SonarQube - Static Code Analysis | AR Shankar | Skillshare

SonarQube - Static Code Analysis

AR Shankar

Lessons in This Class

5 Lessons (1h 14m)
    • 1. SonarQube Introduction

    • 2. SonarQube Installation

    • 3. SonarQube Console Overview

    • 4. Sonarqube setup with PostgreSQL

    • 5. SonarQube Integration with Jenkins

About This Class

This course teaches how to do code quality checks on Java code. In this course I have explained:

1. SonarQube overview

2. Setup SonarQube

3. How to enable Rules, Quality Profiles, Quality Gates.

4. How to integrate SonarQube with Jenkins 

Meet Your Teacher

AR Shankar


1. SonarQube Introduction: Hey guys, in this lecture we are going to see what SonarQube is, what the advantages of using SonarQube are, and at last, how to set up SonarQube. To understand SonarQube better, let's jump into the development phase. In the development phase, developers write the code. Once they have written the code, we need to validate whether they have written quality code or not.

Quality code is nothing but this: we need to check whether it is bug-free code or not. Is it secure or not secure? That is, it is not exposed to any security vulnerabilities or problems. Duplication is avoided: sometimes we may write repeated code; instead of that, we can write it once and use that functionality in other places. We can call it reusability. Then, tested properly: whatever code you have written, have you tested it properly? Then complex code: have you written any complex code? If so, it will be very difficult in case of any problems, or if somebody wants to understand your code; they will take a much longer time, and sometimes it may lead to confusion. And easy to integrate with others' code: maybe you are working with a group of people in your team, and then you need to integrate your code with their code. In these cases, it should not create problems.

Apart from these, you can do some other checks to validate your code quality. But all these, who can do them? That is where peer review comes into the picture. Maybe you can ask your colleague who is good at writing programs to review whatever you are writing, and he may suggest some better comments on your code. But if you are writing lengthy programs, reviewing manually is quite a tedious task. So we need some kind of automation which can help us review our code quality. That is where static code analysis comes into the picture.
By using static code analysis, you can improve the code quality, and it also saves a lot of your time and effort. So now let's understand which static code analysis tools are available in the market. I have just listed some of the code quality or code analysis tools: SonarQube, clarity, Rex's re-record court sense. These are some of the code quality analysis tools; among these, SonarQube is one of the static code analysis or code quality tools.

Now, what are the advantages of using SonarQube? The major advantage of using SonarQube is that it is a quality management tool. What do you mean by quality management? Apart from the code analysis, it also gathers the reports of the various tests you are doing, maybe unit testing reports, code coverage reports, and a few other things. It collects them and displays them in the GUI in a very nice, understandable format. If you see here, the quality gate is passed. How many bugs you have, vulnerabilities, code smells, duplications: that kind of information is displayed here, so it is quite easy for us to understand where we can improve.

Now, let's understand the components of SonarQube. There are three major components in the SonarQube server. First thing, rules. Rules are nothing but instructions which you need to follow while writing your code. There are some best practices, right? Those are converted into rules and kept there. There are many default rules which come along with your SonarQube installation, so you can run those rules. Next, the database. You have rules, and these rules are run on your source code. Once that is done, you get your analysis report. That analysis report needs to be stored in a database. That is the reason that, whenever you install SonarQube, you get a database as well. Next, the web interface: once your analysis reports are stored in the database, through the web interface you can see and understand them easily. These are the major components.
Apart from this, we have Elasticsearch, which helps to search the required data from your SonarQube database. Next thing, SonarScanner. SonarScanner is a service or agent which runs on the system where the code exists. Let's take that you have your Java code, and now you want to gather the report of your Java code. In that case, you need to install SonarScanner on the system where the source code exists and run the scan. Once it runs the scan, it gathers the report and that gets published to SonarQube. How it gets published, I will discuss in a while. Next thing: wherever you have your SonarScanner, you should have the source code; that you need to remember. Next, SonarScanner can run and generate reports for quite a few different languages. Want to know the list of the languages which are supported by SonarQube and SonarScanner? Let's jump into the SonarQube website and check it out. You can see here, this is the SonarQube official website. If you scroll down, it supports 27 programming languages. And if you want to see them in detail, you can see here: these are the languages which are supported by SonarQube. It is able to generate a code quality report for any of these programs. All right, let's go back.

Next we will see how the communication happens between SonarQube and SonarScanner. Let's take this: this is your developer system or server where your source code exists, and we want to run SonarScanner here, so we must install SonarScanner here. This is the SonarQube server where we have the database, and just think of this as the web interface. First step: SonarScanner collects the required information from the source code. In this case your source code should have the sonar-scanner.properties file; it will have some of the information that the scanner is going to collect. If it doesn't have the sonar scanner file, you should generate one.
That is the first step. The second step is that it gathers the applicable rules. Let's take that it is a Java program. How does it know? Because the sonar scanner file will have that information. Now SonarScanner pulls the rules which are applicable for Java. In the next step it generates the reports: the scanner runs the rules on the source code and generates your report, like any bugs, security problems, code coverage issues; that kind of thing it runs, and it generates a report. This report, with the help of SonarQube, is stored in your database. Once it is stored in your database, through the graphical user interface we can see visual diagrams or visual reports, which are easy for us to understand. That is how SonarQube and SonarScanner work together to generate the reports. Now let's go and set up the SonarQube server. To set up the SonarQube server I have created a list of the steps in my GitHub account. Let's go and have a look.

2. SonarQube Installation: This is my GitHub repository. I'm going to share this URL in the description of the video. You can go and check it out. Here you can see a directory called SonarQube. If you go inside, I have a couple of files to set up SonarQube; you can choose this option. Here I mentioned the prerequisites and the installation steps. As part of the prerequisites, we need an EC2 instance with 2 GB RAM, so a t2.small instance is capable of handling our SonarQube. The same thing is mentioned in the SonarQube documentation. Maybe you can open the SonarQube documentation here. Here you have the hardware requirements, and if you see, the SonarQube server requires at least 2 GB of RAM to run efficiently and 1 GB of free RAM for the OS. Anyway, I tried with the 2 GB system and it is working fine. Another thing which we need to notice is the supported platforms.
And if you see Java: we should install Java, because SonarQube is developed in Java. If you are using the Oracle JRE, then on the server side we should go with 11, and for the scanners also 11. Similarly, with OpenJDK we need 11. We need to install OpenJDK 11 before setting up SonarQube. All right, now let's go back, and you can see here I already mentioned these two. Next thing, we need a SonarQube user. Why? Because SonarQube cannot be run as root on Unix-based systems, so create a dedicated user account for SonarQube if necessary. This is what we are going to do: we can create a sonar admin user, which is capable of handling our SonarQube.

Next, to download SonarQube, you can use this URL to download the latest version. I'm just opening it in a new window. And if you see here, we have different editions. You can go to the SonarQube official website; this is under the download option. Here you can see all the editions. The Community edition is free and open source; we can use this one without any issue. But if you want to go with the Developer or Enterprise edition, we must go with the free plan so you can use it. This is the latest version, I can say nine dot-dot-dot No.1. But if you want to go with the LTS, which is nothing but the long-term support or stable version, we should go with the eight dot, dot, dot, and we can download it from here.

All right, next thing: once we have downloaded it, just unzip it and change the ownership to the sonar user. In our case, we are going to create sonar admin; to him we are going to grant access to this /opt, because I'm going to download it into the /opt SonarQube directory. Once that is done, we should start it as that user. That's it. After that, we can access it from the browser. All right, so to start with that, we need an EC2 instance with minimum of 20 GB RAM.
I have already launched a server and named it SonarQube, and it just now came up. Another thing: if you go to the security group, we have opened port number 9000. You must open this port to access SonarQube from the browser. Now, let's connect to the system. I'm just copying it. Session, SSH, and I'm loading my DevOps key, ec2-user. Okay, so I have logged into my system, and we need to install Java, right? And also we need to do some setup. That's the reason I'm switching to root and clearing the screen.

First thing, we should install Java. Let's see whether Java is installed or not. Okay, there is no Java installed so far. Now I can install Java. To do that, yum list; we are going to install OpenJDK. We need OpenJDK 11, but let's see what options are available. We have Java 7 OpenJDK, Java 8, but we need Java 11. For that, we can use the Amazon distribution: amazon-linux-extras. And you can see the list of the packages which are available here. We are looking for Java OpenJDK 11; this is what I would like to install. So we can give amazon-linux-extras install java-openjdk11. That's it. It may take a while to install. Let's wait. All right, our Java installation is successful. Now let me check java -version. Okay, this time it is showing 11 dot-dot-dot. All right.

Next thing, we need to download the packages. For that, I'm going to the /opt directory. I don't have anything here. To download the packages: wget, and go to the documentation; here you will have the latest versions. You can directly go here. I'm going to take the long-term support version: right-click and copy link address, so that we can copy the link and paste it here. And you can see here it is downloading SonarQube eight dot one, dot two.
Again, it may take a while. The download is successful; if I check the files, yes, you can see here SonarQube dot nine dot two. Let's extract it. For that, unzip, because it is a zip file, so I'm using unzip. Unzip is successful. Now let's go into SonarQube. If I check, there are multiple files. Among these, if you go to the conf directory, in the conf directory we have a file called sonar.properties. If you are using anything apart from the default settings, then you need to update this sonar.properties file.

Let me open this one and run through some of the important parameters. Among these, the sonar.jdbc username and password: these are for databases. If you want to connect to a database which is running on another system, you need to enable them. Next thing is Oracle. If you are running the database independently, then according to the database you are using, you need to enable it. In the next lecture I'm going to show you how to use PostgreSQL; we need to enable this. Apart from these, if you are using Microsoft SQL Server, you can enable it like this. You have different parameters. You can even see here the SonarQube port; it is 9000. If you wish to change from 9000 to something else, you can change it. This is the SonarQube web host: from where you need to access it, you can restrict that. Such options are customizable in the sonar.properties file. It is a bit of an advanced topic, so I'm skipping it at this moment.

Let's go back. If I check again, there is a bin directory. Under bin, you can find the different operating systems it supports: macOS, Windows, Linux. In our case we are looking for Linux; go inside Linux. Here we have a file called sonar.sh. This is what we need to start. So to start, with ./sonar, we should go and start.
If you don't provide anything, it will give you the list of options which you can input with this one. But anyway, we should run it as another user, because the root user is not allowed to start it, since Elasticsearch works only with a non-root user. If you want to try it out, we can just try it. Let's see what will happen. It is saying that it is started, but we'll check the status. Now you can see here it got stopped again. That's the problem: it is not working with the root user. If you want to see what exactly the error is, you have a log file here. If you go here, pwd, under the SonarQube directory, there is a logs directory. Under logs you have your log file. I'm just exploring this log file, and you can see the error explicitly: cannot run Elasticsearch as root. That is the error it is triggering.

So we must create a non-root user. For that, I'm going to create a new user: useradd sonar admin. Next, I need to give ownership of /opt SonarQube, because we have the sonar.sh file over there; without privilege, we cannot start it as sonar admin. So what I will do, see here: chown -R sonaradmin:sonaradmin /opt is glass, so on. Okay, now we have changed the ownership. If you check, cd into the same directory, and if I do ll, now you can see all are owned by this SonarQube user; if you see, earlier it was owned by the root user.

All right, now let's switch to our sonar user: su sonar admin. And let's jump back to /opt SonarQube. Then cd bin, then linux. Here we have sonar.sh. Then ./sonar.sh start. This is how we can start. Now let's check the status. Okay, it is running fine. Another thing you can check is on which port your SonarQube is working: netstat, sorry, minus T, U, N, P and K. This is the command to check it.
And if you see here, port 9000 is opened and it is run by a Java application. Now let's try to access our SonarQube from the browser. Port 9000 is ready. We can provide the credentials; the default credentials for SonarQube are admin and admin. All right. On the first login, it will ask us to change the password. I'm just changing the password. Once we have changed the password, we are successfully logged into the GUI of SonarQube. This is our GUI, and you can see there are various options here. In the next lecture, I will quickly run through what all these options are and how we can use them. That's all for this lecture. Thanks for watching and see you in the next lecture.

3. SonarQube Console Overview: Hey guys, welcome back. In the previous lecture we saw what SonarQube is and how to set up SonarQube. In this lecture, we are going to get an overview of the SonarQube console. If you see here, the Projects tab: here you can create a new project. This console fills up if we are running reports, but so far we haven't run any reports; that's the reason you are not able to see anything. But if you want to add a project, you can add it manually by choosing this option. You can also integrate it with other source code management tools, but let it be manual for this time. If you choose manually, it will ask for the project key; I'm going to give the project key here as Maven. And set up. Whenever you set up, it will ask you to provide a token. You can choose some name for your token, so I'm giving the same name, Maven project, and generate. So now we have generated the token. By using this token, we can authenticate to our SonarQube. You can use this one in Jenkins or a Maven system, and it will get authenticated. Now, if you want to be more specific about that, you can just click on Continue. Then it will list out what all options you can choose.
Let's say that I'm integrating it with Maven. So choose this option. It will give you the list of steps which you need to follow. If I execute this one, I can directly communicate with my SonarQube from my Jenkins, because it has the project key, the host name of our SonarQube, and also the login credentials. The key is nothing but a credential, so you need to keep it in a secure way whenever you are using it. That is one thing. Now, once this is done, you can see Issues. So far we haven't run any analysis, so there are no issues. Once you start running the projects, you can see the issues which are found with that specific project. Usually developers come here once their code analysis is done, and they try to fix the issues which are triggered here. I will show you that as well.

Next, Rules. As we discussed previously, rules are nothing but instructions of your best practices. SonarQube supports various languages, and for each language some predefined rules are enabled here. If you see Java, we have 639 rules. Similarly, C# has a 100 plus, JavaScript or TypeScript like that; depending upon the language, it has some predefined set of rules. These rules we can use to create quality profiles.

Now, what do you mean by a quality profile? It is a collection of rules. Let's take that you have your Java application and you want to apply all these rules: you can create a quality profile with all these rules. But by default it will have some quality profiles. If you see here, for C# we have a quality profile, CSS, Flex, Go, HTML, JSP, Java. We will concentrate on Java, but before that, if you go to C#, you can see here Sonar way; this is the profile name. Projects: it is the default, which is nothing but that by default it will be applicable. You can change these projects, like applying this profile only to specific projects; however you want, you can design it.
And the rules: if you see, in C# we have how many rules? For not one rules, but if you see the quality profile, 253; not all rules are enabled in the default C# quality profile, so they are ignoring some of these rules. And when it was updated: 16 minutes ago; when it was used: never. This is how you come to know. Similarly, in Java we have around 600 plus, right? Among these, you can see here only 452 are used in the Sonar way built-in default profile. That is how we can check it.

If you wish to create your own profile, you can choose this option. By choosing this option, you can create your own profile. I'm giving it a name like Maven profile. And this is not for C#; I'm giving it for Java. Next, create. I have just created a new quality profile. Here you can see how many rules you have activated in this profile. There are different rules: bugs, vulnerabilities, code smells, security hotspots; for these things they have written rules. At this moment I haven't activated any rule in this quality profile which I just created. So inactive: these many are inactive. If I want to add rules to my quality profile, I can choose this option, Activate More. And you can see here, Activate; I'm using this one. Activated. Again, I'm choosing this one. While choosing, you can choose the severity also: what kind of issue it is, how I can treat it. If it is not a major issue for this project, then I can make it minor. This is where you can activate it. So far I have only activated two, right? I can even activate them all together in one go. This is the option. Before activating, if I go here, now you can see under Java you have your Maven profile, and at this moment only two rules are enabled. If I click on this and Activate More, I can choose all of them. Activating on Maven profile, apply.
Among these, some may get skipped; yes, a couple of rules got skipped, but anyway, most of the rules are added to my quality profile. If you see, so far 633 have been added here. Now assume that I want to make it the default profile; then I can choose here. You can see here, Set as Default, so that from next time onwards, whenever we run a new Java program for analysis, it is going to take this quality profile. That is about quality profiles.

Next thing is quality gates. Let's take that you have run this quality profile, Maven profile. On your code you found around 100 bugs by running this one. Now this quality gate, what does it do? How many bugs are there? If these bugs reach the threshold value, then you can decide whether your work is passing or failing. Passing is nothing but that the quality is good. Failing is nothing but that the quality is not up to the mark; that is the meaning. So in SonarQube, we can decide whether the quality is good or not. Let's take code coverage. If you see here, if code coverage is less than 80 percent, I'm not going to treat it as passed, which means that the quality of the code is not good. Similarly duplicated lines: if duplicated lines are more than 3%, I will treat it as not good code. Maintainability, reusability, security hotspots, like that. Different things you can activate. Based on this, we can decide whether our code is good or not. Again, these values may vary based on the project and SCDs.

If you want to create your own, you can create your own quality gate by choosing this option. Let's take demo project. So I have created a new quality gate named demo project, and I can add conditions here. Condition: coverage; how much percent it is, I will mention 90 percent. So 90 percent code coverage has to be there.
So whatever test cases they have written should cover 90% of the code. Otherwise, I will treat it as failed. How does code coverage work? Let's take that you have written 100 lines of code and your tests are checking only 70 lines of code; then I can say that code coverage is only 70 percent. If your test cases are covering around 95 percent of the lines, then I can say the code coverage is 95 percent. Next, another thing: I'm going to add bugs, duplicated lines, issues. Critical issues should not be more than 10; if critical issues are more than 10, I will treat it as not good code. Like this, you can add your own quality profiles, and you can even make these the default. You can see here, Set as Default. So it is going to take this as the quality gate.

Next, Administration. There are various options here. Security: you can even create users here. Projects: if you want to delete some projects and do some activity, all that can be done here. That is how it works.

All right, now what we'll do: we will try to run one project here and see the analysis report. For that I need a Maven server. Let me quickly set up a Maven server and come back. I have just set up a Maven server and logged in here. Let me go to /opt and run mvn -version. If you check, you can see it is three dot-dot-dot. And this is my Maven server. All right. Next thing, I'm going to clone one project: git clone from my GitHub repository. Let's go to GitHub. Hello world: I'm taking this project. Let me clone it. Git is not there. So let me clone it again. All right, the code is cloned onto my system. Now we need to generate the analysis report or code quality report of this Hello World program. For that, if you remember, in our previous lecture we were saying that we need SonarScanner.
But if you have Maven, you don't need to explicitly install SonarScanner. It comes by default, so you can execute the SonarScanner or SonarQube goal in your Maven command; it works fine. You don't need to explicitly maintain that. Let's grab that command. If you remember, while creating the project we could see it; the same way we can grab it. This is our SonarQube. We have to note the token of the Maven project. So I'm going to create a new one; before creating, you can even delete the old one. To delete, you need to go to Administration and Projects Management. You can select the existing project and delete it, here. Once you have deleted it, you can create a new project, or else go to the homepage and create your project, or add a project manually. Then I'm going to name it Hello World. I just named it Hello World project, set it up, and Hello World project, generate. So now we have generated the token, but I want to get the command as well. For that, just choose Maven and you will get the command. This is what you need to execute in your project.

Now I have my project here, and here I can run my command. So I'm just copying the command which I have just taken. Let's execute and see what happens. Okay, it is running, but we are not doing a build here, because if you see here, we have just run sonar:sonar; there is no build. We need to add package if we need the build. This is the first time we are running it; that is the reason it is pulling the dependency packages. Okay, it's running the sonar scan now. All right, it has run successfully. And you can see here, you can access the analysis report from here. If you scroll up a little bit, you can see the quality profile as well.
If you see here, the quality profile for Java is Sonar way. It also has some JSP code and XML code; that is the reason it is running those quality profiles. If you want to change it to something else, we can change it, but that's okay. Let's jump into our SonarQube and we'll see; yes, the new code has come. If I click here, bugs are 0, code smells are two. If you want to see the detailed report, you can find it here. Two smells are there; there are no bugs in this code.

Now I will change my quality profile to another one. So, Maven project, and just making it the default. And I will rerun this code. While rerunning, I will add the build option as well. I'm just using the same credentials. I can do clean, clean package, and also the sonar goal we are running. This time compilation and build are also going to happen. All right, build successful, and this time the build also happened. If we see the quality profile, it should have executed Maven profile, right? You can see here Maven profile has been executed, because we made it the default.

Now let's go and see the report in SonarQube. You can see here a vulnerability this time has been added, because we are doing more tests this time. And overall, if I see, 11 vulnerabilities are there and 18 code smells; this time it is more. If you see the date, three minutes ago it was started and executed. That is how we can change our quality profiles, and I can also make it fail. How? If code smells are less than 20, I can make it failed as well. If you want to know more details, you can go to Issues. Here it displays each issue, what the issue is. So the developers come here and identify the bugs or critical issues, all that, and they act on them based on priority. That's how it works. That's all for this video.
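The quality gate conditions described in this lesson (coverage below 90 percent fails, more than 10 critical issues fails, more than 3 percent duplicated lines fails, and the "code smells less than 20" condition used to force a failure) can be sketched as follows. This is an added example, not code from the course or from SonarQube; the function and class names are this example's own, the measures are constructed, and skipping a condition that has no measure is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Condition:
    metric: str       # SonarQube metric key, e.g. "coverage"
    comparator: str   # "LT": fail when value < threshold; "GT": fail when value > threshold
    threshold: float


def coverage_percent(covered_lines: int, lines_to_cover: int) -> Optional[float]:
    """Line coverage as the lecture computes it: covered lines / lines to cover."""
    if lines_to_cover <= 0:
        return None  # nothing to cover, so there is no coverage value to judge
    return round(100.0 * covered_lines / lines_to_cover, 1)


def evaluate_gate(conditions: List[Condition],
                  measures: Dict[str, Optional[float]]) -> Tuple[str, list]:
    """Return (gate status, per-condition results) for one analysis."""
    results = []
    for cond in conditions:
        value = measures.get(cond.metric)
        if value is None:
            # Assumption of this example: a condition without a measure
            # is reported but does not fail the gate.
            results.append((cond.metric, None, "NO_VALUE"))
            continue
        if cond.comparator == "LT":
            failed = value < cond.threshold
        elif cond.comparator == "GT":
            failed = value > cond.threshold
        else:
            raise ValueError(f"unknown comparator {cond.comparator!r}")
        results.append((cond.metric, value, "ERROR" if failed else "OK"))
    status = "ERROR" if any(s == "ERROR" for _, _, s in results) else "OK"
    return status, results


# Gate built from the thresholds mentioned in the lecture.
DEMO_GATE = [
    Condition("coverage", "LT", 90.0),
    Condition("critical_violations", "GT", 10),
    Condition("duplicated_lines_density", "GT", 3.0),
]

# Constructed measures for two analyses (not taken from the course project).
SCAN_LOW_COVERAGE = {
    "coverage": coverage_percent(70, 100),  # 70 of 100 lines tested
    "critical_violations": 4,
    "duplicated_lines_density": 1.2,
}
SCAN_ON_THE_BOUNDARY = {
    "coverage": 95.0,
    "critical_violations": 10,        # "more than 10" fails, exactly 10 passes
    "duplicated_lines_density": 3.0,  # "more than 3%" fails, exactly 3% passes
}

if __name__ == "__main__":
    for name, scan in (("low coverage", SCAN_LOW_COVERAGE),
                       ("boundary values", SCAN_ON_THE_BOUNDARY)):
        status, results = evaluate_gate(DEMO_GATE, scan)
        print(name, "->", status)
        for metric, value, outcome in results:
            print(f"  {metric}: {value} [{outcome}]")
```

The comparator direction decides what a threshold means: a "less than 20" condition on code smells fails an analysis with 18 smells, which is why it works as a way to force a failed gate.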
Thanks for watching. I hope you found this video valuable.

4. Sonarqube setup with PostgreSQL: Hey guys, welcome back. In previous lectures we have seen what SonarQube is and how to install SonarQube, and next, understanding the SonarQube GUI. In this lecture, again, I'm going to show you how to install SonarQube, but in a slightly different way, because whenever you install SonarQube, by default it uses the default H2 database. In this case I'm going to create the database separately, because in production-ready environments that is how we need to set it up. I have already done a similar kind of video for the older SonarQube version 6 dot txt. But now they have made some changes and they have dropped the support for MySQL databases; that is the reason I'm creating this document once again. At this moment SonarQube supports only Microsoft SQL Server, Oracle and PostgreSQL databases. So in this case, we are going to see how to set up SonarQube with PostgreSQL. These are the instructions which we need to follow.

But before that: I have already explained this diagram in our previous lecture, but let me quickly explain. There is a SonarScanner. SonarScanner is a kind of agent for your SonarQube server, and it resides on the system where you have your source code. It runs the analysis on the source code and generates a report. This report is shared with SonarQube and it is stored in the database. Whenever you want to retrieve that data, you use search services like Elasticsearch to retrieve the data in the web server; that is how it works. So the major components here are a web server, Elasticsearch and the database. These are the three major components we have in SonarQube. Now we are going to use these two as one server.
We can set up these two in one server and this one in a separate system. But for this demo I'm setting up all of these in the same system. However, I'm going to install the database separately and install SonarQube separately, and we'll integrate the two. That is what I'm going to do. Next, there are some system requirements which we need to follow, and also some steps we need to follow which are not mentioned in this document. So with all those steps, I created a separate document in my GitHub repository called DevOps. If you go here, you see SonarQube with the database; in this document I kept all the steps. And there is one more document, that is, setup SonarQube with the inbuilt database. Okay, anyway, we have covered that in the previous lectures. Now it's time to cover this one. Let's go inside. I have listed all the steps which we need to follow. The first thing is the prerequisites. We need an EC2 instance. This time we are going to use an Ubuntu system with t2.small, because we need 2 GB RAM minimum. Next, install Java 11. To install Java 11, we can use these steps. First we need to update. Then we can check for the OpenJDK and install OpenJDK. Next, these steps I have copied from the PostgreSQL official website. These are the steps to install the Postgres database. Okay, this is to add the repository and key. Once that is done, we can install the Postgres database. After that, we should create a password for the user. Whenever we install the database, it creates a user called postgres, and we are setting up the password for that.
After that, we need to create a database and a database user, to whom we are going to grant access to the database. In this case, we are creating sonarqube as the database and sonar as the database user. After that, we need to restart our PostgreSQL service so that it takes effect. Next, PostgreSQL is going to run on port 5432. You can check it by using netstat -tulpn. If it is not working, use this command to install netstat. After that, the remaining steps I have copied from the SonarQube official documentation. We need to do some system configuration changes, that is, /etc/sysctl.conf; these are the number of files, ulimits and so on. And also we need to add the limits. Once this is done, we need to reboot our system for it to take effect; it is not going to take effect immediately. After this, the procedure is to download SonarQube and set it up. These are the steps to download it. I was discussing the sonar.properties file in our previous lecture, where we need to update the username and password and some other information. And this one talks about the database. If you have your database on the local system, you can use localhost. If it is on another system, you need to specify the other system with the port number so that it is able to connect to the database. Alright, after that, to run SonarQube as a service, this is the file we need to create. It is an extra step, I can say; otherwise you need to go to this location and execute it. One more thing we need to concentrate on: if we download it under /opt and do not rename it to sonarqube, it doesn't work as expected. Maybe I will explain while doing it. Okay, but for now let it be.
At last, what we need to do is give ownership of our SonarQube directory to the sonar user, because we should not run the SonarQube service as the root user. That is what we were told, and we encountered an issue with Elasticsearch as well when we were doing the SonarQube setup in our previous lectures. Okay, at last we are going to reload and start the SonarQube service. So for this we need an EC2 instance, that too an Ubuntu system, because the steps which we are following here belong to the Ubuntu operating system. So let's go here and start setting up our system. I'm choosing the Ubuntu system. And this time it is T2, because we are going to use it for SonarQube, and it requires 2 GB RAM. And a name: SonarQube. Okay, there could be another server with the SonarQube name. And select the security group. Not this one. Yep, SonarQube server, and launch it. Alright, it may take a while. In the meantime I will show you this. In case you encounter any issue while following the steps, you just need to cross-check these: you should open port number 9000 in the security group, which I have already done; start the SonarQube service as the sonar user (in this case sonar is the user); use the correct database credentials in sonar.properties; and use an instance which has at least 2 GB of RAM. Alright, I hope the system is ready by this time. Let's connect to the system. Copy the public IP. And yes, SSH. Let me load the key pair. Okay, the username is ubuntu, since it is an Ubuntu system. Alright, I have connected to the system; clear the screen. Let me become root because we are doing administrative activities, and go back to our documentation. We need to install Java. Before installing Java, this is to update. Alright, the update is completed.
Now I'm going to install Java. apt list will show you, I think, all the packages; out of these, we are going to grep for Java, openjdk. Okay, openjdk-11. Yep, openjdk-11. Among these, we are going to use the OpenJDK 11 JDK. JDK is nothing but the Java Development Kit. Usually it is necessary if you are doing development, but for us the JRE is sufficient. However, if you install the JDK, it automatically brings the JRE as well. So let's install the JDK: apt install. Alright, the Java installation is completed, and the next thing is we need to install PostgreSQL. So let's go back; these are the steps to install PostgreSQL. The first thing is we are adding the repository, then adding the key; next we are updating our system with the latest files, then installing PostgreSQL. Okay, let's copy it, go to the system and install it. systemctl status postgresql. Okay, it is active now. The next thing is we need to create a database for SonarQube. Before that, we need to look at the user which is created by the Postgres database, that is postgres, and I'm going to set up the password for this postgres user. I have given DevOps@123 as the password. Now the password has been updated. Let's switch to the postgres user. Now we are going to create a database user. The database user can be anything; in this case I'm using sonar. Okay, createuser. So as a database user, I'm creating a user, that is sonar. Once you have created it, you can switch to psql to jump into the database. And here we need to create a table and grant ownership to the sonar user.
So what does it mean? The first thing: we are adding sonar as the admin user at the database level. We are giving the password for sonar, the DB user, as admin, and that is encrypted. Next we are creating a database as sonarqube, and the owner is sonar. Next, we are going to grant all privileges on the sonarqube database to the sonar scan... sorry, sonar user. Okay, that is the meaning. Let's copy this and create the database. Okay, I think it got copied a couple of times; anyway, we have granted access. That's it. Next, we just need to restart our server... not the server, sorry. We just need to restart our Postgres database, so we need to restart PostgreSQL. Oops, not here; I need to come out of the database. And the restart: not as the postgres user, we need to run it as the root user. Okay, we just restarted it. Now if I check the status, okay, it is running. Let's go back. The next thing is we need to do some operating system level modifications. Yeah, one last thing: we need to check whether it is running on port number 5432 or not. The only thing is netstat -tulpn. Okay, if it is not working, it clearly gives the instruction: by using this one, you can install the netstat command. Next, rerun the same command. Now you can see your database on 5432; it is running. So PostgreSQL is running on 5432. Alright, next we are going to do some operating system level changes. So we just need to copy it. And if you want to know more about it, just copy this URL, and you can see all the requirements over here.
The hardware requirement is 2 GB, and Java 11 is required. And if you scroll down, you can see here that you can set these dynamically. However, we need to keep them permanent. That's the reason I'm updating them in the file under /etc. Similarly with the limits; I'm updating those in this file. Alright, let's go and do that. vi... sorry, here. This is the file. Shift+G; I'm going to the end of the file and into insert mode. Now copy the values. In a similar way, we are going to update the limits file: vi /etc/security/limits.conf, Shift+G, go to the end, and copy the values which we need to update, save this file, and that's it. To make it take effect, we need to reboot. So init 6; I'm giving init 6 as the command. Or whatever, even reboot could also work; it depends on the Linux operating system. Once our system is up, we are going to set up SonarQube. In the meantime, you can download SonarQube from here. If you click over here, I think I have already explained in our previous lectures that we have different editions. We are going with the Community Edition because it is free and open source. The remaining ones you can still use by enabling the free trial. This is the LTS version, long-term support. So we are going to use the long-term support one. Sorry, cancel. I will just copy the link to my clipboard. Let's go back; I think the system might be up by this time. It's still coming up. So, it's up now. Let me become root again. Clear the screen and cd /opt. So far, under /opt, nothing is there. So wget and that link. It's downloaded; extract it with unzip: unzip sonarqube. Okay, unzip is not installed. Unzip again. And I'm going to rename it. This is what we are going to talk about. Okay, let it be for now, and let's go here. Now we need to update the SonarQube JDBC user, that is, the username and password.
And let's go and connect to the system; we need to update that under the conf directory. Here we have sonar.properties; just edit it. By default all the parameters are commented out, so I'm uncommenting this. The username we created is sonar, right? And the password is admin, okay? If you remember, that information we specified over here: create user, this is the database user and password. Once that is done, we need to update these parameters: the JDBC URL. This is where we need to specify our database. And if you come down a little bit, you can see here PostgreSQL. PostgreSQL 9.3 or later; PostgreSQL 9.3 or greater is what we should use. Anyway, we are using that one; I missed showing you that. But anyway, you just need to uncomment it. Another thing is our database is located on our local system; that is the reason we need to specify localhost. If it is on another system, we need to specify the IP address of the other system. That is the only change. And this currentSchema is not required; just up to sonarqube is sufficient. And one last thing, this is MySQL. Let me search for one last parameter, that is sonar.search. Okay. This is where we need to do it. And that's it. Now let's save this file. What I have done is, in our SonarQube properties, instead of using the default database, it will go and connect to the database which we just created. That's it. Once that is done, we want to add SonarQube as a service. For that, we need to execute this one. We already have the cat command, so it is going to create this file and add this content to the file. That's what I'm going to do. Before that, let me check this. Okay, this file doesn't exist, and I'm creating it in one shot. Okay, now this file has been created and the content has been added.
And if you look at the content, we are starting it as the sonar user, and the group is also sonar, and then the ExecStart. It says sonarqube, but in this case our directory name is sonarqube-8.9... So we need to change it to just sonarqube; only then will it be possible to start. Otherwise, you need to give this name in this location. Either way works. And if you come out of the directory and do ls -l and go to bin, here we have the Linux directory. This is where we have sonar.sh. If you do pwd, this is the path you need to mention here. But here, just sonarqube is there. So to make it aligned, I will go to /opt and move this one to just sonarqube, so that it is aligned with the information we have provided in the ExecStart and ExecStop locations. Okay, that's it. One last thing we need to do is giving the ownership of /opt/sonarqube to the sonar user. What I'm doing is useradd; I'm creating a user called sonar. While creating it, I make /opt/sonarqube its home directory; -d is nothing but directory. That is one thing I'm doing. So I have done that, and we need to do the ownership. It is still owned by root only, if you check ls -l. You can see it is still owned by root. So chown -R sonar:sonar. Okay, now if I check, it should be owned by the sonar user. That's it. Now let's start SonarQube. Before that, we just need to reload the daemon, and then systemctl start sonar.service. Okay, there is a typo. Let me copy it here: systemctl start sonarqube.service. Okay, let's enter, and let me check.
Now, maybe you are thinking that I'm starting it as root. No, because we have updated in the configuration that whoever starts it, it has to start with the sonar user only. So ps -ef | grep sonar. If I search, yes, it has started, and if you look at the user, it is the sonar user. And also netstat -tulpn: it should be running on port number 9000. Yes, it's running. Let's connect to our database... sorry, SonarQube server. Okay, what is our EC2 instance IP? This is the public IP, colon 9000. It is getting ready. Once it is ready, we are going to set up the password; we'll see the username is admin, and we set up the password. This part, understanding the SonarQube console, I have already explained in our last video. If you haven't checked it, please go and check it out. In the next video, I'm going to integrate this SonarQube server with Jenkins so that you can understand how we can run the projects from Jenkins. And in our previous lecture, we have seen how to integrate SonarQube with Maven as well, right? Alright, that's all for this lecture. I hope you found this video valuable. Please show your support by subscribing to our channel. Give a thumbs up if you liked this video, and we'd like to hear from you; please comment in the chat window if you have any questions. Thank you. See you in the next video.

5. SonarQube Integration with Jenkins: Hey guys, welcome back. In previous lectures we have seen how to set up SonarQube and the console overview of SonarQube, and, in case we are running SonarQube with a different database, how that works.
In this lecture, we are going to see how to integrate SonarQube with Jenkins so that whenever we run any job, it is able to run the code quality analysis as well. For this, I have prepared a list of the steps which we should follow and updated it in our GitHub account. Let's go and have a look. This is my GitHub repository, and I'm going to share this URL in the description of this video. If you see here, we have a directory called sonarqube. Under this, we have a file called integrate SonarQube with Jenkins. Here I have listed the steps which we should follow. The first thing is we need a SonarQube server. Yes, I have already set up a SonarQube server; this is up and running. The next thing is a Jenkins server. Yes, this is our Jenkins server. These two are up and running. I have launched them on AWS. You can see here the Jenkins server and SonarQube. Next, on SonarQube, we need to generate a token which can authenticate from our Jenkins system. This authentication token we are going to use on Jenkins. Next, on the Jenkins server, the first thing is to install the SonarQube plugin. Next, configure SonarQube credentials; in these credentials we are going to use this token. Next, install the sonar scanner. In our previous lectures, we were saying that wherever we have our code, in that system we need to use the sonar scanner. That is the reason we are installing it over here, because we are going to run the analysis on our Jenkins system. At last we are going to run the pipeline job to generate the code quality analysis. These are the steps we need to follow. For the pipeline, I have already created a file and kept it in the same directory, that is, sonarqube. If I open it over here, this is the pipeline script. I just mentioned the list of steps which we are following in this: we are going to get the code, build it, and at last run the SonarQube analysis.
These steps I copied from the SonarQube official documentation itself. If you see SonarScanner for Jenkins, here we have SonarScanner for Maven. These are the steps I copied. Anyway, I'm going to put this link in the description of this video. You can check it out to get a more detailed idea. Let's go back to our documentation. As per this one, these two steps are already completed. The next thing is we need to generate a SonarQube token. For that, let's jump into our SonarQube server. Here we need to generate a token. We can generate a token for your project; for that, add a project, or you can also choose an earlier project here. Either way is fine. I'm choosing this one. While adding our project, we can integrate it with version control systems, or we can choose manual. For now I'm going to use the manual way, and we need to provide the key name over here and a display name. I have given demo app project as the key name as well as the display name. Next, set up. Here also we need to provide a token name. I'm going to give the same name and generate. This has generated a token. This is the token which we are going to use in our Jenkins. Now, let's go back to our Jenkins server. Here we need to install the plugin; that is what we need to do as per the documentation. We have completed that step; now, on the Jenkins server, install the SonarQube plugin. Let's go to the Jenkins server. To install plugins, go to Manage Jenkins, Manage Plugins and Available. Let's search for SonarQube. Okay, here you can see SonarQube Scanner. This is the one we should install. Install without restart. The installation is successful. Now let's go back, and the next step is to configure SonarQube credentials. For that, Manage Jenkins, Manage Credentials. Here we need to add credentials, that is, under Jenkins.
Then global credentials. Here we need to add credentials. Now the credential type: what we have is a key, right? This is the token, and we don't have a username or password; that is the reason we need to go with Secret text. Let's choose this one, and the secret text is what we are going to copy now. I'm going to name it SonarQube token; the ID and the description I have given as SonarQube token. Okay, add the credentials. Now, let's go back to the dashboard. The next thing is we need to add our SonarQube to Jenkins. I missed adding that step over here; I will add it. Let's go back to Manage Jenkins and Configure System. We should go here to add our SonarQube to Jenkins. If you scroll down, here we have SonarQube servers. Here we need to enable this checkbox, environment variables; it should be available for the build environments. Then Add SonarQube. Here we should provide the name. I'm going to give SonarQube 8.9. Okay, 8.9.2, to give the detailed version. That is the version which we are using here. You can see here, version 8.9.2. So it's easy to identify. And the URL of our SonarQube server: this is the IP address. Be careful while using the public IP because it keeps changing whenever you reboot your system. That's the reason, in the real world, we use only private IP addresses. The next thing is authentication; we have already added our token. With this token, it can authenticate to our SonarQube server. That's it. Now apply and save. One last thing we need to do is install the sonar scanner. This installation we can do in the CLI of this Jenkins, which is nothing but logging in to Jenkins with SSH and installing it over there. Or else, another option is Manage Jenkins, Global Tool Configuration. If we scroll down, you can see SonarQube Scanner; Add SonarQube Scanner.
Here we can choose Install automatically. I'm going to name it SonarQube Scanner 4.6... Okay. So this is another way; it automatically installs this version on our Jenkins. Apply, and that's it. We are ready to run our job with SonarQube analysis, our code quality analysis. For that, let's go and create a new item. Here I'm going to name it SonarQube pipeline. This is a pipeline job. Okay. Nothing to do over here. Anyway, we have the pipeline script. Let's copy that one. We need to make minor changes to our code according to our configuration. Let me copy it; just click on Raw, then copy it. Here, if you see, the first thing is we are going to run on any agent. Anyway, we don't have a slave system; that's the reason it will run over here. Next is the path of our Apache Maven. I have installed my Apache Maven under this path; that is the reason I mentioned it over here. If this location varies for your environment, you need to change it. I will just show you. This is my Jenkins server; mvn -version. Okay, you can see here this is the Maven home, /bin. The same thing I have provided over there, right? So /opt and the Apache Maven path, /bin. Let me increase the font a little bit. Next thing, get code. This is the code I'm going to use, that is, the Java login app. Next we are going to build the code, and to build the code we are going to use the command mvn clean package. And this mvn is looked for in this path; in case Maven is not available in this path, this build step is going to fail. At last, SonarQube analysis. For this, we can define the sonar scanner. Anyway, if we are installing automatically, we can disable this option. If we want to enable it, we can, and we need to provide the name which we have given in the Global Tool Configuration, but I have just disabled it. In the next step we are going to use the SonarQube env.
That is SonarQube 8.1.2 that we have given; this should match our Jenkins system configuration. At last we are going to run the Maven sonar:sonar. This is the goal we are executing. That's it; apply and save it. Let me bring it to normal size and Build Now. Once we build this, it is going to build our code. Then it is going to communicate with our SonarQube and generate the reports over there. First, the clone is successful, then the build is happening. If we want to see what is going on, we can see the console output. Build successful. Now you can see the sonar goal is running. Okay, our build is successful. And if we see here, analysis successful; it has successfully analysed our code. We can open this by going here, or else we can open it from here itself. Okay, here you can see the report. Or else, let me open it in a new window. The same thing you can see. This is the report, and the overall report is Passed. Here also you can see it is passed. So it has 15 bugs, zero, whatever it is, and the hotspots, code smells, and a few other options. Let's open this one for more detailed information. You can see here, this is our code; these are the bugs, these are the security hotspots and a few other things. Usually this is accessed by the developers, and they can review their code over here: how many bugs they got and what those bugs are. So these are the bugs which are generated. Next, if you click on this one, it gives more detail on why this bug occurred, and we also get some recommendations. This is how we are able to find it. Again, if I go to the overview and you want to see all the issues, you can click over here. Here it will display all the issues. Next, if I go to overall... or else, if I go to the dashboard. Next thing: how does it generate this report? How does it identify the bugs?
It is based on the rules. Okay, here we have the list of rules, right? For Java, we have the list of rules, and these rules are applied by using the quality profiles. I mean to say, for Java, we have a quality profile called Sonar way. These rules are applied on our code, and among these rules, whatever issues it finds are triggered over here. We can change these quality profiles to have more rules. As you see, we have 600 plus Java rules, but 452 are applicable. What I will do is create a new quality profile. For that, Create. I'm going to name it test profile. This is for Java, and create. While creating, I'm going to activate all the rules which are applicable for Java. For that, go to the Bulk Change option. Here I'm adding all the rules which are applicable for Java to that test profile. I hope, except six, all the remaining ones are going to get added to this one. Yes, 633 have been added anyway. Now I'm going to run the same code by applying the new profile. For that, I can make it the default: Set as Default. And you can see the minor changes in this analysis report. I think the bugs could be the same, but we can see some changes from the current analysis. Okay, just remember what we have here: we have 38 code smells and the security hotspots. Now let's run this job once again. Build Now, and let me open it. Alright, build successful. If we scroll down a little bit, somewhere we can see which quality profiles are applied. You can see here: quality profile for Java, test profile. This has been applied. And if we go and check in the previous build, let me show you, there it should definitely be Sonar way. Okay, if I go to the end and scroll up, yeah, you can see here quality profile Sonar way. Now let's go back to our SonarQube.
And if I click on SonarQube again, you can see here 95 code smells; bugs are 15 only, but vulnerabilities are three; earlier, there were no vulnerabilities. If I click over here, it says that you haven't added any new code to this one. But if I go to overall, these are the three vulnerabilities, the security hotspots, and 95 code smells. So it has done a more detailed analysis. This is how we are going to use the quality profiles. In a similar way we can use the quality gates. Here, we can change these values according to the project criticality and apply the quality gates; according to that, it is going to calculate the bugs and vulnerabilities. And if these bugs or vulnerabilities are below the threshold value, it is going to mark it as failed. Alright, that is how we can integrate SonarQube with Jenkins and run the code quality analysis reports. Thanks for watching. I hope you found this video valuable. Please show your support by subscribing to our channel and liking this video; that's how we can deliver more interesting content on our channel. Thank you. See you in the next video.
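
The two points lesson 4 stresses, pointing sonar.properties at the PostgreSQL database instead of the default H2 one and starting the service as the sonar user rather than root, can be checked with a small script. This is an added example, not code from the class or the teacher's repository; the function names, the sample file contents and the short list of guessable passwords are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the class): audits sonar.properties and the systemd
# unit for the points lesson 4 stresses. Sample file contents are constructed.

# Effective value of KEY in a key=value file: comment lines are skipped and,
# as with Java properties, the last assignment wins.
prop_value() {   # $1 = file, $2 = key
    awk -v k="$2" '
        /^[ \t]*[#!;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) found = val
        }
        END { print found }' "$1"
}

# Prints one FAIL line per finding; returns 0 only when there are none.
audit_sonar_properties() {   # $1 = path to sonar.properties
    local f=$1 url user pass rc=0
    url=$(prop_value "$f" sonar.jdbc.url)
    user=$(prop_value "$f" sonar.jdbc.username)
    pass=$(prop_value "$f" sonar.jdbc.password)

    case $url in
        "") echo "FAIL sonar.jdbc.url is unset or commented out (embedded H2 is used)"; rc=1 ;;
        jdbc:postgresql://*) ;;
        *)  echo "FAIL sonar.jdbc.url is not a PostgreSQL URL: $url"; rc=1 ;;
    esac
    [ -n "$user" ] || { echo "FAIL sonar.jdbc.username is unset or commented out"; rc=1; }
    if [ -z "$pass" ]; then
        echo "FAIL sonar.jdbc.password is unset or commented out"; rc=1
    elif [ "$pass" = "$user" ] || [ "$pass" = admin ] || [ "$pass" = password ]; then
        # Assumption: a tiny illustrative list, not a real password policy.
        echo "FAIL sonar.jdbc.password is a guessable value"; rc=1
    fi
    # The file holds the database password in clear text.
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "FAIL $f is world-readable"; rc=1
    fi
    return $rc
}

# A system unit without User= is started as root by systemd.
audit_service_unit() {   # $1 = path to the systemd unit file
    local user
    user=$(prop_value "$1" User)
    case $user in
        "")     echo "FAIL no User= in unit: the service would start as root"; return 1 ;;
        root|0) echo "FAIL User=$user: SonarQube must not run as root"; return 1 ;;
    esac
    return 0
}

demo() {
    local d
    d=$(mktemp -d) || return 1
    # Constructed sample: the values typed in the lesson, with a 644 file mode.
    cat >"$d/sonar.properties" <<'EOF'
sonar.jdbc.username=sonar
sonar.jdbc.password=admin
sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube
#sonar.jdbc.url=jdbc:oracle:thin:@localhost:1521/XE
EOF
    chmod 644 "$d/sonar.properties"
    printf '[Service]\nUser=sonar\nGroup=sonar\n' >"$d/sonar.service"
    audit_sonar_properties "$d/sonar.properties"
    audit_service_unit "$d/sonar.service" && echo "OK   unit runs as a non-root user"
    rm -rf "$d"
}
demo || true
```

On a real server, call the two audit functions with the sonar.properties under the conf directory and with the unit file created for the service.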