To give you the complete picture, I have to say that if you wish to go further on Design & Architecture you might want to use tools such as Structure101, SonarJ and Xdepends that are really pretty good. Sonar 2.0 features have been initially inspired by them.

Architecture

When talking about architecture the first priority is to remove cycles between packages by cutting undesired dependencies. That might sound like an evidence but among all well-known java projects continuously analyzed and available in Nemo, very few of them don’t have any cycle. The cycle concept is just a familiar entry point into Sonar which leads to more powerful information : how many dependencies between packages should be cut in order to remove all cycles ? How tangled is the overall architecture ? How many links between files do those dependencies represent ?

From the project dashboard, clicking on any above ‘architecture’ metrics, leads to a new visual tool : The DSM (Dependency Structure Matrix). DSM is a compact way to represent and navigate across dependencies between components. Depending on the navigation level, those components can be Maven modules, packages or files. Wants to know more about the DSM ? Here is the DSM user guide.

Object-Oriented Metrics

All Chidamber & Kemerer metrics are now available in Sonar : DIT, NOC, RFC, CA, CE, LCOM4. The most interesting Object Oriented metric is certainly LCOM4 (Lack of Cohesion of Methods) which can be used to hunt classes undertaking too many responsibilities.

Let’s take a simple example : a class whose LCOM4=3 means that 3 different blocks of methods/fields are fully unrelated and so the class is not cohesive. Of course this is possible to visualize those blocks into the resource viewer :

UI Improvements

Perfection is often a matter of detail, so new icons are now displayed into the Sonar interface to quickly know the type of each component :

Last but not least, all the underlying mechanisms used to extract dependencies graph from Bytecode, compute object-oriented metrics, create and sort the DSM, target dependencies to cut have been fully implemented in Squid by the Sonar team. This will allow to provide new features like dead code detection, calls to deprecated methods, architecture rules engine in future Sonar versions.

To find out more about Sonar 2.0 and the 50 issues that have been fixed, you can read the release note or maybe you prefer to download it to give a ride !

“At JTeam, we continuously strive for good quality code. The reason is very simple: bad quality code slows down the development process. The small investment pays out in even the simplest of projects.”

Sonar: a valuable tool for every Java shop
By Hans Westerbeek, 22 February 2010

“If your organization develops Java applications, chances are that Sonar could be very valuable for you. Sonar helps you calculate your technical debt by analyzing your project’s source code.”

Getting More Agile – 2009 in Review
By Thomas Ferris Nicolaisen, 21 February 2010

“With our mavenization efforts, we were recently able to make use of Sonar (which rocks, btw) instead of the old, more primitive (boring) Ant reports in Hudson.”

A Sonar Cobol Plugin
By SonarSource, 18 February 2010

Coming soon… “SonarSource has developed its own Cobol parser and packaged it in a Sonar Cobol analyzer. It allows to perform objective and automated Cobol code quality and standards reviews against pre-defined rule sets and coding best practices. It also generates standard code metrics like number of lines or density of comments”

Add code quality metrics to your GateIn Dashboard with Sonar
By Jeremi Joslin, 11 February 2010

“Sonar is an open source platform to manage code quality. It enables to collect, analyze and report metrics on source code. At eXo Platform, we use Sonar to manage and monitor the quality of our codebase.”

Sonar Integration for AnthillPro
By Eric Minick, 10 February 2010

“A Sonar plugin for AnthillPro is now available through Urbancode’s Supportal (support portal).”

Sonar SCM Activity Plugin version 0.1
By Evgeny Mandrikov, 27 January 2010

“People, who follow me on Twitter, already know about new plugin for Sonar developed by me. Meet – Sonar SCM Activity Plugin.”

Java Build Server
By Manuel Küblböck, 23 Januray 2010

“In my last Java project, I set up a build server with Continuous Integration (CI) capability. I am a big fan of Test Driven Development (TDD) and I quite enjoyed Hudson telling us right away when someone checked in code that broke the build. It just gives you so much more confidence in your code and keeps it releasable at all times. In addition, we used Sonar to measure the quality of our code.”

• How long does it take to get valuable feedback ?
• How often was the build broken in the given period ?

Once installed, this plugin is automatically launched by Sonar on every project as long as the Maven pom.xml file contains a “ciManagement” node or that CI engine URL is configured in the plugin. The following new widget is then displayed in the Sonar web interface :

• Secure a Sonar instance by forcing login prior to access to any page
• Make a given project non accessible to anonymous
• Allow access to source code (Code Viewer) to a given set of people
• Restrict access to a project to a given group of people
• Define who can administer a project (setting exclusion patterns, tunning plugins configuration for that project, …)
• Define who can administer a Sonar instance

All those use cases can be implemented through the Sonar web interface and will take effect immediately. The way security is handled in Sonar is pretty classic as the security policy is based on the following three concepts : user, group and role (global or by project). Let’s take the example of the “Project roles” page available at project level :

Three roles are available at project level : Administrator, User and Code Viewer. Users and/or a groups of users can be associated to each of those roles to get the required permissions.

User and group can be first created through the “Users” and “Groups” services available in the administration configuration section. Here is the screenshot of the “Groups” service :

That was authorization, let’s now talk about authentication. By default, user authentication is done against the Sonar DB (user table) but an external authentication engine can also used : OpenLDAP, Microsoft Active Directory, Apache DS, Atlassian Crowd … Three identity plugins already exist : two open source LDAP Plugin, Crowd plugin and a commercial one Identity Plugin. They all use the public Sonar authentication extension point.

To conclude, it is possible since Sonar 1.12 to easily implement a robust enterprise security policy. Those new functionality have been done with no impact whatsoever on Sonar users who do not want to activate security and want to keep full transparency.

• Install the gadgets
• Exo and GateIn Sonar instance
• Source code of the Sonar gadgets

• The Open Source product you provide to users must be great: the Open Core should stand on its own as something truly useful without any additional commercial add-ons. The software must perform well in a production environment.
  
  This is so true that many Sonar users don’t even know the existence of SonarSource




• The Open Source product you provide should go through an ungodly amount of testing and QA. Testing and QA on the Open Core are the cornerstone of quality and should not be reserved for commercial versions of your product.
  
  The Sonar core is covered by about 1′300 unit tests and 150 integration tests (most of them are selenium tests) which are executed by two continuous integration server. Of course we run Sonar on Sonar on a daily basis and we do performance profiling before every release. SonarSource’s plugins are extensions of Sonar, not a kind of professional packaging : they fully depends on the quality of the core.




• The Open Source product you provide should be architected such that all commercial features are plug-ins to the Open Core.
  
  The Views, Master project, PL/SQL and Identify plugin are fully based on Sonar extension points and nothing more.




• The Open Source product you sell should have completely open pricing. If someone cannot clearly see what your pricing is and what the difference is between your open and commercial versions, you likely have a predatory and opportunistic pricing model
  
  I believe it is the case.

With the the adoption of LGPL and the respect of those four principles, you can definitely Come in, we’re open !.

• A dynamic development activity on Sonar core with 7 major releases since 1.5.
• The transformation of Sonar from a tool to an extensible platform with more than 20 extension points.
• More than 30 open source plugins have been build to extend Sonar core using those APIs, and more that are not open source.
• the number monthly downloads has been multiplied by 10 during the year from 300 to 3,000.
• Sonar has been given a heart called Squid that makes Sonar much more than an integration tool. Several metrics that do not exist elsewhere are calculated by Squid.
• More than 4′000 emails exchanged on mailing lists and 1,000 Jira issues created.

So after all this, what could be an exciting challenge for 2010 ? We have set ourselves 2 very ambitious objectives for 2010 which should make the Sonar community continue growing :

• Design analysis : we like to say that there are seven technical axes of code quality analysis (we call them the seven sins of the developer). Sonar currently covers sixth of them and the last one is for us the most important one with unit tests : Design & Architecture. Sonar 2.0 planned for February will start covering the 7th axis with O.O. metrics like LCOM4, RFC, DIT … cycles detection and DSM at package and class levels. All those information will be of course provided by Squid. Moreover, an architecture rule engine should quickly appear after Sonar 2.0.
• Multi-languages : last but not least, give a real go at other languages. By the end of the year, we expect that plugins are available to cover properly : Java, PL/SQL, Flex, C/C++, Cobol, PHP and maybe more :-)

Here is a part of the program for 2010. I have now to leave you to start working on this as I think I will not have much spare time this year !

Users, groups and project roles

One of the most voted feature in JIRA is the ability to manage credentials at project-level. Sonar now embarks a complete user management mechanism to secure any Sonar instances by defining who can access and administer each project. User management is both simple and flexible : add new users, group them and associate them project roles : Administrator, User or Source code viewer.

Highlighted code syntax

Because code is not just a bunch of plain black text, it becomes pleasant to read it and it’s now much easier to eradicate commented-out lines of code (see line 97) :

Ignore violations with the new ‘//NOSONAR’ comment

The NOSONAR tag tells Sonar to ignore all violations on a specific line whatever rule engines are being used to scan code. Of course, Sonar is still able to manage widely used //NOPMD and //CHECKSTYLE:OFF … ON. We have simply added a native way to manage false positives. This feature is a real improvement for users that have activated Findbugs rules as there was no clean way to tag a Findbugs as a false positive : there is now ‘//NOSONAR’.

Better source viewer

As surprising as it can be, the full package name was not displayed in previous versions : it is fixed now. Moreover the number of public APIs is added to the header. In Sonar, a public API is either a non empty public constructor or a public method that is not an accessor and does not starts with the ‘@Override’ annotation.



Quickly get the key of the rule that has been violated and click to get the full description :

Highlight ratio of duplicated lines with treemaps

Treemap color is now red when 50% of lines of code are duplicated. It was 100% in previous versions.



You can read the release notes to find out more on the 62 issues that are being fixed in the release… or you might want to give it a go right now !