Assessing Code Quality with Sonar
By Mike McGarr, 1 May 2012
I recently joined a development team where I was asked to help improve the team’s code quality and engineering practices. Soon after joining the team, I noticed numerous code quality issues that needed to be addressed. In order to justify the effort to improve code quality to non-technical decision makers, I needed a quantitative method for measuring the quality of the source code and possibly the technical debt. I had heard a lot about a tool called Sonar, so I decided to give a try…

Java quality management with Sonar
By Tobias Hofmann, 16 April 2012
Quality of software projects is a huge topic and most of the time is focused around management of the project: agile, change management, etc. An area of equal importance is code quality. For most programming languages a QM product is available. SAP with ABAP comes with code quality tools, and because Java has an enormous eco system, Java also does have a wide range of code quality tools available…

Integrating Sonar with Eclipse
By Tobias Hofmann, 20 April 2012
Sonar comes with a killer feature: Eclipse integration. This does not only mean that there is an Eclipse perspective available, but Sonar findings can be used with Mylyn…

Sonar Upgrade
By Jean-Pierre Fayolle, 27 April 2012
It’s been a while since we talked about Sonar. I was a bit busy recently to discover new territories so I am late in the update of my Sonar environment. Furthermore, there is a new release 3.0 with a bunch of new features. So without further ado, the time has come for a Sonar upgrade…

Part 3: Play Application – Code analysis with Sonar
By Ionut David, 5 April 2012
The Play Framework is new around the block so the written is “not so pure OO code”(lots of static methods or POJOs with public fields) so the default sonar rules are violated. Because of this you will need to customize the sonar rules. I have checked the web for sonar play plugin but didn’t found anything so I have used the sonar-ant-task v.1.3. Before going ahead check if you have the !Play framework installed. If not read CI Part 1 to see how to install it. Also you will need Ant installed on your machine

The team has been working for the last 2 years on Sonar 2.x versions, adding support for Continuous Inspection to manage Technical Debt. With Sonar 2.14, we felt that we had reach functional maturity for this support and that adding stability would make it a great candidate for a major release: Sonar 3.0.

Along with the new version, SonarSource is also launching a new commercial plugin, the Developer Cockpit, which enables each developer to see his own contribution, and a new web site.

But let’s come back to the specifics of Sonar 3.0: this new version includes 40+ improvements and fixes 40 bugs, that are described below in screenshots:

Enhanced Settings

This was a highly demanded improvement to provide support for encryption of the database password :

Documentation is available here.

And we also added the masking functionality for passwords in the UI:

along with enhanced UI for support of types of parameters

and added information for licenses

New TimeMachine Dashboard

TimeMachine is now fully widgetized and provided as a default dashboard:

Enhanced Management of Permissions

The service has been improved by adding a search engine and improving the UI:

Define Alert Thresholds on Boolean Metrics

Support for alerts on boolean metrics has been added:

New Metric: Number of Projects

A new metric has been added that provides the number of projects. This is very useful when you look at an aggregation of projects (Views plugin) or at a developer’s dashboard (new Developer Cockpit)

Other changes that are more difficult to show in screenshots: Hide Empty Source Viewers and JaCoCo Exclusions for Java Projects.

Time now to let you give a try to this version 3.0. Release notes are available in the download page. Please do not forget to read the installation or upgrade guides.

Code Quality Metrics with Sonar, Part I
By Akrem Saed, 5 March 2012
was fortunate to be able to attend the 2011 edition of No Fluff Just Stuff . One of my favorite presentations was by Matthew McCullough on Sonar . Hence, when the issue of code metrics was raised at a client, Sonar seemed like the right tool to use. Our client wanted to explore ways to measure and enforce software and code quality metrics. Their goals were to have quantitative measurements of their code quality and analyze those metrics to come up with a set of benchmark measurements. They wanted to utilize Sonar to discourage bad practices.

Pros and Cons of the LCOM4 metric in Sonar
By Andreas Ebbert-Karroum, 28 March 2012
In our projects, we use sonar to detect quality flaws in our sources as early as possible. An important metric is LCOM4: Lack of Cohesion of Methods IV. It measures how related the fields and methods in a class are. If everything is related within a class, that’s the best case. If LCOM4 is greater than 1, the class is suspicious to violate the Single Responsibility Principle. The class might be responsible for more than one thing, and is a candidate to be split into two ore more classes in a refactoring. At least in Theory…

The Incredibles: Some of my favorite Java tools.
By Parksy’s Recreation, 5 March 2012
I love programming. It gives me a sense of accomplishment when I solve a particularly difficult problem. I occasionally get so wrapped up in what I’m doing I lose track of time and spend a few extra hours at work. Obviously there are a lot of other programmers out there that feel the same way. An old friend of mine coined it something like this: “Managers don’t get it, we love coding so much that we’ll sit and squirm in our chairs until we have to go to the bathroom.”

When creating the ultimate developer image, which Java tools get included?
By Cameron McKenzie, 7 March 2012
About once a year, I recreate a computer image that I will inevitably reinstall time and time again, depending upon whether I’m starting a new project, playing around with a new technology, or just trying to bring my environment back to something that is clean and fresh. Every time I do this, I sit there and think about the key pieces of software that I need…

The Tools You Need To Build Enterprise Software – All You Need is Open Source
By Partha Bhattacharjee, 28 February 2012
Let me share a secret with you. There is only a handful software tools, mostly free, that are sufficient enough for managing design and development activities for most of your java based projects. In my career spanning across the globe for more than a decade now, I have seen so many combinations of (mostly non required, pricey, and inept) supporting software, that I am compelled to write down a list of what I consider are must haves (not necessarily free, but worth the price if they are commercial).

Sonar Code Quality tool – Maven integration
By Suyambu, 2 March 2012
In this blog, i am presenting you the integration of Sonar code quality tool with Maven. Sonar is a powerful code quality tool Which leads the control of quality of code in different phases of the project life cycle. Sonar has got a very efficient way of navigating, a balance between high-level view, dashboard, TimeMachine and defect hunting tools…

Common Sense and Code Quality, Part 1
By Partha Bhattacharjee, 9 March 2012
If you are involved in a software project (as an individual coder, technical team lead, architect or project manager) chances are that code quality might not be the first thing on your mind. However, the truth is, it needs to be on everyone’s radar. It is one of those things that needs well thought out strategy and continued focus throughout the project’s life-cycle. Otherwise it simply spirals out of control and comes back to bite when the project can ill afford a quality issue.

Dangerous can be dating in java , joda and sonar to the rescue!
By Mestachs, 17 March 2012
How many bugs in 5 lines of code ?
Date date = new Date(2007, 12, 13, 16, 40);
TimeZone zone = TimeZone.getInstance("Europe/Bruxelles");
Calendar cal = new GregorianCalendar(date, zone);
DateFormat fm = new SimpleDateFormat("HH:mm Z");
String str = fm.format(cal);
Just 6 bugs !

In 2011, a lot of efforts were invested for supporting Continuous Inspection. This year, we will continue to increase the value of the platform by bringing new and unique functionality, enforcing integration to development environment, consolidating support of existing languages and adding new ones.

Complete support of Continuous Inspection

The plan for this year is to complete what was started on Continuous Inspection last year and add the ability to:

• customize the workflow for reviews
• create a review at any place in the code
• change severity of a violation
• group reviews into an action plan
• track project activity through widgets
• get notified in case of new violations on a project
• improve accuracy for new violation detection mechanism

Most of this was completed already as it was part of Sonar 2.13 and 2.14

Developer Cockpit

Since developers have now the ability to understand and follow continuously the quality of their application, this is now time to provide them with a service that shows their own contribution to projects: the developer cockpit. The idea is that the developer will have access to a dashboard similar to the current one that will show only his data.

Global / Governance dashboards

The platform already allows to customize project dashboards but there is currently no way to create global dashboards to get for example in the same page :

• the list of projects with a technical debt that increased during the past 30 days
• my most valuable measures on my favorite projects
• the reviews that were created last across all projects
• the open reviews assigned to me
• the last quality default I introduced
• …

Code analysis technology

SonarSource is going to open source its source code analysis technology “SSLR” to make it available for all Sonar plugins. The objective is to make all languages plugins, whether open source or close source, better. SSLR will provide all standard and complex stacks to analyse code : lexer, preprocessor, parser, AST generation, symbols table, XPath requests on AST, control flow… The first language we are looking at improving then is going to be Javascript.

Code Churn metrics

When doing refactoring and fixing quality defects, it can be very valuable to know what has been the activity during the past months on the source files we’re working on. Indeed the ROI of the same kind of refactoring can be far more important on files which are often updated than on files that haven’t changed during the past two years. That’s another input to determine the priority of remediation activities.

Language coverage

On the language side, this year was prolific already with the contribution from the community of a python and a delphi plugin. But this is not it ! Two c++ plugins are under construction, one from the community and one from SonarSource. This is all good news for the ecosystem.

Additional effort is going to be made on the improvement of existing languages:

• Release of a version 1.0 of Flex plugin where any remaining dependency on Maven will be removed
• Ability to not use anymore Toad with the PL/SQL plugin (2 releases of te plugin already this year)
• increase drastically the number of rules in C (+ 30 already)
• release of a version 2.0 of the SAP ABAP plugin

Various

Here is a list of various improvements and functionality that will enhance the platform:

• Detection of cross-project duplications for all languages
• Support for authorization in the LDAP plugin
• Differential analysis in Eclipse
• Encryption in analysers of DB credentials
• This might be the year for Idea plugin

That is it, we are now waiting for you on the user mailing list to discuss all this and define the exact use cases that should be covered!

Here are screenshots of what has changed in the user interface:

Cross-project copy paste detection for all languages

What was already there for Java language since Sonar 2.11 is now available for all languages, the ability to detect cross project duplications:

Dashboard for reviews

The 2.14 distribution comes with a default dashboard for reviews that can of course be customized. This provide a great insight of where you stand with reviews and violations :

Email notification on new violations

This is now possible on a project to subscribe and receive an email when a new violation is added :

Notes on rules

Two distincts functionality have actually been added :
First the ability to extend the description of a rule to give more details for example. This is going to follow the rule in every profile and will also be available when clicking on a violation:

But we have also added the ability to comment a rule in the context of a specific quality profile, to comment for example why it has been assigned a high priority or a special threshold :

Enhanced violations widget

When displaying a dashboard in a differential mode, what was displayed prior to Sonar 2.14 was the net number of violations. It missed an important piece: how many violations were added and how many violations were fixed during the period ? This information is now available:

Enhanced file header

On top of seing in which module a file belongs to, you can also now quickly add/remove a file from favourites :

Enhanced treemaps

We have now replicated the navigation mechanism of the radiators plugin within the treemap, enabling smooth navigation from highest level to source file:

Enhanced login

Context of navigation is now kept when logging in : the user is redirected to the page he came from. This makes sharing of permalinks easier.

Time now to let you give a try to this version 2.14. Release notes are available in the download page. Please do not forget to read the installation or upgrade guides.

Technical Debt – How much is it Really Costing you?
By Jim BIrd, 13 February 2012
The idea behind the technical debt metaphor is that there is a cost to taking short cuts (intentional technical debt) or making mistakes (unintentional technical debt) and that the cost of not dealing with these short cuts and mistakes will increase over time. The problem with this metaphor is that with financial debt, we know how much it would cost to pay off a debt off today and we can calculate how much interest we will have to pay in the future…

Separating Integration and Unit Tests with Maven, Sonar, Failsafe, and JaCoCo
By Jakub Holy, 8 February 2012
Goal: Execute the slow integration tests separately from unit tests and show as much information about them as possible in Sonar. The first part – executing IT and UT separately – is achieved by using the maven-failsafe-plugin and by naming the integration tests *IT (so that the unit test running surefire-maven-plugin will ignore them while failsafe will execute them in the integration-test phase and collect results in the verify phase).

Wish list of bugs to make the Releng and QA world better
By Mickael Istria, 20 February 2012
That’s now a few weeks since I joined the JBoss Tools and JBoss Developer Studio team and started working on build. JBoss Tools is a HUGE amount of code, with about 35 components (or modules in Maven terminology) that are aggregated in a way that can be compared to the Eclipse release train, and that all use a “Common Build Infrastructure” based on Maven/Tycho to perform build and Jenkins to trigger it.

Centralized Management of Code Quality
By Ian Skerrett, 23 February 2012
Our vision for Agile ALM Connect is to bring together the leaders of different tools that are being used across the application lifecycle. Therefore, I was very happy that Olivier Gaudin, co-founder of the Sonar open source project, agreed to speak at Agile ALM Connect about how continuous inspection of code is an important aspect of continuous delivery.

SonarSource: Visualizing Technical Debt
By Tom Van Doorslaer, 24 February 2012
Every righteous developer pays attention to the quality of his/her code. Still this is many cases a very personal process and not every developer involved on a project will measure by the same quality standards. Some don’t even bother about the quality at all. This means that sub-par code may end up in production and as a result, drag the overal quality of work down. It’s nearly impossible to avoid this, unless by hand checking every single transport and not approving anything until quality is up to the level. So the need for a central code aggregating and validating system grows. Something like, SonarSource.

Sonar’s Eclipse Plugin
By Tom Wessels, 29 February 2012
Sonar is an amazing tool that you should check out if you haven’t already. Start by looking at Sonar’s analysis of its own code. I think most Sonar users have it running as part of a regular build process, such as a nightly build, and review the results via the web application. But sometimes you want faster feedback without the context-switching required when flipping between a web browser and your code. In these cases, Sonar’s Eclipse plugin can be handy.

Code Review and Static Analysis
By Will West, 16 February 2012
What’s the difference between static analysis and code review? Static analysis can tell you if you are violating best practices or have common errors in your code. Code review can tell you that your code conforms to customer requirements and is actually correct. At SmartBear, we espouse that to ensure the most software quality with the least time investment, development teams can benefit from both techniques. Our view is that code review complements static analysis, because when conducted together, they provide development teams with a complete picture of their code base.

Putting Your Technical Debt Under Control with Sonar
By Jack Frosch, 1 Feb 2012
Presentation: Companies fail all the time because they accumulate more debt than they can ever repay. Likewise, software projects fail all the time when their technical debt gets out of control.

Sonar open source quality management tool
By Tejas Bavishi, 3 February 2012
Sonar is a vast open source tool, so not possible to summarize everything. It is a platform to manage code quality and analyse static code. Features: …

But why does copy paste matters from a code quality point of view? How can you benefit from Sonar to improve this? Let’s try to figure this out.

What is duplicated code?

Let’s try to answer what sounds like a pretty simple question: what does “duplicated code” mean? Let’s consider following four code fragments. They all will print 34, but are they duplicated?

int[] a = new int[10];
a[9] = 0;
a[8] = 1;
for (int i = 7; i >= 0; i--) {
a[i] = a[i+2] + a[i+1];
}
System.out.println(a[0]);


int f(int i) {
if (i == 0 || i == 1) return i;
return f(i - 2) + f(i - 1);
}
System.out.println(f(9));


int[] a = {34, 21, 13, 8, 5, 3, 2, 1, 1, 0};
System.out.println(a[0]);


int[] b = {0, 1, 1, 2, 3, 5, 8, 13, 21, 34};
System.out.println(b[9]);


Well, this is not entirely a fair question, because there is no agreement in the research community on the exact notion of duplication. Ira Baxter’s definition (2002) of clones expresses this vagueness:

Clones are segments of code that are similar according to some definition of similarity.

We can rephrase this more formally:

• Code fragment (code region / portion / segment) is any sequence of code. It can be of any granularity, e.g., function definition, begin-end block, sequence of statements or sequence of tokens.
• A code fragment CF2 is a duplication of another code fragment CF1 if they are similar by some given definition of similarity, that is, f(CF1) = f(CF2) where f is the similarity function.
• Two fragments that are similar to each other form a duplication pair (CF1, CF2) and when many fragments are similar, they form a duplication group.
• We prefer term “duplicate” (“duplication”) over “clone”, because at least it doesn’t clash with a name of clone method in Java.

According to this definition, we still can have different notions of duplications depending on definition of similarity function. Moreover – human judgment of duplications is an issue and varies among experts. In one of experiments, for more than 60% of automatically detected duplications, three experts disagreed whether the fragments are really duplication or not. Even in SonarSource from time to time we have disputes about some code fragments. Let’s make our life a bit simpler by using the following less formal definitions of a similarity function (in literature those definitions typically called types of duplications):

1. Identical code fragments except for variations in whitespace (may be also variations in layout) and comments.
2. Structurally / syntactically identical fragments except for variations in identifiers, literals, types, layout and comments. The reserved words and the sentence structures are essentially the same.
3. As previous, but with further modifications – statements can be changed, added and / or deleted in addition to variations in identifiers, literals, types, layout and comments.
4. Code fragments that perform the same computation but implemented through different syntactic variants.

You can try to use those definitions for given fragments by yourself to see difference ;)

How is such code typically created?

Here are some examples of why duplication occurs:

• Reusing existing code by copying and pasting (with or without minor modifications) is the simplest form of reuse mechanism in the development process, which results in duplicated code.
• Code may be borrowed from another system, which may not be modified. In such situations, the only way of reusing the existing code is to copy and paste with required changes.
• Generating code with a tool using generative programming may produce huge duplications because these tools often use the same template to generate the same or similar logic.
• Sometimes programming languages do not have sufficient abstraction mechanisms, e.g., inheritance, generic types or parameter passing, thus developers forced to repeatedly implement these as idioms, which leads to small and frequent duplications.
• Duplications may be introduced by accidents: side effect of developers memories; coincidentally implementing the same logic by different developers.
• I really want to believe that this is not about readers of this blog, however sometimes productivity of a developer is measured by the number of lines produced per day. In such circumstances, developers focused on reuse of the same code again and again by copying and pasting, instead of following a proper development strategy.

Why you should pay attention on such code fragments?

• Propagation of bugs: if a code fragment contains a bug and this fragment is copied, then the bug will exist in all pasted fragments. More generally, duplicating code will also duplicate the associated technical debt.
• Increased maintenance cost: any maintenance required on a copied code fragments will certainly need to be applied on the pasted ones, i.e. duplication multiplies the work to be done.
• Increased time to understand and thus to improve/modify existing system if it contains a lot of duplications, because differences must be studied by developers before modifications.
• As an indicator of a bad design, lack of good inheritance structure or abstraction.
• As an indicator about copyright infringement.
• Last, but not least – you can’t manage what you don’t measure.

In summary, this practice is evil !

What can Sonar offer to you?

Prior to version 2.11, Sonar was relying on PMD-CPD to detect duplicated code. PMD-CPD is a good tool with a great history which uses Karp-Rabin algorithm for list of tokens and is able to detect duplications of type 2 and partially type 3. But it also has some drawbacks:

• It requires a lot of resources, especially on the memory side and thus is not hardly scalable on a large code base with millions of lines of code.
• As a consequence of the previous point, the copy-paste detection is limited to boundaries of a single module / project.
• Impossible to tune underlying algorithm to prevent false-positives and to increase precision.
• No easy way to cover new languages without having a full lexer.
• We observed that results may slightly vary depending on operating system where analysis was done.

Because of those drawbacks, we decided to implement our own library sonar-cpd to detect duplicated code. The first brick was created during Google Summer of Code 2011. And we should say a big thank you to the participants for their ideas, suggestions and efforts to help us. This first baby step already gave us a good feedback with Sonar 2.11:

We noted comparable performances:

We noted also lower memory peak :

With sonar-cpd, results are more accurate, controlled and predictable. The detection is based on “statements” and therefore we are able to detect duplications of type 2 and partially of type 3 (maybe one day we will go further) and we can reduce amount of false-positives (like repeated blocks of import statements for example).

And last but not least : because of the significant improvement in terms of performances, we are now providing the ability to detect cross-project duplications. This feature is for now only available for Java but this limitation will disappear in Sonar 2.14.

In summary many more opportunities for abstracting and mutualizing code, how cool is this!

Let’s start with a short version of this retrospective. Last year was made of:

• 8 releases of Sonar
• 110+ releases in the ecosystem
• 55,000 downloads of Sonar
• 10,000+ messages on mailing lists

So I suppose we can call this a pretty active year for the community. Now, the longer version:

The Plan

One year ago, we had the following ambitions :

Track changes : The next step is to provide the ability to report on code coverage of new source code. This is to ensure that whatever legacy code is there, teams have the ability to monitor the coverage by unit tests on added code if they wish.

Since Sonar 2.7 and with help of the SCM Activity plugin, this magic feature is available.

Code Review : This is really the next strategic move for the Sonar platform : add a manual dimension to the automated one to provide a complete code review tool.

This was a major change to accomodate into the platform and we therefore decided to adopt a baby step approach. The full functionality was delivered over 5 releases, from 2.8 to 2.12. Here is what the platform now covers:

• Review a violation
• Comment, assign, plan a review
• Flag false-positive violations through the UI
• Create manual violations through the UI
• Change the severity of a violation through the UI

Next step will be to provide the ability to customize the review workflow and its related permissions.

Language consolidation : Provide a Squid-like engine to the C# plugin to make it more robust

It took us 6 month with the great help of Alexandre Victoor to rewrite the C# plugin that embeds its own C# parser and natively supports visual studio projects.

Language consolidation : Improve the C parser to gain robustness, support non ANSI-85 extensions and increase significantly the number of rules available

We haven’t worked as much as we wanted on this C plugin and so the number of rules remains limited. That’s why we’ve already started working to implement the MISRA-C standard.

Language consolidation : Improve the PL/SQL plugin to provide currently missing metrics

A PL/SQL parser has been written to provide all those metrics and to start implementing some new rules outside the Toad CodeXpert tool.

Sonar Eclipse : Now that we have a stable version 1.0 of the plugin, we can start building on it. The objective for this year is to provide capability for running local analysis inside Eclipse

This local mode is now available but in fact the greatest new feature of Sonar Eclipse is certainly the integration of Mylyn to manage reviews directly from the IDE.

Support New Bootstrappers : We have started last year some background work to decouple Sonar from Maven. This work will enable us to support 2 new mechanisms for bootstrapping analysis in Sonar 2.6 : an ANT task and a Java runner. Next step is to also provide Gradle bootstrapper.

DONE, DONE, DONE, Sonar is now fully decoupled from Maven but if you want to use the power of Maven along with Sonar, it is of course still possible.

JaCoCo Integration : We intend to make 2 major integrations of JaCoCo into Sonar this year. The first one is to integrate it into Sonar core. The second one is to provide ANT integration of JaCoCo and therefore provide a simple way of gathering code coverage when you execute unit tests from ANT.

DONE & DONE.

Beyond the Plan

Obviously, we did not plan for all upcoming innovations for the year. Here are three major features of Sonar that weren’t planned and that have been implemented:

• Sonar CPD : this new technology introduced in Sonar 2.10 will fully replace PMD CPD in Sonar 2.14 and allows to track cross-projects duplications
• i18n : Since Sonar 2.10 the Sonar UI can be in spanish, french, greek…
• Email notifications : Since Sonar 2.10 a user can subscribe to some events to be notified by email. For instance when a review is assigned to him.

And this is also true in the ecosystem, here are two examples:

• a great effort made on the PHP plugin to resurrect it
• development of an extension for SAP ABAP

So after all this, what could be an exciting challenge for 2012 ? This is going to be the subject of my next post !

Sonar and Gradle Multi-Module Projects
By Gunnar Hillert, 13 January 2012
I love Sonar. It is a wonderful way to collect some metrics for your Java projects – hassle-free and wrapped in a sweet-looking UI. For Maven-based projects Sonar literally works out of the box. Just start up your Sonar instance (assuming you are using the default settings running on localhost) and then you simply fire it off using:

Measuring Code
By David Green, 2 January 2012
How good is your code? If you’re like the other 80% of above average developers, then I bet your code is pretty awesome. But are you sure? How can you tell? Or perhaps you’re working on a legacy code base – just how bad is the code? And is it getting better? Code metrics provide a way of measuring your code – some people love ‘em, but some hate ‘em.

Making a Business Case For Using Codehaus Sonar
By Chris Khoo, 6 January 2012
Augmenting the development process is often a hard sell – processes don’t contribute directly to company profits and there are financial and time costs (for integration and maintenance) to consider. Personally, I’m a firm believer in adopting processes on an as-needed basis rather than trying to build the ultimate workflow/process all at once.

Couverture des tests d’intégration avec JaCoCo, Maven et Sonar
By Jean-Christophe, 23 January 2012
Dans nos projets on rencontre souvent ce cas de figure : certaines portions de code se prêtent mal au test unitaire. Ce sont les interfaces graphiques, le code qui manipule des fichiers, les connexions réseaux… Cela peut poser problème lorsqu’on …

Continuous Integration and Testing
By John Dobie, 16 January 2012
How do you know if using code metrics really does help to produce code with fewer bugs.
I am convinced they do, but how can I possibly prove it? All projects have historic data. This is usually stored in your bug tracking and source code control tools. We can use the data stored in these systems to perform ‘code forensics.’ We use the historic data from real issues to see if they could have been avoided.

Extended search engine

The search engine will now return not only projects but also modules, package and files. A picture is worth a thousand words :

Add a review on any piece of code

Whenever a quality defect is detected “manually”, the person who detected it has the ability to inject a violation directly into Sonar:

The related violation is then displayed within the source code and will be accounted for in metrics after the next analysis of the project:

Action plans

Action plans can be created to group reviews together.

An action plan can be associated to each violation

And then it is possible to review progress in a widget of a dashboard

Hotpots 2.0

The previous release allowed to use hotspot widgets in its own dashboards (see Sonar 2.12 in screenshots). It’s now possible to customize, rename or even delete the default dashboard named “Hotspots”.

Time now to give a try to the new version and to read the installation or upgrade guides.