Serie of article about Sonar installation
By Jean-Pierre Fayolle, 7 April 2013
Jean-Pierre Fayolle continues his series of articles about Sonar installation with 5 new articles:
Install Sonar – The Sonar webap
Install Sonar – Sonar Runner
Install Sonar – First analysis with Sonar Runner
Install Sonar – Jenkins
Install Sonar – The Sonar Jenkins plugin

• creating filters that choose components and metrics to report on
• building your own widgets and dashboards
• selecting default dashboards displayed
• using the notification services and stay tuned

To start customizing Sonar, you first need to log in.

Creating Your Own Filters

The mesures service located in the top navigation bar enables to choose which components you wish to retrieve and which measures you want to display for these components. Once you have chosen these criteria, you will get what we call a filter. A filter can be saved, updated… Filters are fully compatible with differential services, so you can display variations as well.

We will see later on how to display a filter in a dashboard. See the Measures Service documentation page to learn more on filters.

Building Your Own Dashboards

To make sure you maximize value in Sonar, you have the ability to create your own dashboards and select the widgets they display. Two types of dashboard are available:

• Projects dashboards: to display quality indicators on a component such as a Project, a View or a Developer. Once you create such dashboard, it will be available to any component.
• Global dashboards: to mix any information on different projects. A global dashboard will only be available on the home page. You can look at Nemo for an example.

To create a new dashboard, you can use the Manage Dashboard link from the home page (for a global dashboard) or from a project page (for a project dashboard). Once the dashboard is created, you can then configure by a drag & drop of widgets.

There are many available widgets, but to configure a widget that uses your own filter, you should pick the “Measure Filter as List” or “Measure Filter as Tremap” widgets and choose the filter you created.

Choose Default Dashboards

Now that you know how to customize Sonar for your own needs, you also might want to customize the default dashboard that anyone can see. Once you have created the dashboards you want to use by default, you will need to share them. Once they are shared, go to settings, configuration and Default Dashboards. You can pick from there what you want as default for global and project dashboards.

Subscribing to Notifications

Finally, to stay tuned, you can subscribe to notifications that you will receive by email. Go to YourUserName > My Profile and tick what you want to subscribe to in the Notifications section.

You may also want to receive a quality report on a regular basis. Thanks to the Report plugin, you can select which global dashboards you would like to receive by email as a PDF report and how often.

Time now to give it a try. Enjoy and give us feedback!

Code Quality Tools Review for 2013: Sonar, Findbugs, PMD and Checkstyle
By Adam Koblentz, 12 March 2013
When we released our Developer Productivity Report last year, it was the first time we asked our respondents about Code Quality Tools. Code quality tools fulfill a growing need, as our code bases become larger and more complex, and it’s important to try to automate your code checks as much as possible. They are pretty versatile and customizable, and typically they are integrated into your build process, but can also be run manually in a one-off fashion.

Dependency Inversion Principle
By Monte Wingle, 13 March 2013
This 20 minute video demo shows: How to install and start Sonar, A very simple java project with no dependency cycles, What creates a red mark (dependency cycle) on the Design page, A Sonar analysis showing the cycle, How to fix that red mark using the Dependency Inversion Principle, A final Sonar analysis showing a clean design page again with the functionality unchanged.

Install Sonar – Oracle Loopback Adapter
By Jean-Pierre Fayolle, 10 March 2013
We will discuss in this post how to install a Loopback Adapter needed to use Oracle on a standalone station, such as a laptop for example. The first thing to do is to check if you already have one on your machine.

Analyze a Web Dynpro Java project with Sonar
By Tobias Hofmann, 21 March 2013
Sonar offers two “basic” profiles to analyze a project. Sonar uses Findbugs to analyze not only the source code, but the binary version for violations and possible bugs too. “Sonar way” is looking at the source code. This allows for finding the most common violations with minimum effort. “Sonar way with Findbugs” also takes the CLASS files into consideration.

Install Sonar – Oracle user
By Jean-Pierre Fayolle, 25 March 2013
Today we will use this console to create an Oracle User that will allow us to have a SONAR schema in our database. If you did not keep the url of the Oracle console, no problem. You should have a Windows menu that allows to launch it. Note that you have as many consoles as databases installed, and a corresponding Windows service. We shall see at the end of this article how to disable it.

Can I still analyze my Java 5 project with Sonar?
Absolutely, you will still be able to analyze your Java 5 projects the very same way.

What is the reason for this?
There are 2 main reasons for doing this:

• Oracle stopped Java 5 support a long time ago and it is now time to move on for us
• This will enable us to benefit from many libraries or versions of libraries that only support a JVM 6

It also has nice side effects on the performances. For example, our parsers will run 20% faster when you move from Java 5 to Java 6.

Why did we back out last year?
We made an attempt last year, but encountered a couple of issues. The main one was that Sonar Jenkins plugin did not let you choose the JVM you want to use for the Sonar analysis – it had to be the same as the one configured for the job. This was fixed in version 2.0 of the plugin.

Can I still execute Sonar with a JVM 5?
You might be able to but we will only provide support if you use a JVM 6.

Please come on the user mailing list, should you have any question or wanted to discuss this further.

• Mapping of unit tests and covered code
• New rules on unit tests
• Extension of notifications scope
• Enhanced configuration of file exclusions
• Plugin group and dependencies in Update Center

Tracking of Unit Tests

With Sonar 3.5, it is now possible to answer the following questions:

• Which files are covered by a given unit test?
• How many lines of code are covered by a given unit test?
  
• Which lines are covered by a given unit test?
  
• Which tests do cover a given line of code?
  

This feature is language-agnostic but it is currently only available on Java projects executing JaCoCo.

New Rules on Unit Tests

Two new rules are available:

• Failed unit tests
• Skipped unit tests

Extension of Notifications Scope

Sonar 3.5 extends the scope of notifications. It is now possible to be notified when a new alert is raised. It is also possible to subscribe to notifications on specific projects.

Enhanced Configuration of Files Exclusions

• New inclusion properties (‘sonar.inclusions’ and ‘sonar.test.inclusions’) to specify which files to analyze
• New ‘sonar.cpd.exclusions’ property to exclude some files to be checked for duplications
• Support of inclusion/exclusion patterns by absolute path, for example ‘file:**/src/generated/java/**/*.java’

Plugins Groups and Dependencies in Update Center

• Support of plugins groups: for instance to install/upgrade all the C# plugins in a single click.
• Support of plugins dependencies: for instance to automatically install the required SCM Activity plugin when installing the Developer Cockpit plugin.

Note that this feature will fully be working when a new version of each plugin requiring groups and dependencies will be released.

Time now to let you download this new version to give it a try. But do not forget to read the installation or upgrade guide.

Through the eyes of sonar : Collections.
By Mestachs, 26 February 2013
After Exception handling, Immutable objects, Complexity, Naming and comments, let’s see what sonar can teach you about Collections.

Best practices of ABAP programming – Major defects
By Jean-Pierre Fayolle, 4 February 2013
We have seen previously SONAR ‘Blockers’ for ABAP, whose name indicates that any such violation cannot be tolerated, and ‘Critical’ defects, severe enough to require immediate correction, but for which an exception can be accepted, if it is very rigourosly justified. In our SONAR Quality Profile, ‘Blockers’ focus on anything that can stop a transaction or program and ‘Critical’ on programming practices that pose a risk to the performance.

Comparison of Findbugs, PMD and Checkstyle
By Markus Sprunck, 11 February 2013
The static code analysis tools Findbugs, PMD and Checkstyle are widely used in the Java development community. Each has an own purpose, strength and weaknesses. The following article compares the most important aspects and gives some recommendations for the introduction in your teams.

Sonar Analysis Using Gradle
By James Betteley, 21 February 2013
I’ve been experimenting with Gradle recently, and as part of the experiment, I wanted to get Sonar running and producing code metrics, including test coverage reports. I’m running the first release version of Gradle, so version 1.0.

Install Sonar
By Jean-Pierre Fayolle, 10 February 2013
A series of post about Sonar installation.

Cartography

This is our most ambitious project for the year and I should start by explaining what it is about. Behind this word, we group many features based on the dependencies between methods, attributes, classes, files, modules, projects, teams, departments… Here are the first use cases that we’ll cover:

• Cross-sources navigation: ability to click in the UI on a method call to see its declaration, on an identifier to see its declaration, to click on a COBOL COPY preprocessing directive to see its content, to click on a C function declaration to know where this function is used…
• Ability to find out which files include a C library file, a COBOL Copybook…

From there, we aim to provide the tooling to define and manage the architecture of an overall application portfolio. But I am talking about 2014 already…

Lines covered by one unit test

This is something we started to work on in January and that will be available with upcoming version 3.5. Here are the questions Sonar will be able to answer to:

• How many and which unit tests are covering this line of code?
• How many and which lines of code are covered by this unit test ?

Having this in place will also enable to create some new metrics on unit tests to better understand how “UNIT” they are. Indeed a test that covers a great number of lines of code should surely be considered more like an integration than an unit test. This feature will be first available on Java projects and of course with help of the JaCoCo coverage engine to which we actively contribute.

Issues

We currently hold 2 concepts in Sonar: Violations and Reviews. Those are going to be merged to become Issues. We will also add bulk change ability on issues. Last but not least, past and closed Issues won’t be purged anymore to track past activity.

C and C++ plugin take off

You might know that we already invested a lot of energy in those two C and C++ plugins and that we are going to merge them. From the beginning we really have had a long term vision on C/C++ and that’s why we started from the ground instead of “just” relying on external tools. But that means building a state-of-the-art C/C++ front-end (including a full preprocessor). We’re currently solving C++ ambiguities and from there we hope to be unstoppable on providing some new advanced C/C++ rules.

Java

To cover the Java language, we still rely a lot on Checkstyle and PMD. We want to migrate a substantial number of those rules onto our own technical stack (see SSLR). The objective for 2014 is to not rely anymore on Checkstyle and PMD to get full control of the stack and so to increase significantly the level of support we can provide: reduce the noise, ease migration on new java versions, …

Ability to track and review new code

With Sonar, it’s already possible to track the code coverage on new code and to track all new incoming violations, so what’s the missing puzzle piece ? The ability to track new code in order to manually review it. With this feature, Sonar is also becoming a standard code review tool (post-commit approach). From a release to another it will become possible with Sonar to make sure that 100% of the updated code has been reviewed/validated.

Sonar Eclipse, support of incremental local analysis

Last year, the Sonar Eclipse plugin was refactored to fully support local analysis. This year the goal is to make this local mode usable even with big projects by supporting incremental and differential analysis. In fact most of this logic is now centralized in the Sonar platform so we might imagine one day to do the same in Intellij IDEA…

SSLR, year of maturity ?

Last year we open sourced our code analysis technology to be able to reuse it in most of Sonar language plugins whether open source or commercial: Javascript, Python, Java, Erlang, Cobol, C, C++, Flex, C#, PL/I, PL/SQL… By the end of this year, SSLR should provide out-of-the-box the APIs to build a strongly typed AST, to support incremental parsing (required for instance to solve ambiguities in C/C++) and to enrich the AST with semantic information (symbolic table).
But the SonarSource Language team is also working hard on the API to make it really easy and fun to use and embed SSLR in any kind of java application outside of the Sonar ecosystem.

Did I forget anything? Hmm, maybe that we will develop an Objective-C and a RPG plugin.

See you in 1 year for the “Looking Back at 2013 Sonar Platform Accomplishments”!

Let’s start with a short version of this retrospective. Last year was made of:

• 6 releases of Sonar platform
• 200 releases of ecosystem products
• 65,000 downloads of Sonar
• 12,000+ messages on mailing lists

So I suppose, we can call this a pretty active year for the community. Now, the longer version:

The Plan

One year ago, we had the following ambitions :

Complete support of Continuous Inspection
We added the ability to:

• create a review at any place in the code
• change severity of a violation
• group reviews into an actions plan
• track project activity through widgets
• get notified in case of new violations on a project
• improve accuracy for new violation detection mechanism

We also provided the ability to create a Jira / Mantis / Trac issue from a violation as well as defining alerts on measures variations. What we did not develop yet is the ability to customize the workflow for reviews.

Developer Cockpit: now that developers have the ability to understand and continuously follow the quality of their application, it makes sense to provide them with a service that shows their own contribution to projects.

Done, through a commercial plugin.

Global / Governance dashboards: the platform already allows to customize project dashboards but there is currently no way to create global dashboards.

Done!

Open sourcing SonarSource code analysis technology: the objective is to use exactly the same technology stack in all language plugins, whether open source or close source.

Done!

Code Churn metrics: having an indication of the activity on code is another input to determine the priority of remediation activities.

We did not have time to work on this.

Language coverage
2012 was a prolific year for languages. Support for Python, Delphi, Erlang, PL/I, VB.NET, C++ (commercial) was added. Also, Flex and Javascript plugin were greatly improved with a new parser. The number of rules of the C plugin was drastically increased.

Various improvements

• Detection of cross-project duplications for all languages
• Support for authorization in the LDAP plugin
• Encryption in analysers of DB credentials

Done, done & done!

Beyond the Plan

Obviously, we did not plan for all upcoming innovations for the year. Here are three major features of Sonar that weren’t planned and that have been implemented:

• Measures Service
• Projects Comparison Service
• Overall Code Coverage

And this is also true in the ecosystem, here are four examples:

• New Japanese, Chinese and Portuguese bundles
• Widget labs
• OpenID integration
• Eclipse plugin 3.0 supports C++ and Python

So after all this, what could be an exciting challenge for 2013 ? This is going to be the subject of my next post !

Top 10 Lessons Learned from 2 Years Work with Codehaus Sonar
By Markus Sprunck, 11 January 2013
Two years ago we decided to use Sonar for a beginning Java Enterprise project in one of my teams. In the following you may read the top 10 lessons learned from introducing and working with Sonar in a medium size Java project over a period of two years.

Best practices of ABAP programming – The Blockers
By Jean-Pierre Fayolle, 21 January 2013
What are the defects most feared by most companies? What are the bad programming practices that pose the greatest risk to their business? What are the main concerns of the project leaders and stakeholders? In short, what are the pains in the ABAP world?

Best practices of ABAP programming – Critical defects
By Jean-Pierre Fayolle, 28 January 2013
We have seen in the previous post the most important violations to best practices of ABAP programming. These defects are ‘Blockers’: the code can not go into production until a correction is performed. No exception is permitted: zero tolerance, because the risk is too high to see a transaction aborted and the user unable to perform the desired treatment. We also set our Quality Profile ABAP in order to identify critical defects, these ones focusing on performance, which we will see in this article.

Un an dans le monde Java (French)
By Sébastien Dupire, 10 January 2013
L’an dernier, j’ai quitté l’ancienne boîte dans laquelle je travaillais sur Metz afin de rejoindre ma boîte actuelle située au Luxembourg. Avant, je faisais du PHP/MySQL, Javascript, du Python et plein d’autres choses comme de l’administration système et autres. Je regardais pas mal d’articles de Pythoniens qui aimaient bien troller au sujet de Java (quand ce n’était pas PHP), et cela a attisé ma curiosité. Qu’est ce qui peut faire que ce langage soit si mal aimé des utilisateurs de langages dynamiques alors que la plateforme Android qui était en plein boom, en faisait son langage de prédilection ?

Qualité de code, Sonar, La dette technique et SQALE en 5 minutes (French)
By Mikael Krok, 4 January 2013
L’ère des développeurs barbus enfermés dans une pièce noire travaillant seuls est maintenant révolue. Nous travaillons dans une industrie ou nous produisons un produit : notre logiciel. Il est composé de multiples parties – le code source, il est assemblé et testé au moyens de divers outils – IDE, mails, intégration continue et pour faire cela nous utilisons plusieurs systèmes de production – Test Driven Development, Scrum, Lean.

ABAP code extraction
By Jean-Pierre Fayolle, 9 December 2012
If you are a SAP specialist and have decided to follow our series of posts to find out how Sonar can help you improve the quality of ABAP code, then you know how to access the SAP Workbench and perform the installation of this extractor. If you already use Sonar but know nothing about SAP, do not worry: it is unlikely that you are given access to a Workbench, and a SAP administrator will take charge of this installation.

First analysis of ABAP code
By Jean-Pierre Fayolle, 16 December 2012
The first time I set up an analysis for a new technology, I will make a first test with some files which I am sure have no problem, because this code has already been tested and proven by Sonar, and is downloadable from this page: Sonar Project Examples. In this page you will find links to other pages in which navigate to search for different examples of projects. Or simply click on the link to download a compressed file.

Measures Service

A new Measures Service is now available to easily and quickly execute all kinds of queries on measures and save them as filters that can be displayed in widgets. This service is available for anonymous users.

Comparison Service

Sonar 3.4 provides a new service to compare projects or versions of projects:

Projects Menu

The layout has been improved and as part of this, a new ‘Projects’ menu is available. From there, it is possible to:

• Quickly come back to recently browsed projects:
  
• Access the list of projects, developers and views:
  

Alerts on Measure Variations

Before Sonar 3.4, it was possible to create alerts on measure values only. We have now added the ability to also configure alerts on variation of measures in order to cover cases such as:

• raising alerts when new blocker violations are introduced
• raising alerts when new violations have not been reviewed
• raising alerts when the coverage on new code is below a certain threshold
• …



New Home Page

The default home page has changed to help new users getting started:


Time now to let you download this new version to give it a try. But do not forget to read the installation or upgrade guide.

]]> http://www.sonarsource.org/sonar-3-4-in-screenshots/feed/ 0 http://www.sonarsource.org/sonar-3-4-in-screenshots/