Sonar

Sonar Radiator plugin to keep an eye on quality all day long !

Olivier Gaudin — Wed, 11 Nov 2009 12:58:05 +0000

After the integration of two Google components (Motion Chart and Timeline), we are releasing the last of a series of three nice and sexy plugins : The Sonar Radiator Plugin, aka big treemap.

The radiator is available in the home page as well as on the project dashboard. It works the same way the standard treemap does : you can choose pretty much any metric to represent the size of rectangles and any qualitative metric for their color. When you click on any project name, it will display the so-selected project. Although looking very similar, the radiator has 3 big advantages over the standard treemap :

It is bigger and therefore much more readable
When you left click in the rest of the rectangle, it drills down
When you right click in the rest of the rectangle, it drills up

I really like this components because it fills immediately two gaps : first you can navigate within projects in a very efficient way, having the big picture immediately on the chosen metrics. Secondly, you can display the radiator on a wall and let your teams compete for the code quality award.

Put Sonar Gadgets on your JIRA Dashboard !

Olivier Gaudin — Thu, 05 Nov 2009 17:30:58 +0000

Ross Row won last week the Atlassian Codegeist Competition in the OpenSocial Gadget Category with his Sonar Gadget. Congratulations to Ross who has done a great job so far working on the Sonar integration with the Atlassian suite.

This integration is well summarized by Jesse Gibbs in his article Put Sonar Gadgets on your JIRA Dashboard ! where he also mentions the two new Bamboo Sonar Plugins.

The Sonar Timeline Plugin, a great addition to TimeMachine service

Simon Brandhof — Wed, 04 Nov 2009 10:45:46 +0000

Straight after the Motion Chart, the Google Visualization Annotated TimeLine component gets integrated to Sonar with the Timeline Plugin.

This is really a great addition to the TimeMachine functionality as this component offers a higher flexibity : you can select up to 3 metrics and then view their evolution throughout pre-defined periods (last 5 days, last month…) or a custom period. The functionality is as usual available for projects, modules and packages.

To add the functionality to your Sonar instance, you can download the plugin and start replaying the past.

The most sexy plugin of the Sonar forge

Simon Brandhof — Wed, 28 Oct 2009 17:12:34 +0000

Last week, the most sexy plugin of the Sonar forge was released : the Motion Chart plugin ! This animated bubble chart as I used to call it can handle up to 4 custom dimensions throughout time : X-axis, Y-axis, color and size of the bubbles.

Once installed, a new link “Motion chart” is available both on the Sonar home page and on each project to respectively play with all projects or all components of a given project. It is really impressive to see bubbles moving along with time and code quality evolution.

I am sure you cannot wait to give a try to this new plugin on your own Sonar instance… or maybe you prefer to watch a quick demo first !

How to measure WTFs in Sonar ?

Olivier Gaudin — Thu, 22 Oct 2009 16:54:25 +0000

The WTF per minute has become a buzz in the past few weeks and almost a kind of reference in the code quality world :-). Just for fun, a new version of the Sonar taglist plugin has been released to be able to count the number of time "// WTF" has been cried and written in the source code. With a small addition to the plugin, it would even be capable of reporting on a density of WTFs by minute, hour, day… but shortest jokes are the best.

Despite all its noisy strengths, the WTF suffers from a major weakness : it is a human based judgment at a certain point in time and space. That is why, this can be complemented with an other plugin to evaluate the technical debt of a project. Between the two plugins is going to be the truth !

Bring a new dimension to Sonar with the Views Plugin

Sonar team — Wed, 14 Oct 2009 13:51:36 +0000

The community has started several months ago to request a plugin to group / aggregate projects in Sonar. This plugin was released a couple of days ago under the name : Sonar Views Plugin. It is a commercial plugin edited by SonarSource that goes beyond the community initial expectations.

The Views Plugin enables to create any kind and any number of aggregation trees. Here are few examples :

Recreate inside Sonar the company internal organization : projects can be grouped by applications, applications by team, teams by department…
Group projects by type : libraries, web applications…
Separate legacy projects from new ones

Each node in the tree is called a view and the leafs are the projects. There is no limit in depth for the trees. The management of the tree is done through a user friendly web administration tool :

Once you have defined and created views, you can start following quality in their Dashboard. It means that you can start setting objectives to group of projects and follow the view with the TimeMachine service. You can follow for instance the technical debt of your complete project portfolio. Here is the Apache Forge Dashboard available on Nemo (the public instance of Sonar) :

From there you are able to define action plans by using the well-known services : Hotspots, Clouds, Violations Drilldown, … The project is then to the view what the file is to the project :

At a glance, you can manage all the violations of your project portfolio. If a specific rule is violated, you immediately know which projects are in trouble :

Want to give it a try ? Visit the plugin page to request an evaluation license key. Have fun !

Sonar 1.11 in screenshots

Simon Brandhof — Tue, 06 Oct 2009 09:17:13 +0000

We’re happy to announce the release of Sonar 1.11. This new version contains more than 60 issues that have been resolved amongst which improvements, bug fixes, technical migrations and also several new features. Here are the most important ones in screenshots :

Components page

This new service provides a new way to explore components of a project, module and package. It brings at project level the functionality available on the home page already.

Commented-out lines of code

Commented-out code is bad ! If you are not convinced, you should read this article by Robert C. Martin explaining why such comments must be deleted. Sonar now provides a unique feature to track down those lines.

Branch coverage

Branch coverage has been added to Sonar and the coverage metric now mixes line coverage and branch coverage. Thanks to Andreas Klug who provided a patch for this functionality. The new metric is available in the dashboard :

and in the resource viewer :

On the invisible side, the purge mechanism has been greatly improved, enabling better support of multi-modules maven projects and better performances globally.

More information are available in the release notes. You can give it a go right now !

A new addition to the Sonar team

Olivier Gaudin — Mon, 05 Oct 2009 08:45:32 +0000

We brought back a little pinguin from Open World Forum last Friday !

Sonar to identify security vulnerabilities

Freddy Mallet — Thu, 24 Sep 2009 13:22:09 +0000

During the last few months, Sonar has definitely become the leading Open Source Platform to manage Java code quality. The objective to democratize access to code quality is becoming concrete.

However when analyzing source code, quality is only one aspect of things. The ultimate platform should be able to handle Quality, Security and Architecture. Sonar 2.0 will take care of Architecture with a DSM and several valuable Object Oriented metrics.

What is the plan to handle Security ? Technically speaking, there is no difference between a quality rule and a security rule. They both consist in writing a piece of code that analyzes an Abstract Syntax Tree (AST) or the bytecode depending on what needs to be done.

Sonar already embarks a bunch of security rules that detect security vulnerabilities. What is really missing today in Sonar is the possibility to group rules by security categories. This will be implemented at some point in time with tags associated to each rule. For now and for people concerned by Security, there are two solutions to detect security breaks. First is to use the Security Rules Plugin that highlights files with such breaks. The second one is to look directly at available security rules :

SQL Injection Vulnerability

Read this very well-written page on the OWASP web site, to quickly understand why you should activate the two following Findbugs rules :

Nonconstant string passed to execute method on an SQL statement
A prepared statement is generated from a nonconstant String

Password Management Vulnerability

Those two other Findbugs rules will create respect for the person who someday invented the word “password”

Hardcoded constant database password
Empty database password

Error Handling and Logging flaws

When there is an airplane crash, the black box is the only way to perfectly understand what happened to be able fix the root cause. A software has its own black box, and the following PMD rules will make it effective :

Preserve Stack Trace.
Avoid Catching Throwable
Exception As Flow Control
Avoid Throwing Null Pointer Exception
Avoid Print Stack Trace
Avoid Using System Println

Insecure direct object reference

Do you feel confident to give the keys of your car to somebody you don’t know ? To avoid this, here are the Findbugs/PMD rules that should get activated :

May expose internal representation by returning reference to mutable object
May expose internal representation by incorporating reference to mutable object
May expose internal static state by storing a mutable object into a static field
Public static method may expose internal representation by returning array

And some more…

Do Not Call System Exit
Servlet reflected cross site scripting vulnerability
…

Those available rules are a good start to identify security vulnerabilities. If you want to increase the set of existing rule to help Sonar grow on the subject, please create Jira tickets on the “Security rule” component to request for new rules.

SonarSource is short listed for Open Innovation Awards

Olivier Gaudin — Fri, 18 Sep 2009 08:35:56 +0000

On 2 October 2009, during the Open World Forum in Paris, twenty companies innovating in the Open Source sector will each have an opportunity to make a 7-minutes presentation to Venture Capitalists and major systems integrators to promote their company and projects.

They will also compete for the “Open Innovation Awards” that will be awarded by an international jury of experts to the most promising businesses innovating in the Open Source sector

The Open Innovation Awards’ Jury yesterday announced the list of the top 20 open source innovative startups that will be invited to present at the Open Innovation Summit on the 2nd of October : SonarSource is one of them !