
SonarQube LTS comprehensive study and 6.7 evaluation

https://www.sonarqube.org

The elegant and comprehensive static code quality analysis tool's latest LTS, 6.7, came out at the end of 2017. From an LTS standpoint every version shows significant improvement over its predecessor; in SonarQube's case there have been three LTS releases so far: 4.5, 5.6 and 6.7. Sonar, as it was called when it started, had a humble yet powerful idea: analyze Java code with existing static code analysis tools like PMD and FindBugs and persist the report in a database. This opened new opportunities for PMOs and people concerned with productivity, as it preserves the history of a project.

But Sonar was still only helpful for Java developers and was almost exclusively for Maven. By becoming part of the Codehaus projects it became more popular in the Maven community, and around the same time it was recognized with a Jolt award. Sonar started getting more attention, and it indeed lived up to it. Sonar soon added analysis of other languages to its arsenal. An interesting decision was made at this point: it ditched the approach of being an aggregator of static code analysis tools and became an independent one. This move was in fact essential for becoming a one-stop static analysis solution for all programming languages.

SonarQube 4.5 LTS was the first version that broke out of the "Java as first-class citizen" cocoon to give multi-language support under a single project, and it implemented the SQALE methodology for calculating technical debt. The version also marked the step towards establishing themselves as a for-profit organization, as they started offering commercial plugins for language analysis and for PMOs (governance and report generation). Writing custom rules for SonarQube became elegant once they started using their own AST instead of PMD's; I have written about 50 on my own, and it would have sucked big time if I had to use PMD's XPath! An AST, or Abstract Syntax Tree, is how one piece of code traverses another piece of code; it is quite intriguing to think of something like that, isn't it? The Enterprise offering demanded availability, and SonarSource came up with the first active/passive clustering guide. The IDE plugin initiative helped them move away from the label of blamer, as developers can run a preview analysis in the IDE itself before committing new changes and bugs. As far as architecture is concerned, the inclusion of Elasticsearch improved search.

SonarQube 5.6 LTS made a considerable number of changes from an architectural standpoint to support changes at different levels. Clustering was foremost, as SonarSource started offering a cloud solution; even before this they had https://nemo.sonarqube.org/, which was more of a SonarQube demo primarily used by open source projects; I gave it a go when I presented SonarQube to the Chennai DevOps community. Pre-commit analysis was expanded to support comments in the source code repository; it was cool both on paper and in action. If you work in a big organization or an open source project and keep getting pull requests, this was a boon for you, as it helps the product owner decide whether the new pull request should be merged into the development branch - my trial. The most important change is the decision to split analysis into two phases: one on the analyzer, mostly your CI engine, and the second inside SonarQube's Compute Engine. Then there were the UX improvements and the reorganization of rules into the categories bug, vulnerability and code smell, replacing the previous categorization model based on five severity levels; this also gave everything a fresh look and feel.

SonarQube 6.7 LTS marked the arrival of aggressive commercial versions of the open-core SonarQube. Pricing had already changed from edition-based to LOC-based in SonarQube 5.6, but that was only going to help small organizations; the new change was made at the Compute Engine level so as to force organizations to move to the Enterprise edition if they have multiple projects continuously analysed. This is why a careful evaluation of your needs and your budget allocation is required before proceeding with SonarQube 6.7 LTS. From a technical standpoint, SonarQube introduced branch analysis, i.e., you can continuously analyze your regular releases made from the trunk or master branch and also keep track of a feature release being developed in a different branch; neat, isn't it? Also SonarLint, the plugin for IDEs, was better integrated with SonarQube and SonarCloud through an improved notification mechanism. Elasticsearch was upgraded, improving the already smooth search experience.

So what is there to evaluate? SonarQube 6.7 sounds awesome, right? Yes; in fact more languages have now received first-class citizen status: along with the JVM-based languages, JS and C#, now PHP, Python and Flex are all invited to the party. So what's the hitch? The Compute Engine, which I did not explain on purpose. Before the Compute Engine, all the analysis and data writing happened outside the SonarQube server. The server was essentially an instructor on how to analyze and where to store; the analyzers did all the heavy lifting, and the SonarQube server concentrated on displaying issues, managing action plans and so on. With the Compute Engine, the SonarQube server became an active participant in the analysis stage as well, by taking over the job of persisting data. This control was leveraged in the new LTS: from now on the Community edition only supports sequential data persistence, which puts a limit on the number of parallel analyses happening at a given point in time. Only one project can be persisted at a time; you have to pay more for parallel persistence of analyzed data. On average the Compute Engine takes 2 seconds to 5 minutes to process a project, even bigger ones; if you can tolerate this you can go ahead and upgrade to or start using SonarQube 6.7. If you are a huge organization and you use SonarQube as a centerpiece, with it analyzing 20-plus projects every hour, then consider upgrading to the Enterprise edition. But before moving into the commercial landscape you might want to familiarize yourself with Kiuwan, Checkmarx and Fortify, as their offerings put security alongside static code analysis. When it comes to static code analysis, though, SonarQube is still perfect in report accuracy.
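To put the sequential-persistence argument into numbers, here is an added example (not SonarQube's own code) that models the Compute Engine as a FIFO queue served by one worker versus two, using the page's figures of 20 projects an hour and a 5-minute worst-case report. The evenly spaced arrivals and fixed durations are constructed inputs for the model.

```python
"""Capacity check for a SonarQube Compute Engine queue (added example).
Models the page's point: the Community edition persists one analysis
report at a time (one CE worker); paid editions allow several in parallel."""
import heapq
from dataclasses import dataclass


@dataclass
class QueueStats:
    max_pending: int      # most reports waiting at any arrival instant
    max_wait_s: float     # longest time a report sat in the queue
    mean_wait_s: float


def simulate(arrivals_s, durations_s, workers=1):
    """FIFO queue served by `workers` identical CE workers.
    arrivals_s must be sorted; durations_s[i] is the processing time of report i."""
    free_at = [0.0] * workers          # min-heap: when each worker becomes idle
    heapq.heapify(free_at)
    starts, waits = [], []
    for arrived, duration in zip(arrivals_s, durations_s):
        ready = heapq.heappop(free_at)  # earliest-available worker
        start = max(arrived, ready)
        heapq.heappush(free_at, start + duration)
        starts.append(start)
        waits.append(start - arrived)
    max_pending = 0
    for i, arrived in enumerate(arrivals_s):
        # reports submitted earlier that had not yet started when this one arrived
        pending = sum(1 for s in starts[:i] if s > arrived)
        max_pending = max(max_pending, pending)
    return QueueStats(max_pending, max(waits), sum(waits) / len(waits))


def steady_load(projects_per_hour, duration_s, hours=1, workers=1):
    """Evenly spaced submissions, each taking duration_s (constructed scenario;
    300 s is the page's 5-minute worst case)."""
    n = projects_per_hour * hours
    spacing = 3600.0 / projects_per_hour
    return simulate([i * spacing for i in range(n)], [duration_s] * n, workers)


if __name__ == "__main__":
    for workers in (1, 2):
        print(f"{workers} worker(s):", steady_load(20, 300, workers=workers))
```

With one worker and 20 five-minute reports an hour the backlog grows by two minutes per submission; a second worker clears the same load with no waiting.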
