  • SonarScanner for Maven GitHub

Technical Deep Dive

SonarQube Configuration

The full documentation for getting started with SonarQube Cloud is available on their documentation site. In the PASS project, it is integrated into our CI/CD pipeline, providing status checks on our pull requests.
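
A GitHub Actions workflow of the kind described above, using SonarScanner for Maven. This is an added illustration, not the PASS project's own workflow file; the organization key, project key, the secret name `SONAR_TOKEN` and the Java version are assumptions to be replaced with your own values.

```yaml
# Added example: SonarQube Cloud analysis with SonarScanner for Maven.
# YOUR_ORG_KEY / YOUR_PROJECT_KEY are placeholders, not PASS values.
name: SonarQube Cloud analysis

on:
  push:
    branches: [main]          # the free tier analyzes only the main branch...
  pull_request:
    branches: [main]          # ...and pull requests that target main

permissions:
  contents: read              # the job only needs to read the repository

jobs:
  sonar:
    runs-on: ubuntu-latest
    # Secrets are not passed to workflows triggered from forks, so skip the
    # analysis there instead of failing with a missing token.
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # full history, so new-code detection and blame work
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'  # assumption: set to the JDK your build requires
          cache: maven
      - name: Build, test and analyze
        env:
          # Token generated in SonarQube Cloud and stored as a repository secret.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: >
          mvn -B verify
          org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
          -Dsonar.host.url=https://sonarcloud.io
          -Dsonar.organization=YOUR_ORG_KEY
          -Dsonar.projectKey=YOUR_PROJECT_KEY
```

Keeping the token in a repository secret and granting the job read-only permissions limits what a compromised build step can do with the workflow's credentials.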

Reading the Reports

Access the SonarQube reports using the links in the Summary section. Detailed guidance on analyzing reports is available on the SonarQube Cloud Documentation site.

Key areas to examine include:

  • Project Overview (Main Dashboard):

    • Quality Gate status (Passed/Failed) – this is the primary indicator of code health.

    • The main Ratings (A-E) for Reliability, Security, Maintainability, and the Coverage percentage for a quick code coverage assessment.

  • Pull Request Analysis (Viewed in GitHub):

    • When analysis runs on a pull request, SonarCloud adds a status check to the PR in GitHub.

  • Issues Tab (in SonarCloud Project):

    • Provides a detailed, filterable list of all identified issues.

    • Filter by type (Bug, Vulnerability, Smell, Hotspot), severity (Blocker, Critical, Major, Minor, Info), status (Open, Confirmed, False Positive, Won't Fix), assignment, creation date, etc.

  • Measures Tab (in SonarCloud Project):

    • Explore metrics in more detail. View graphs showing trends over time for size, complexity, coverage, technical debt, and issue counts.

    • Useful for understanding the overall health trends of the codebase.

  • Code Tab (in SonarCloud Project):

    • Browse the source code directly within SonarCloud.

    • Issues are highlighted inline, making it easy to see problems in context.

Integration with JaCoCo

SonarQube does not provide code coverage out-of-the-box, but it does integrate with coverage tools. In a simple project, the setup is trivial, but with the PASS project there are a few extra configuration steps for proper integration within our CI/CD pipeline. These extra steps are detailed on the JaCoCo page of the code quality analysis.

Known Limitations using Free Tier Subscription

  • Can only analyze the main branch and pull requests (only if main is the target branch) of a repository.

  • Can only use the default Sonar Way quality gate for code quality analysis.

  • Maximum number of organization members is 5.

The full set of limitations for SonarQube Cloud can be found on their subscription comparison table.

Related Information

  • SonarQube Cloud Homepage

  • SonarQube Cloud Documentation

  • SonarSource Project for Java

  • SonarSource Scanning Examples


Last updated 1 month ago