Posts Tagged ‘tools’

Sonar – Open Source Static Code Analyzer

One of the major challenges in today’s software development lifecycle is effective review and testing of software. There are many ways to perform code reviews and walkthroughs, which depend on the reviewer’s efficiency and experience. It involves lot of manual effort to go through the code line by line, review and analyze the code and find defects.

As far as Java is concerned, there are several code review and standard check open source tools that are being used nowadays. The most predominant are Check Style, Find Bugs, PMD. All these tools are very efficient in their own way. There are eclipse plug-ins for these tools, and can be used during the coding phase to avoid standard errors. They help in finding most of the standard and style errors, during development.

All these tools define rules to check the code for various standard and style violations. The developer can either choose to fix all the violations or can also ignore them. Some of them may not be mandatory to be fixed, and some may cause a serious issue during testing as well as when the software goes live. Also collating the results and analysis from three different tools again involves manual effort. All these activities are error prone.

A better solution to overcome these drawbacks (not all of them) is Sonar. An open source code quality management software, combines the expertise of Check Style, Find Bugs and PMD as well as provides a graphical way of analyzing and reporting code quality. Even though there is no eclipse plug-in or any other graphical editor, setting up of Sonar is quite a cakewalk. Just install Sonar and Apache Maven along with JDK1.5 or above.

Sonar provides support for a whole bunch of platforms, AIX, Linux, HPUX, Mac, Solaris and Windows. Just by running the StartSonar command, the server starts up by creating the schema for the default embedded database, which is Derby. Sonar can also be configured for other database, by changing the conf\


Once the server has started, the GUI would appear empty without any projects. The default login is admin / admin, for configurations to be changed. Before configuring a project, its better to configure the rules. The Sonar Profiles are by default defined with a lot of rules from Check Style, Find Bugs and PMD.


To configure a profile, copy a profile and provide a new name to the profile, then change the rules as necessary. The rules can be made Mandatory, Optional or Inactive. Once the rule levels are defined, then set the new profile to default profile to be used for the projects.


Setting up a project for analysis is also quite simple. If the project is already using maven, then after running the install goal on Maven, then run the mvn sonar:sonar goal from the same directory.

Non-Maven Projects need to create the pom.xml file in any directory. The contents of the file as below:


Once the pom.xml is created, then run mvn sonar:sonar to start collecting data for the project. Once the project successfully built, the project will be available in the GUI, for analysis.


ViolationsSummary        ViolationsDrilldown 

Certain features that could have been made available are the integration with an IDE to fix the problem found either automatically or with a ‘Fix Now’ button and also integration with a version control software for continuous integration and review. Leveraging the Maven APIs and Plug-ins for integration with version control software, the latter can also be achieved.

Overall Sonar is a very useful tool for code quality management. If Sonar can be enhanced with the above mentioned features there is no doubt that it will become a necessity for every developer as well as organizations.