Integration of SonarQube (static code analysis tool) in Android Studio
With today's development pace it gets harder and harder to keep a codebase healthy, maintain decent test coverage, and follow best practices while implementing new features. We need tooling that monitors and scans the codebase for us. SonarQube is an automatic code review tool that detects bugs, vulnerabilities, and code smells in your code. It integrates with your existing workflow to enable continuous code inspection across your project branches and pull requests.
Prerequisites
- Android development experience (Android SDK, third-party library usage, Gradle, etc.)
Scope
- What is SonarQube?
- Why is an automatic code review tool required?
- Why use SonarQube?
- Getting Sonar Local Server up and running
- Integrating SonarQube in Android Application.
- Publishing Android Application reports on Sonar Server.
1. What is SonarQube?
As per the official documentation, “SonarQube is an automatic code review tool to detect bugs, vulnerabilities and code smell in your code”. It helps developers write cleaner and safer code and reports on the overall health of the codebase.
2. Why is an Automatic Code Review Tool Required?
- Tracks bugs and vulnerabilities.
- Gate-keeper if a new vulnerability is introduced.
- Keeps track of a large number of bugs.
3. Why use SonarQube?
- SonarQube offers code-quality management by suggesting what is wrong and helps you put it right
- It provides a clean dashboard to address bugs, coding rules, test coverage, API documentation, code duplication, complexity, and many more things
- It gives you the snapshot of today’s code quality as well as tells you what went wrong and what’s likely to go wrong in future
- Other code quality tools focus mainly on bugs and complexity, but Sonar covers seven axes of code quality: architecture and design, unit tests, duplicated code, potential bugs, complex code, coding standards, and comments
To view SonarQube reports we need two things:
a. A Sonar server (for publishing reports)
b. The Android application (for SonarQube integration)
4. Getting Sonar Local Server
a. Install Docker on your local machine first. Note that the page linked in the original, “https://hub.docker.com/_/ubuntu”, is the Ubuntu image listing on Docker Hub, not a Docker installer; follow the Docker Engine installation guide for your operating system in the official Docker documentation instead.
A Docker Hub account is only needed if the download page asks for one; pulling the public sonarqube image below does not require a login.
b. Once Docker is installed, it is time for the SonarQube installation.
c. Open a terminal in Ubuntu (Ctrl + Alt + T), type the command below and press ENTER. SonarQube 7.5 is the version this setup was written against and is long past end of life; the same steps work with a current tag such as sonarqube:lts-community.
docker pull sonarqube:7.5-community
d. “docker ps -a”, press ENTER (this lists all containers known to Docker, running or stopped; the list should be empty if this is your first SonarQube installation).
e. “docker run -d --name sonarqube -p 9000:9000 sonarqube:7.5-community”, press ENTER. Note the double dash in --name. This publishes port 9000 on every interface of the host; on a shared machine use “-p 127.0.0.1:9000:9000” so the server is reachable only from the machine itself.
f. “docker ps -a”, press ENTER (it should now show one row with the sonarqube container running).
g. SonarQube should now be up. To test, visit “http://localhost:9000/”. Startup takes a minute or two because the embedded Elasticsearch has to initialise; the web UI does not respond until that has finished.
If http://localhost:9000/ never comes up, run “docker logs sonarqube” before deleting anything. The most common cause on a Linux host is the kernel setting vm.max_map_count being below 262144, which the embedded Elasticsearch requires; fix it with “sudo sysctl -w vm.max_map_count=262144” and restart the container. Only as a last resort stop the container (“docker stop sonarqube”), run ‘docker container prune’ or ‘docker system prune’ and repeat from step e. Be aware that prune removes only stopped containers, and that removing this one deletes every project, token and report it holds, because the command in step e mounts no volumes.
h. Log in with the default credentials Username “admin” and Password “admin”, and change that password straight away (recent SonarQube versions force this on first login). The default account has full administrative rights on the server.
i. Generate a token for your Android application (My Account > Security > Generate Tokens) by giving the token a name.
j. Save the token. The server shows it only once and cannot display it again. Treat it like a password: keep it out of build.gradle and version control, and hand it to the scanner through an environment variable or a gradle.properties file that is not committed. You will need it later when configuring the Android application to run SonarQube.
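The steps above as one script, added here as an example and not part of the original article. It assumes a Linux host with docker, curl and sysctl available, keeps the article's image tag and port (both overridable through environment variables), mounts named volumes so the server's data survives a container prune, checks the vm.max_map_count requirement up front, and waits for the server's /api/system/status endpoint to report UP instead of guessing when to open the browser. The volume paths are the ones documented for the sonarqube image and are an assumption for this particular tag.

```shell
#!/bin/sh
# Added example (not from the original article): bring up SonarQube in Docker
# with persistent volumes and wait until the server reports UP.
# Assumptions: Linux host with docker, curl and sysctl; image tag, container
# name and port default to the ones used in the article.
set -eu

IMAGE="${SONAR_IMAGE:-sonarqube:7.5-community}"
NAME="${SONAR_CONTAINER:-sonarqube}"
PORT="${SONAR_PORT:-9000}"
MIN_MAP_COUNT=262144   # minimum vm.max_map_count required by the embedded Elasticsearch

# Elasticsearch refuses to start when vm.max_map_count is too low; a server
# that never answers on :9000 is usually this.
mapcount_ok() { [ "$1" -ge "$MIN_MAP_COUNT" ]; }

# Pull the first "status" value out of a /api/system/status JSON body
# (values seen in practice: STARTING, UP, DB_MIGRATION_NEEDED, DOWN).
# Minimal grep/cut extraction, not a general JSON parser.
system_status() { printf '%s' "$1" | grep -o '"status":"[^"]*"' | head -n1 | cut -d'"' -f4; }

start_server() {
  if ! mapcount_ok "$(sysctl -n vm.max_map_count)"; then
    echo "vm.max_map_count too low; run: sudo sysctl -w vm.max_map_count=$MIN_MAP_COUNT" >&2
    exit 1
  fi
  docker pull "$IMAGE"
  # Named volumes keep projects, tokens and the embedded database across
  # "docker container prune"; without them every prune wipes the server.
  # Port is bound to loopback only, so the default admin account is not
  # exposed to the rest of the network.
  docker run -d --name "$NAME" -p "127.0.0.1:$PORT:9000" \
    -v sonarqube_data:/opt/sonarqube/data \
    -v sonarqube_extensions:/opt/sonarqube/extensions \
    -v sonarqube_logs:/opt/sonarqube/logs \
    "$IMAGE"
}

# Poll the status endpoint for up to five minutes.
wait_until_up() {
  i=0
  while [ "$i" -lt 60 ]; do
    body=$(curl -s "http://localhost:$PORT/api/system/status" || true)
    if [ "$(system_status "$body")" = "UP" ]; then
      echo "SonarQube is UP at http://localhost:$PORT/"
      return 0
    fi
    i=$((i + 1)); sleep 5
  done
  echo "SonarQube did not come up; check: docker logs $NAME" >&2
  return 1
}

# Only touch Docker when explicitly asked (RUN_SONAR=1), so the helper
# functions above can be sourced and checked without a Docker daemon.
if [ "${RUN_SONAR:-0}" = "1" ]; then
  start_server
  wait_until_up
fi
```

Run it as `RUN_SONAR=1 sh start-sonar.sh`; once it prints UP, continue with the admin login and token generation in steps h to j.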
5. Integrating SonarQube in Android Application
a. In App level build.gradle file, add Sonar plugin at top:-
apply plugin: "org.sonarqube"
b. In Project level build.gradle file, Add classpath dependencies within buildscript (buildsccript -> dependencies)
classpath "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.7.1"
c. After Step a and b, hit “Sync project with gradle files”
d. SonarQube is now added to the Android application; it is time for the basic configuration. Add the following at the top level of the app module's build.gradle. The original nested the sonarqube block inside configurations, which Gradle does not accept; the two blocks are independent and must each sit at the top level. Replace the projectName and projectKey values with your application's name and the project key used on the Sonar server, and set androidVariant to the variant you want analysed (for example debug).
// Excludes a transitive dependency from the app's runtime classpath.
// Unrelated to SonarQube; shown only because it was part of the original file.
configurations {
    implementation.exclude group: 'org.jetbrains', module: 'annotations'
}

// SonarQube scanner configuration (sonarqube-gradle-plugin 2.7.1).
sonarqube {
    // Build variant whose sources, classpath and compiled classes are analysed.
    androidVariant 'debug'
    properties {
        property "sonar.projectName", "Your project name"
        property "sonar.projectKey", "project key from sonar server"
        property "sonar.sourceEncoding", "UTF-8"
        property "sonar.sources", "src/main/java"
        // A list is joined into a comma-separated value by the plugin.
        property "sonar.tests", ["src/androidTest/java"]
        property "sonar.test.inclusions", "**/*Test*/**"
        // Paths matching these patterns are left out of the main-source analysis.
        property "sonar.exclusions", '**/*Test*/**,' +
                '*.json,' +
                '**/*test*/**,' +
                '**/.gradle/**,' +
                '**/R.class'
    }
}
P.S. If any file within the module needs to be excluded from analysis, add its pattern to “sonar.exclusions”. Do not put the server URL, the token or a password in this block; they belong on the command line or in an uncommitted gradle.properties file (see section 6).
Reference: https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-gradle/#header-2
e. Hit “Sync project with gradle files”
That’s it. You have integrated SonarQube in the Android App.
6. Generating and Publishing Android Application Report on Sonar Server
a. To generate a report, run the sonarqube Gradle task from the project root, passing the server URL and the token generated in step 4.i. Here SONAR_TOKEN is an environment variable holding the token:
./gradlew sonarqube -Dsonar.host.url=http://localhost:9000/ -Dsonar.login="$SONAR_TOKEN"
or, with the admin account instead of a token:
./gradlew sonarqube -Dsonar.host.url=http://localhost:9000/ -Dsonar.login=admin -Dsonar.password="$SONAR_ADMIN_PASSWORD"
The original wrote the literal user name and password with a leading $; in a shell that expands a (normally empty) variable, so the values never reach Gradle. Prefer the token form: a token can be limited to the Execute Analysis permission and revoked without touching the admin password, and anything passed on the command line ends up in shell history and is visible in the process list to other users of the machine while Gradle runs. With newer tooling note that sonarqube-gradle-plugin 4.x renames the task to sonar and SonarQube 10 replaces sonar.login with sonar.token.
b. The scanner's progress appears in the terminal; a successful run ends with the URL of the project dashboard on the server.
c. Visit “http://localhost:9000/projects” after the build succeeds. The server processes the submitted report asynchronously, so the dashboard may show the previous state for a few seconds.
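The gate-keeper role promised in section 2 only materialises if something fails the build when the quality gate fails, and the Gradle task itself does not do that: it uploads the report and returns. The script below, an added example that is not part of the original article, runs the analysis with the token from an environment variable, reads the task URL the scanner leaves in build/sonar/report-task.txt (the plugin's default working directory; the path is an assumption and is overridable), polls the server's Compute Engine task until the report has been processed, and then exits non-zero unless /api/qualitygates/project_status reports OK for that analysis. It assumes curl, grep and sed are available and a local server as set up in section 4.

```shell
#!/bin/sh
# Added example (not from the original article): run the SonarQube analysis,
# wait for the server to process it, and fail the build on a red quality gate.
# Assumptions: SONAR_TOKEN holds a token from section 4.i, SONAR_HOST defaults
# to the local server, REPORT_TASK is where the Gradle scanner writes its
# report-task.txt (build/sonar by default), curl/grep/sed are installed.
set -eu

SONAR_HOST="${SONAR_HOST:-http://localhost:9000}"
REPORT_TASK="${REPORT_TASK:-app/build/sonar/report-task.txt}"

# First string value for a key in a one-line JSON body. Minimal grep/cut
# extraction for the flat fields used here, not a general JSON parser; the
# first match is taken on purpose, because project_status repeats "status"
# once per condition after the project-level value.
json_field() { printf '%s' "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -n1 | cut -d'"' -f4; }

# key=value lookup in report-task.txt (keys: projectKey, serverUrl, ceTaskUrl, ...).
report_value() { sed -n "s/^$2=//p" "$1"; }

# Quality gate result -> exit status, so the script can gate a pipeline.
gate_passed() { [ "$1" = "OK" ]; }

# Poll the Compute Engine task until it finishes; print its analysisId.
wait_for_analysis() {
  task_url="$1"; i=0
  while [ "$i" -lt 60 ]; do
    # Tokens authenticate as the user name with an empty password.
    body=$(curl -sS -u "$SONAR_TOKEN:" "$task_url")
    case "$(json_field "$body" status)" in
      SUCCESS) json_field "$body" analysisId; return 0 ;;
      FAILED|CANCELED) echo "analysis task failed on the server" >&2; return 1 ;;
    esac
    i=$((i + 1)); sleep 5
  done
  echo "timed out waiting for the analysis to be processed" >&2
  return 1
}

main() {
  : "${SONAR_TOKEN:?set SONAR_TOKEN to a token generated in SonarQube}"
  ./gradlew sonarqube -Dsonar.host.url="$SONAR_HOST" -Dsonar.login="$SONAR_TOKEN"
  task_url=$(report_value "$REPORT_TASK" ceTaskUrl)
  analysis_id=$(wait_for_analysis "$task_url")
  gate=$(curl -sS -u "$SONAR_TOKEN:" \
    "$SONAR_HOST/api/qualitygates/project_status?analysisId=$analysis_id")
  status=$(json_field "$gate" status)
  echo "quality gate: $status"
  gate_passed "$status"
}

# Only run the pipeline when asked (RUN_SONAR=1), so the helpers can be
# sourced and checked without a server or a Gradle build.
if [ "${RUN_SONAR:-0}" = "1" ]; then main; fi
```

Invoke it as `SONAR_TOKEN=... RUN_SONAR=1 sh sonar-gate.sh` from the project root. The token still passes through the Gradle command line here; if that is a concern on a shared build host, move it into an uncommitted gradle.properties as a systemProp.sonar.login entry and drop the -D argument.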