Using Python Sonar Scanner Locally to Scan Code Quality

Inaya Rahmanisa
4 min read · Feb 27, 2024


One limitation of a deployed SonarQube instance is that it only scans code from the main branch of a repository. It can scan other branches, but that requires upgrading to a more advanced, paid plan. A simpler way to scan your code is to run SonarQube locally. Here is a guide on how to do so.

1. SonarQube and JDK 11 installation

Before using SonarQube, download the latest (or your preferred) SonarQube release from https://www.sonarqube.org/downloads/. If you do not have a JDK installed on your system yet, install it from https://www.oracle.com/java/technologies/javase-jdk11-downloads.html.

2. Set up SonarQube

To do this, extract the zip you downloaded. Then,

  • Navigate to the ‘sonarqube-x.x.x\bin\<your system>’ folder. <your system> should be replaced according to the operating system you are using; for example, I’m using windows-x86-64.
  • Start SonarQube with this command: StartSonar.bat

Wait until it has started successfully. You will then be able to open http://localhost:9000/ in your browser.

3. Set up SonarQube Project in SonarQube Dashboard

In http://localhost:9000/, do:

  • Log in to the SonarQube dashboard using username ‘admin’ and password ‘admin’. After logging in for the first time, you will be prompted to change the password.
  • Click on the ‘Projects’ tab and then click the ‘Create project’ button.
  • Enter a unique ‘Project key’ and ‘Display name’ for your project, and click the ‘Set Up’ button.
  • You will need to pick an analysis method. In this guide, we’ll choose Locally.
  • Follow the 2-step prompt: generate a new token, continue, then choose Other for the build and Windows (or whichever OS you’re using).

Now we have the executor command to run later in our project. Note that this command embeds the token you just generated, so treat it as a credential: do not commit it to the repository or paste it into shared documents.

4. Download and Install SonarScanner

Download and install SonarScanner from the SonarScanner CLI page (sonarsource.com). Then add <INSTALL_DIRECTORY>/bin to your PATH environment variable. Once you’re done, check it by opening a terminal and running sonar-scanner.bat -h. It should look like this:

5. Configure Sonar Project

In your project’s root directory, create a ‘sonar-project.properties’ file and fill it with:

sonar.projectKey=<your_project_key>
sonar.projectName=<your_project_display_name>
sonar.sources=<your_project_source_folder>
sonar.sourceEncoding=UTF-8

where the project key and project name are the ones we configured in the dashboard earlier. Here’s an example of mine:

sonar.projectKey=ppl-a5-backend
sonar.projectName=ppl-a5-backend
sonar.sources=.
sonar.sourceEncoding=UTF-8

6. Execute and Analyze

Copy the executor command that we obtained in Step 3 and paste it into a terminal opened in your project directory. Make sure no (virtual) environment is activated in this step. Wait until nothing is still running in the terminal and an EXECUTION SUCCESS remark appears. It should look like this:

Once it’s done, open the analysis result link printed in the terminal, which is the project’s dashboard page in SonarQube. In my case, it is http://localhost:9000/dashboard?id=ppl-a5-backend. Now, if you’re using Python, there will most likely be a warning advising you to set sonar.python.version. So, as a completely optional step, you can add this:

# or your Python version; keep the comment on its own line, because in a .properties file a ‘#’ after the value becomes part of the value
sonar.python.version=3.10

to the sonar-scanner-x.x.x.xxxx.windows/conf/sonar-scanner.properties file.
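Steps 5 and 6 and the sonar.python.version note above come together in the following script. It is an added example, not code from the original post or from SonarSource: it writes a sonar-project.properties file for a Python project, parses it back the way the scanner’s Java .properties reader does (which shows why an inline ‘# comment’ breaks the version value), flags common misconfigurations, and assembles the scanner invocation with the token passed through the SONAR_TOKEN environment variable rather than on the command line. It puts sonar.python.version in the project file instead of the global scanner conf, which the scanner also accepts. The project key, file names and the assumption that the installed SonarScanner CLI reads SONAR_HOST_URL and SONAR_TOKEN are this example’s own.

```python
"""Added example (not code from the original post or from SonarSource).

Writes a sonar-project.properties file, parses it back as the scanner's
Java .properties reader would, reports common mistakes, and builds the
scanner invocation with the token supplied via SONAR_TOKEN.
Project values and file names are constructed for the example.
"""
import os
import re
import tempfile
from pathlib import Path


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser (the format sonar-scanner reads).

    Only a line whose first non-blank character is '#' or '!' is a comment;
    a '#' after a value is part of the value. Writing
    'sonar.python.version=3.10 # comment' on one line therefore yields the
    value '3.10 # comment', which the Python analyzer cannot use.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # key runs up to the first '=', ':' or whitespace; the rest is the value
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_properties(props: dict) -> list:
    """Return findings for the misconfigurations this post runs into."""
    findings = []
    for required in ("sonar.projectKey", "sonar.sources"):
        if not props.get(required):
            findings.append(f"{required} is missing")
    version = props.get("sonar.python.version", "")
    # accepted shape: dotted versions separated by commas, e.g. "3.10" or "3.8, 3.9"
    if version and not re.fullmatch(r"\d+(\.\d+)?(\s*,\s*\d+(\.\d+)?)*", version):
        findings.append(
            f"sonar.python.version={version!r} is not a version list "
            "(an inline '# comment' becomes part of the value)")
    for secret in ("sonar.token", "sonar.login", "sonar.password"):
        if secret in props:
            findings.append(
                f"{secret} is stored in the properties file and could be committed; "
                "pass it through the SONAR_TOKEN environment variable instead")
    return findings


def render_properties(project_key: str, project_name: str,
                      sources: str = ".", python_version: str = None) -> str:
    """Build the file contents; every comment sits on its own line."""
    lines = [
        "# generated by the example script",
        f"sonar.projectKey={project_key}",
        f"sonar.projectName={project_name}",
        f"sonar.sources={sources}",
        "sonar.sourceEncoding=UTF-8",
    ]
    if python_version:
        lines.append("# interpreter version the Python analyzer should assume")
        lines.append(f"sonar.python.version={python_version}")
    return "\n".join(lines) + "\n"


def scanner_env(token: str, host_url: str = "http://localhost:9000") -> dict:
    """Environment for the scanner process.

    Assumption: the installed SonarScanner CLI reads SONAR_HOST_URL and
    SONAR_TOKEN, so the token never lands in shell history or process lists.
    """
    env = dict(os.environ)
    env["SONAR_HOST_URL"] = host_url
    env["SONAR_TOKEN"] = token
    return env


def scanner_argv(overrides: dict = None) -> list:
    """argv for the scanner; on Windows the executable is sonar-scanner.bat."""
    argv = ["sonar-scanner"]
    for key, value in (overrides or {}).items():
        argv.append(f"-D{key}={value}")
    return argv


if __name__ == "__main__":
    # Write the file, read it back as the scanner would, and report findings.
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "sonar-project.properties"
        path.write_text(render_properties("ppl-a5-backend", "ppl-a5-backend", ".", "3.10"))
        props = parse_properties(path.read_text())
        print("parsed:", props)
        print("findings:", check_properties(props) or "none")
    # The one-line form from the post, parsed the same way:
    bad = parse_properties("sonar.python.version=3.10 # or your python version")
    print("findings:", check_properties({"sonar.projectKey": "k", "sonar.sources": ".", **bad}))
    token = os.environ.get("SONAR_TOKEN", "<token generated in the dashboard>")
    print("run:", " ".join(scanner_argv()), "with SONAR_TOKEN set;",
          "env has token:", "SONAR_TOKEN" in scanner_env(token))
```

Run it from the project root; it only prepares the file and the command, and the actual scan is still started with sonar-scanner (or sonar-scanner.bat) once SONAR_TOKEN is exported in the shell.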

After setting up SonarQube, analyze your code by identifying and resolving the code smells, issues, and other code quality problems it reports.

Here is an example of a code issue that I got for the authentication feature I’m working on:

As can be seen, there are some issues in authentication/models.py because of code repetition. I then resolved it from this:

    def get_role(self):
        # Before: three branches that all return the same value, which SonarQube flags as duplication
        if hasattr(self, 'worker'):
            return self.role
        elif hasattr(self, 'admin'):
            return self.role
        elif hasattr(self, "sales"):
            return self.role
        return None

to this:

    def get_role(self):
        # After: the three identical branches collapsed into one condition
        if hasattr(self, 'worker') or hasattr(self, 'admin') or hasattr(self, 'sales'):
            return self.role
        return None

After resolving it, I re-ran the executor and this is the result:

There are no longer any issues in the authentication folder. It’s important to note that after resolving any code issues, you need to redo Step 6 to make sure SonarQube is up to date with the latest version of your code.
