Static Code Analysis
- Static Code Analysis focuses on
  - Coding Standards
  - Best Practices
  - Security Checks
  - Code Coverage
- To perform Static Code Analysis we will be using SonarQube.
- SonarQube can be installed on any Linux/Windows instance. Refer Here
- Refer Here to install SonarQube on Ubuntu 22.04
- For the purposes of this class, I will be using Refer Here
- We have a Jenkins master with 4 executors and node with 4 executors.
- The Jenkins master has JDK 17 and Maven, whereas node 1 has JDK 8, JDK 11 and Maven.
- We have two freestyle projects of Java (build, test, package).
- We have two declarative projects of Java (build, test, package).
- To integrate SonarQube with Jenkins, Refer Here for the previous blog article and [Refer Here](https://docs.sonarqube.org/latest/analyzing-source-code/scanners/jenkins-extension-sonarqube/#:~:text=Configure%20your%20SonarQube%20server(s,as%20a%20Secret%20Text%20credential.) for the official SonarQube docs.
- Install the SonarQube Scanner extension.
- Now log in to SonarCloud/SonarQube and generate a token from Account => Security => Generate a new token. The token is stored in Jenkins as a Secret Text credential, not pasted into a job.
- Now add the SonarQube server to Jenkins.
- Refer Here for the declarative pipeline to perform SonarQube analysis for Spring PetClinic.
- Refer Here for SonarQube with Jenkins and Refer Here for Azure DevOps.
- Once we scan our application with SonarQube, we get a report which is accessible from Jenkins.
- To make code more secure, organizations add more rules (in a custom quality profile) than what exist by default. Refer Here
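The declarative pipeline referred to above, written out here as an added example (not the blog's own Jenkinsfile). It assumes a SonarQube server registered in Jenkins under the name `SONAR_CLOUD`, a node labelled `java-node`, tool entries named `JDK17` and `MAVEN3`, and a SonarQube webhook pointing at `<jenkins-url>/sonarqube-webhook/` so that the quality gate result is delivered back to the job; the token never appears in the file because `withSonarQubeEnv` injects the credential selected in the server configuration.

```groovy
pipeline {
    agent { label 'java-node' }       // assumed label of the build node
    tools {
        jdk 'JDK17'                   // assumed tool names under Manage Jenkins > Tools
        maven 'MAVEN3'
    }
    stages {
        stage('checkout') {
            steps {
                git url: 'https://github.com/spring-projects/spring-petclinic.git',
                    branch: 'main'
            }
        }
        stage('build and test') {
            steps {
                // keep going on test failures so the analysis still runs and
                // the coverage/test data is reported to SonarQube
                sh 'mvn clean package -Dmaven.test.failure.ignore=true'
            }
        }
        stage('sonar analysis') {
            steps {
                // SONAR_CLOUD is the assumed server name; the plugin exports
                // SONAR_HOST_URL and the Secret Text token to the Maven scanner
                withSonarQubeEnv('SONAR_CLOUD') {
                    sh 'mvn sonar:sonar -Dsonar.projectKey=spring-petclinic'
                }
            }
        }
        stage('quality gate') {
            steps {
                // block until the server reports the gate; a failed gate
                // (for example, new security hotspots or vulnerabilities from
                // the organization's extra rules) aborts the pipeline
                timeout(time: 5, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
    }
    post {
        always {
            junit '**/target/surefire-reports/*.xml'
        }
    }
}
```

When targeting SonarCloud rather than a self-hosted server, the scanner also needs `-Dsonar.organization=<your-org>` on the `mvn sonar:sonar` line.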