
Quality Assurance With Sonar


It's incredible how little known a tool like Sonar still is. I guess Gradle suffers the same fate. After all, they're both similar in their intent: to improve the quality of your software. It seems lots of people know about unit testing (not so many about code coverage), fewer know about tools like Checkstyle or FindBugs (static analysis of code), and just a minority are aware of more esoteric metrics like cyclomatic complexity. And even the few that use all of them do not extract all the value that a dashboard provides. That's what Sonar handles: it will take your project and stress it, showing the results in a visually appealing site, with no extra work from you. The only requirement is to use Ant or, preferably, Maven.

But seeing is believing, so I'll try to convince you by showing the whole process and what kind of enhancements you'll be getting. As the demo project I've chosen IWebMvc2. I've nearly finished the development by now, so it's perfect timing to improve quality. In addition, it's a complex web application made of three different sub-projects, so something must arise. IMHO the quality of the code is pretty good; in theory, I just want proof... did I just say humble? ;-).

The first task is downloading the project and installing it. It's trivial, believe me (well, as long as you know how to unpack an archive...). To run Sonar, just go to the bin folder, select your OS and execute the provided script. Trivial again. Sonar should be accessible (although empty) at http://localhost:9000 by now. Go there and log in with admin/admin. Select Configuration and, under Quality Profiles, click on Sonar way with Findbugs: set as default.

The next step is to build our project and include the Sonar phase. This is done by typing:

mvn clean compile sonar:sonar

Pretty easy, wasn't it? If the project was built successfully, the console is updated and shows something like:

A quick glance reveals a row per project analyzed, indicating the number of rules violated and the coverage of the unit tests. There's a little bug with the latest JDK and Cobertura that always reports 0% coverage. As a workaround, use JDK6_Update13, for example. The build time reflects how long ago this information was retrieved (not how long the build itself took, tricky). One click on the project shows the dashboard (this is a trimmed version):

Here's the bread and butter! All kinds of metrics, for the whole project. The graphic displays the number of modules (JARs) and the relative size of each one. It's used to drill down and get module-specific statistics. In fact, every link lets you navigate to new pages with deeper details.

Our task is to improve the quality of the project (bit by bit) so we can navigate to the Violations section and get a detailed report of the problems:

The rules are divided into several areas; some are required while others are optional. Selecting one rule gives the complete list of locations where the code fails to comply. Selecting one of those locations highlights the code:

In the above example Sonar has detected a private method that is never called. For performance and maintainability it should be removed altogether. Now, this is not true at all, because I KNOW this method is called using reflection. So I should just ignore this error (caution! static analysis tools are not perfect!). Otherwise I could simply open an IDE and correct the mistake.

Of course, Sonar remembers previous scenarios and can track the project life cycle (time machine, they call it). Ideally you should be tying Sonar to a Continuous Integration server (out of the box it includes a Hudson plug-in). I'm not gonna lie, quality requires effort, even if you're an outstanding programmer. Sonar will just help (a lot, actually) by providing visual and reporting tools, but expect a slow (sometimes tedious) climb to the top. Fortunately, in the end, it pays dividends. From
Published at DZone with permission of its author, Jose Noheda.
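
The reflection false positive described in the article, as an added example that is not code from the original post or from IWebMvc2: a private method with no static call site is reached only by name at run time, while a second method really is dead. All class, method and annotation names are hypothetical, and whether the rule engine behind a given Sonar finding honors `@SuppressWarnings("unused")` is an assumption to check against that tool.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;

// Hypothetical example class; none of these names come from IWebMvc2.
public class ReflectiveCallDemo {

    // Marker that documents "this method is reached via reflection" and
    // doubles as an allowlist for the dispatcher below.
    @Retention(RetentionPolicy.RUNTIME)
    @interface InvokedReflectively {}

    // No call site names this method, so static analysis sees it as dead
    // code. The suppression is narrow and sits next to the reason for it.
    @InvokedReflectively
    @SuppressWarnings("unused")
    private String onSave(String entity) {
        return "saved:" + entity;
    }

    // Genuinely dead: no annotation, no caller. A finding here is correct.
    private String onLegacyExport(String entity) {
        return "exported:" + entity;
    }

    // Looks the handler up by name at run time, which is the link the
    // analyzer cannot follow. Only annotated methods may be invoked.
    static String dispatch(Object target, String name, String arg) throws Exception {
        Method m = target.getClass().getDeclaredMethod(name, String.class);
        if (!m.isAnnotationPresent(InvokedReflectively.class)) {
            throw new IllegalArgumentException("not a reflective entry point: " + name);
        }
        m.setAccessible(true);
        return (String) m.invoke(target, arg);
    }

    public static void main(String[] args) throws Exception {
        ReflectiveCallDemo demo = new ReflectiveCallDemo();
        System.out.println(dispatch(demo, "onSave", "order-1"));
        try {
            dispatch(demo, "onLegacyExport", "order-1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Marking the reflective entry point keeps the suppression reviewable: the finding on the unannotated method still stands, and the dispatcher refuses any name that was not explicitly marked.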



Michal Huniewicz replied on Sun, 2009/07/12 - 3:01pm

Sonar is a wonderful tool and after you spend some time altering its behavior to fit your needs - it becomes an important part of your development environment. Cyclomatic complexity measure is often indeed a crucial factor for defining the quality of your methods. Integration with Hudson is pretty much seamless and all in all, there are rather few kinks (including the code coverage one - thank you for providing a solution for this, Jose). I definitely recommend that pair.

Mercer Traieste replied on Sun, 2009/07/12 - 3:21pm

Sonar is an excellent tool. We started using it in our company, and since then, awareness of quality issues has risen considerably.

Artur Biesiadowski replied on Sun, 2009/07/12 - 3:53pm

How is an unused private method related to performance?

Jose Noheda replied on Mon, 2009/07/13 - 2:13am in response to: Artur Biesiadowski

A description for every bug is available at Not that it includes much detail in this case, but my guess is having unused private methods makes the class bigger and hence more work for the class loader (and other tools like the compiler)

Jakub Holý replied on Tue, 2009/07/14 - 9:55am


The first task is downloading the project and installing it. It's trivial believe me (well as long as you know how to unpack an archive...). To run Sonar just go to the bin folder,  ...


Could you please be more specific regarding what to download? Neither IWebMvc nor have the mentioned bin/ directory.


David Parks replied on Wed, 2009/08/12 - 11:16pm

It's funny that you mention Gradle -- I found this post because it's what Google comes up with for "sonar gradle".  I assume that Sonar accesses a local Maven repo to know what projects to build stats for?  It can't be used outside of a Maven repo but Gradle integrates (stupidly easily) with them so there should be no problem...?  Also, does the default suite of quality metrics work with Groovy?  I've used some of the tools I see referenced on the Sonar page with Groovy with some success but I'd be amazed if they all worked or it knew not to run them on Groovy source.


