SonarCloud Integration With Spring Boot-Maven

In this article, I am writing down detailed steps on how you scan your code with SonarCloud by locally executing maven sonar.

It’s a very important phase where we should configure sonar quality gates at the very early stage of the development so as to eliminate surprises.

More importantly, if you do sonar configuration at a later stage, then fixing sonar issues becomes more complex due to high code density. Then, you will have to perform more regression and integration tests to make sure that sonar fixes are not breaking existing functionalities. Hence, get sonar configured at an early stage or fail FAST!

Let’s get started.

1) SonarCloud Configuration

• Creating an organization
• Adding a project to your organization
• Generating security token

Before you begin, go to https://sonarcloud.io and create your account.

Once you logged in, follow the below steps:

Creating an Organization

A) On the top right, click on the + icon and select “Create New Organization”

B) You will see the screen as below. Fill up the details and click “continue.”

C) On the next screen, select a free plan and click on “create organization.”

D) You will see the screen like below:

Adding a Project to Your Organization

E) Click on “Create New Project,” and on the next screen, you will have two tabs: “select repositories” and “create manually”

You can select your GitHub repository or create the project manually.

If you don’t have your GitHub project, that’s fine, go ahead with selecting the option, “Create Manually” and enter the below details and click “Create.”

Organization — <Write org name, which we just created on step 1.B above >

Project Name — < any name you like>

Project Key- < this will be value of groupId.artifactId from your pom.xml >

F) Once you create the project into your organization, you will see a screen like below.

Generating a Security Token

G) Click on “Configure Analysis” from the above screen and then you will see the below screen:

H) Generate the token and then copy your token. On the next screen, you will see the option to choose your project language and build technology.

Once you select maven or gradle, it will show you the command to run sonar with maven or gradle, which I have explained below in the “Using the Code” section.

This ends all your SonarCloud configurations, so let’s move on and see how we can generate a sonar report on SonarCloud by running a maven on the local project.

2) Using the Code

You could clone my repo here - https://github.com/BeTheCodeWithYou/SpringBoot-ZeroCode-Integration

Step 1: Add sonar dependency

Go to your pom.xml and add the below plugin to enable SonarQube on your project.

<plugin>

<groupId>org.sonarsource.scanner.maven</groupId>

<artifactId>sonar-maven-plugin</artifactId>
<version>3.3.0.603</version>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>sonar</goal>
</goals>
</execution>
</executions>
</plugin>

Step 2: Run the below command to scan your code against the SonarCloud Server

mvn clean verify-P sonar \
-Dsonar.host.url=https://sonarcloud.io \
-Dsonar.organization=<organization-name created on step 1.B above> \
-Dsonar.login=<token generated on step 1.G above>

Step 3: Analyze maven output

You will see that the code is compiling and all your test cases running

Spring Application starting and running all the integration test cases written using ZeroCode framework.

All your test cases passed and now maven sonar plugin doing the magic and scanning your code against sonar rules.

You can see in the highlighted text that sonar sensors are running on the code, like JoCoCoSensor, checking Vulnerabilities, Java securitySenor, etc.

Finally, you see that the build is a success, and you can see the report on the SonarCloud.

Now, notice that on the SonarCloud, you can see your project is now showing up the code quality metrics. Just refresh your project on SonarCloud and see the below metrics.

Click on the project and look into the details of the reported issues,

Fix issues and run mvn sonar again on the local. When you see that the code is clean, you are all good for commit->push.

Hope this helps. Leave your thoughts in the comments section.