Skip to main content

SonarQube LTS comprehensive study and 6.7 evaluation

https://www.sonarqube.org

The elegant and comprehensive static code quality analysis tool's latest LTS - 6.7 was out by end of 2017. From LTS stand point of view every version shows significant improvement from the predecessor, in case of SonarQube there have been three LTS so far, 4.5; 5.6; 6.7. Sonar, as it was called when it was started had a very humble yet powerful thought of analyzing java code with existing static code analysis tools like pmd and findbugs and persisting the report in database. This opened new opportunities for PMO and people concerned with productivity as it preserves history of project.

But Sonar was still only helpful for java developers and was almost exclusive for maven. By becoming a part of Codehaus projects it became more popular among maven community, around the same time they were recognized with Jolt award. Sonar started getting more attention, and they indeed lived up to it. Sonar soon incorporated other languages analyses into their arsenal. An interesting decision was made at this point, they ditched their approach of being aggregator of static code analysis tools to becoming an independent one. This move was in-fact essential and important for being one stop static analysis solution for all programming languages.

SonarQube 4.5 LTS is the first version that broke out of "java as first citizen" cocoon to give multi language support under single project and implemented SQALE methodology for calculation of technical debt. The version also marked the step towards establishing themselves as for profit organization, as they started offering commercial plugins for language analysis and PMOs (governing and report generation). Writing custom rules for SonarQube became elegant as they started using their own AST instead of using Pmd's AST, I have written about 50 on my own and it would have sucked big time if I had to use Pmd of XPath of Pmd! AST or Abstract Syntax Tree is how a code traversals through another code, its very intriguing to think of something like that ain't it. The Enterprise offering demanded availability and SonarSource came up with first Active Passive clustering guide. IDE plugin initiative helped them move away from the label of blamer, as developers can perform preview analysis in IDE itself before committing new changes and bugs. As far as architecture is concerned inclusion of Elastic Search improved search.

SonarQube 5.6 LTS made considerable amount of changes from architectural stand point to support changes at different level. Clustering was foremost, as SonarSource started offering cloud solution; even before this they had https://nemo.sonarqube.org/ which was more of SonarQube's demo which was primary used by open source project; I gave it a go when I presented SonarQube for Chennai devops community. The pre-commit analysis was expanded to support comments under source code repository, it was cool both in paper and in action. If you are working in big organization or open source project and kept getting pull request this was a boon for you, as it helps product owner to decide it the new pull request is to be merged with development branch - my trial. Most important change is the decision to split analysis into two phase, one at analyzer - mostly your CI engine and the second inside SonarQube's compute engine. And the UX improvements and re-organization of rules based on categories as one of bug, vulnerability or code smell from previous categorization model based on 5 level severity, also this gave every fresh look and feel.

SonarQube 6.7 LTS marked the arrival of aggressive commercial versions of Open Core SonarQube. The pricing was changed from edition based to LOC based from SonarQube 5.6 itself but that was only going to help small organizations but the new change was made at Compute engine level so as to force organization to move to enterprise version if they have multiple projects continuously analysed. And this is why careful evaluation of your needs and your budget allocation is required before proceeding with SonarQube 6.7 LTS. From Technical stand point SonarQube introduced branch analysis, i.e., you can continuously analyze your regular release made from trunk or master branch and also keep track of feature release being developed in different branch, neat isn't it. Also Sonarlint the plugin for IDE was better integrated with SonarQube or SonarCloud by having improved notification mechanism. Elastic search was upgraded improving the already smooth search experience.

So what is to be evaluated? SonarQube 6.7 sound awesome right? Yes, in-fact now more language has received first class citizen status along with jvm based languages, js and c#; also php, python, flex are all invited to party. So the hitch? compute engine, did not explain on purpose; before compute engine all he analyses and data writing happened outside Sonarqube server. Server essentially was an instructor on how to analyze and where to store, analyzers did all the heavy lifting, SonarQube server concentrated on displaying issue and managing action plans and so on. With Compute engine, SonarQube server became active participant in analysis stage also by taking over the job of persisting data. This control was leveraged in new LTS, from now community version will only support sequential data persist and thus putting a block on number of parallel analysis happening at a given point of time - only one project can be persisted you have to pay more for parallel persistence of analyzed data. On average Compute engine takes 2 seconds to 5 minutes to analyze a project even bigger once if you can tolerate this you can go ahead and upgrade/start using SonarQube 6.7. If you are huge organization and you use SonarQube as a center piece with it analyzing 20 plus projects every hour then consider upgrading to Enterprise version. But before moving to commercial landscape you might want to make yourself familiar with Kiuwan, Checkmarx, Fortify as their offerings puts security along with static code analysis. But when it comes to static code analysis SonarQube is still perfect with report accuracy. 
Labels:

Comments

Post a Comment

Popular this month

Puththu kovilum Putho tilesum, as they are built

Its the grand Aadi season here in Tamil Nadu wherever you go you'd be followed by awful noise from no mercy speakers masqueraded as a devotional song. Yes, this is the first post dedicated to it. Hindu is not a religion but it's idealism, a way to unite people, that's perfectly constructed by assuming separate task to every God, no single God worship. Hindus moved from nature worship to idol worship, but that doesn't mean that we don't have nature worship we have created an idol for them and continued to worship them in a different form. Snake is a beautiful reptile, I have made friend with few too... Our ancestor found the natural law, 'every living creature on earth is important for the ecosystem to be balanced'. Maybe to make sure snakes are not killed fearing their venom they made them as God too! Not just idol snakes, they are worshipped as they are at their  conquered (from rats and termite)   nest or  puthu . Puthu as it used to be in open
Post a Comment
Expand post »

Up and Close with Sudalai Madan: The Encounter

Night of 13th April all the preparations for the rituals were done in the temple, Sudalaimadan swamy was decorated with flowers, fruits and coconuts; the dedications reached above his chest. My cousin Sudalai Muthu, senior priest of the shrine reached home by late-night got blessings of his father Late Shanmugam Sundaram also previous head priest and blessed the family members in room dedicated for God, then started towards the temple. People have already gathered in huge numbers and were waiting for the Sudalaimada Swamy's arrival at Temple. Different rituals were offered by people to the Lord in order to get the blessings. As it is believed Sudaimada Swamy, the son of Lord Siva used to consume meat in Kailash for this reason he is sent to earth, where he can satisfy his earthy hunger thereby not polluting Kailash. Sree Aaladi Padmanabha Sudalaimada Swamy Temple, Kumarapuram Offering meat to Sudalaimadan is the most important and watchful event of the festival. Many devotees off
Post a Comment
Expand post »

It doesn't have to be crazy at work

It doesn't have to be crazy at work, is the book with that title. The title is almost clickbait, but the gist is printed straight up on the cover of the book; they didn't even wait for the blurb. Jason Fried, the CEO and David Heinemeier Hansson, the CTO of 37Signals (formerly Basecamp) co-authored this book. This book was gifted to me by whom I'd consider to be a mentor because he caught me working "crazy at work", it is rare to see such people who are more inclined to see you as a person instead of a number, he seemed to have taken guidelines from this book to heart, and I'd say it is a good change in this cut-throat corporate. This is yet another book discussion, it is almost as if I am picking books to only learn and not review them; I'm not a reviewer, and I do not have any affiliate account setup that will earn me commission; I'm just going to discuss the ideas that I grasp from the books I read, on to the book The book is about how crazy the wor
Post a Comment
Expand post »

The Difficulty of Being Good

This is not a book review, rather a discussion or an elaboration of what I understood from this book. The author, Gurcharan Das starts by claiming that his path to this book was rather unintentional since he was only trying to settle into his " Vanaprastha " life. He discusses the  goals of life and how every stage of life connects with many goals at the same time. Head on from chapter 1, we dive into the core of the book, "Dharma" the main goal of a good life well-lived apart from 'Moksha'. The best thing about the book is that the chapters are arranged such that Mahabharata's chronological narration is undisturbed, chapters are character-centric and thus dharma is approached from various points of view and Mr. Das never stops throwing questions at us and subtly answering them.  This book could not have come to me at a better time, I considered it non-intrusive advice from an elderly vanaprastha. The sub-text gives away the plot, almost, "The subt
Post a Comment
Expand post »

Product of Govt. aided School, but does it matter?

I started my work life in an MNC, Tier 1 IT service provider. I worked with clients directly since I was able to understand and speak their 'accent'. My second employer is an Italian bank where both my Indian and Italian colleagues praised my spoken, never mind that I almost always fail to communicate. It is funny that I picked up the accent from American sitcoms and cartoons and didn't undergo any sort of training.  I can hear you say "stop this nonsense bragging blog", I will after I manage to sell you the idea 'schooling is important, but schools or education boards are not'.  But why now? why not 2011? when I got the job and the girl? Probably that is the highest point in my life why was not be boastful then! why now? - Again I'm not boasting I'm only trying to convince myself and you, of course. This idea had its inception long back, 2007 was my first year of college I was considered to have a fairly high standard of communication skill in c
Post a Comment
Expand post »