Sonar 2.13 in screenshots
The Sonar team is proud to announce the release of Sonar 2.13. This new version includes 60 improvements, bug-fixes and also some new features that we believe are worth stopping your daily work for a couple of minutes to check out: the ability to create manual reviews / violations anywhere in the code, the ability to create action plans, and an extended search engine.
Extended search engine
The search engine now returns not only projects but also modules, packages and files. A picture is worth a thousand words:

Whenever a quality defect is detected “manually”, the person who detected it has the ability to inject a violation directly into Sonar:

The related violation is then displayed within the source code and will be accounted for in metrics after the next analysis of the project:

Action plans can be created to group reviews together.

An action plan can be associated with each violation:


Progress can then be reviewed in a dashboard widget:

The previous release made it possible to use hotspot widgets in your own dashboards (see Sonar 2.12 in screenshots). It’s now possible to customize, rename or even delete the default dashboard named “Hotspots”.
Now it's time to give the new version a try and to read the installation or upgrade guides.
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
Sonar and JaCoCo
By Raghu, 1 December 2011
I am a fan (and regular user) of Sonar, a platform to manage code quality. The 2.12 release of Sonar, which happened yesterday, introduced a bunch of new features including Java 7 support and the availability of Jacoco into Sonar core.
Industrialize your Flex projects with Hudson, Maven, Sonar, FlexPMD and FlexCPD
By Fabien Nicollet, 5 December 2011
In the Java world, there are many tools for checking the integrity of your code (unit tests) but also for making sure that the quality of your code is respected. These tools let you ensure the robustness of the applications you build.
My Testing and Code Analysis Toolbox
By Jens Schauder, 11 December 2011
Last week we kicked off a “Testing Skill Group” at LINEAS, a group for exchanging knowledge about testing. One question that came up over and over again in various flavors was: What tools are there for testing and analyzing your code? So here is my personal answer for this, in approximately the order I tend to introduce them into projects…
Open Source & code Legacy
By Jean-Pierre FAYOLLE, 18 December 2011
There are more and more solutions of analysis of code which allow to measure the quality of your applications. Most are sold by software vendors, and we had the opportunity to verify that these solutions are expensive to buy, to implement and to use (Disposable software). In response, the last decade has seen the rise of the Open Source alternative to proprietary software.
Flex + ( Ant | Maven ) + Sonar
By Jozef Chutka, 5 December 2011
The title may sound like there are two possible ways how you can have your source code analyzed and published to sonar, but you had better not rejoice prematurely. After spending a couple of hours trying to figure out how to make it work using ant I may have hit some nice articles, however sonar-ant-task seems to have major issues with sonar version 2.8. The solution is maven!
Sonar in Thoughtworks Technology Radar
Most IT people know Thoughtworks and its charismatic technical leader / evangelist Martin Fowler. But probably fewer know the Thoughtworks Technology Radar, first published in January 2010.
According to its authors:
The ThoughtWorks Technology Advisory Board is a group of senior technology leaders within ThoughtWorks. They produce the ThoughtWorks Technology Radar to help decision makers understand emerging technologies and trends that affect the market today. This group meets regularly to discuss the global technology strategy for ThoughtWorks and the technology trends that significantly impact our industry.
In its last publication (July 2011), the Sonar platform made its first appearance in the “Assess” circle: “Worth exploring with the goal of understanding how it will affect your enterprise”.
Of course, the SonarSource team was very proud of this, but this is not the point here. Indeed, Sonar is a platform to manage quality among other platforms that have been around for a while: CAST Software, McCabe, Klocwork… So why add a QA tool to the radar now, and why choose Sonar? Is it because of its growing open source community: 5,000 downloads and 1,000 emails per month? For its multi-technology capability in Java, C#, COBOL, PHP, PL/SQL, ABAP…? Is it for its governance extensions: SQALE or Portfolio Management? Maybe, but I am pretty sure that an additional reason has led Thoughtworks experts to make this choice.
From inception, Sonar was not developed as “just yet another quality reporting tool” but as a means to continuously manage and fight back technical debt. This might sound like a subtle semantic difference but it actually makes a big difference. The SonarSource team has grown with Agile methodologies, and with those methodologies source code is always very much at the center of focus: it should be able to mutate constantly over time to embrace changes. This key capability to do refactoring at any point in time is so important that the Technical Debt metaphor was introduced early by Agile practitioners.
After 4 years of development and 38 releases of Sonar we, at SonarSource, deeply know what “Change” means! In such an evolving context, processes, planning, documentation, specifications, … they all matter, but what about source code? Some would like to consider source code as a black box without too much value whose development can be easily outsourced. With such an approach, the goal of a quality platform is just to report from time to time how well a black box complies with some pre-defined quality standards. We do think this is a mistake!
Source code should be considered as a white box that each stakeholder (developer, project manager, IT director, quality consultant, customer, …) can look at at any point in time to understand what happens, to initiate discussions and to make decisions. Whatever the quality of your processes, documentation or specifications, bad code will always lead to failure. Therefore when bad code is injected, it should be immediately detected, fought back and analysed to understand why this crappy code has been injected. Waiting several months to detect technical debt is a huge waste as per Lean principles.
Adopting Sonar means much more than simply installing a tool to comply with some QA or security standards… it means that the quality of source code really matters and that the ability to manage your Technical Debt daily is key to sustaining a continuous delivery approach and to embracing business changes: Continuous Inspection has entered the game!
Sonar 2.12 in screenshots
The Sonar team is proud to announce the release of Sonar 2.12. This new version includes more than 100 improvements, bug-fixes and also some new features that we believe are worth stopping your daily work for a couple of minutes to check out: support of Java 7, integration of JaCoCo in the Sonar core, Hotspots 2.0 and display of groups of duplicated blocks.
Three new widgets have been created to embed hotspots into a project dashboard: most violated rules, most violated resources and hotspots on a specific metric. We continue the “widgetisation” effort of all Sonar UI components in order to sooner or later provide full customization capability of the Sonar UI.

This was a great opportunity to collaborate with both the Checkstyle and PMD teams in order to help them support all Java 7 language changes: Strings in switch statements, try-with-resources statements, improved type inference for generic instance creation (“diamond”), simplified varargs method invocation, better integral literals, and improved exception handling (multi-catch).

JaCoCo is now part of the Sonar core, along with Cobertura. This means that not only can coverage by unit tests be calculated natively by JaCoCo, but also that coverage by integration tests is now much better integrated. Results are displayed on the same page as coverage by unit tests:

Note that Cobertura is still the default engine… but it’s only a matter of time before JaCoCo becomes the default Java code coverage engine. We just need more feedback from the community to make this switch.
Improved Display of Duplication Blocks
The ‘Duplications’ tab in the code viewer has been fully refactored to make it far more usable:
- Duplication blocks are visually grouped in case of “truplications” or more
- A code snippet is displayed by default on each group of duplicated blocks
- Duplicated blocks on external files can be seen without leaving the page
Don’t forget that since Sonar 2.11, the default PMD CPD engine has been replaced by the Sonar CPD engine, which brings a unique feature: the ability to track duplications across projects.


The events management has been greatly improved to make it easier to use from the History page introduced in Sonar 2.11.

Now it's time to give version 2.12 a try. Release notes are available on the download page. Reading the installation or upgrade guides is highly recommended.
Sonar in the news
Welcome to the roundup of blog posts and pages that mentioned Sonar last month…
Code Quality Analysis in Deployment Pipeline with Gradle, Jenkins and Sonar
By edvorkin, 31 October 2011
Sonar is a tool that integrates a range of quality analysis tools into a single website. It provides one page visibility into quality of project source code. Developers and managers are interested in test coverage, code duplication, adherence to coding standard, cyclomatic complexity of the code and several other parameters…
Integrating the Sonar monitoring tool with Team Foundation Server 2010
By Maxime ARNSTAMM & Simon Lehericey, 13 November 2011
As shown in the previous article, Sonar is the essential tool for assessing the quality of an IT department's projects on an ongoing basis.
In this article we would like to present the installation of the various components of Sonar analysis and how to integrate it into your TFS build factory…
Lunch-N-Learn Ideas? Use Sonar Hotspots
By Clint Shank, 23 November 2011
Are you eager to get your team together for a lunch-n-learn with free pizza (and beer), but can’t come up with any ideas on which to present?
Or maybe you just want to get heads down and make some high impact, quality improvements to your code base, but don’t know where to start.
Setting up Sonar analysis for C# projects
By John M. Wright, 25 November 2011
In an effort to better understand some of the problematic areas of the C# codebase I work on, I recently set up an instance of the Sonar code analysis platform. Sonar is originally written for Java analysis and later added C# support. This posting walks you through my experience attempting to set up, configure and run the analysis.
Sonar in the news
SONAR – manage your code quality
By ShamanOfJava, 10 October 2011
Sonar is an open platform to manage code quality. It covers the 7 axes of code quality. Sonar supports a wide range of programming languages such as Java, C, C# etc. Through this article, we are going to see how to set up a Sonar Server and how to integrate a Java Project with it.
Measure Code Coverage of HtmlUnit Based Tests with Sonar and JaCoCo
By deors, 20 October 2011
This blog post is the third one in a series about Integration Tests with HtmlUnit. Finally, in this post we are going to show how to measure code coverage of HtmlUnit tests using Sonar, the popular Continuous Quality Assurance tool, and JaCoCo, a very interesting code coverage tool based on JVM agents instead of instrumenting bytecodes.
Separating Code Coverage With Maven, Sonar and Jacoco
By John Dobie, 23 October 2011
In this example I will expand upon my previous example of keeping your unit and integration tests in separate packages, and explain how to also produce code coverage statistics. For this I continue to use Maven, whilst adding Sonar and Jacoco to provide the code coverage. You can run the example below, but you will need to read the first article here to understand it.
Testing the new Sonar plugin for Gradle
By Luciano, 28 October 2011
If you were looking to convince your boss that Gradle is worth a try for your next project, look no further. Gradle 1 release candidate 5, released on October 25, brings the long awaited Sonar integration, and it works ridiculously well. How well? How about a one-liner.
A Free EC2 Cloud Server With Ubuntu, Jenkins And Sonar
By John Dobie, 29 October 2011
This example shows you how to create a free Amazon EC2 cloud based continuous integration and testing environment on Ubuntu. This is a low power server but it is useful for infrequent use. I personally tend to recommend Cloudbees, but this is handy when you need a free Sonar instance.
Code Quality Analysis in Deployment Pipeline with Gradle, Jenkins and Sonar
By Eugene Dvorkin, 31 October 2011
Sonar is a tool that integrates a range of quality analysis tools into a single website. It provides one page visibility into quality of project source code. Developers and managers are interested in test coverage, code duplication, adherence to coding standard, cyclomatic complexity of the code and several other parameters. Sonar is an open source product and can keep all your code metrics in a database, as a matter of fact, in any relational database.
Effective Code Review with Sonar
At SonarSource, we like eating our own dog food as much as possible. This is not always the case in software development, but in our case since we develop software for software companies, we can do it. We therefore have an instance of Sonar that analyses all our products daily. We’ve been using it for quite a long time to monitor code quality using features like alerts and SQALE indicators (Technical debt). We have defined a quality gate for the ecosystem that is fairly simple: the SQALE index must be A, the technical debt must not increase between releases and there must not be blocker or critical violations.
This quality gate is good to have but not efficient enough, because defects introduced during a sprint all have to be fixed at the end. Instead, they should be fixed as they appear for better efficiency, similarly to fixing code when a unit test breaks in continuous integration: this is what we call continuous inspection. We have done a lot of work this year to be able to provide better support for Continuous Inspection in Sonar and have added several services: differential views, SCM information and manual reviews integrated with email notification and with Sonar Eclipse. Manual reviews are really the hot new feature that complements the existing services and makes code reviews more effective.
How does this all fit together? Well, this is the subject of this post… Get your Sonar 2.11 started, open Eclipse along with Sonar Eclipse 2.1, and follow the guide!
Develop, test, commit… and sleep well!
Managing code quality is like handling non-regression: while developing, you should not worry about it; a process should do it and notify you in case of an issue. You already know that you can refactor your code serenely because a continuous integration server will check that you did not introduce a regression, don’t you? The same applies when you improve a feature: the integration tests will make sure that you did not break anything, right? Similarly, you can feel comfortable when you think about the quality of your code: Sonar will take care of it for you.
If you wish, you can also use Sonar Eclipse during your development to run local analyses and get realtime feedback. This is not yet optimal, since you can only run a full analysis, and we are working hard on supporting incremental analysis.
Morning: code review time
After a good sleep and a cup of coffee, the first thing you want to know is how well you coded the previous day: log into Sonar and activate the “since previous analysis” differential views on your project: in a second, you see whether new defects have been introduced. Those may identify, for instance, potential bugs, too complex classes or insufficiently tested methods. But whatever those violations are, you know that they increase the technical debt of your application. Fixing a violation is like fixing a bug: the sooner, the cheaper, as the context of the violation is fresh in your mind.

To track the newly introduced violations, use the differential violations drilldown. For every newly introduced violation (there shouldn’t be too many as you become more and more familiar with the quality rules), create a review and assign it (or, when appropriate, flag it as a false positive). If your source configuration management tool is supported by Sonar, finding the developer who introduced the violation is even simpler, as their identifier appears next to the violation (as long as you have installed the Sonar SCM Activity plugin).

This process should only take a couple of minutes and maximizes the efficiency of reducing technical debt, but the ultimate objective is to provide a mechanism that notifies the person who introduced a new violation.
Before developing again, clean your code
Once you’ve created all the reviews for the newly introduced violations, you can get back to your favorite IDE. But before starting coding, maybe you’d like to fix defects that you introduced the day before, wouldn’t you?
If you’re using Eclipse, you are lucky: Sonar Eclipse provides a very efficient way to work with reviews. Thanks to its Mylyn connector, Sonar Eclipse brings all the reviews assigned to you right inside your task view in Eclipse. There too, in a second, you see all the reviews that you have to work on. Open a review, click on a link to open the corresponding file, fix the defect and resolve the review as “fixed” so that it doesn’t show up in your task list any longer: it is that simple to fix a violation! And if it turns out that the fix is not obvious, you can start a discussion thread on that review by adding a comment.

If you are not using Eclipse, you can still get notified when reviews are assigned to you. Just log into the Sonar web application with your account and go to the “My Profile” page to activate the email notification for reviews. This way, you won’t miss a single review assigned to you! Actually, you should probably activate email notification in both cases: indeed, if you created a review and assigned it to someone else, you may want to know whether the review has been solved, or whether the developer added comments on it.
And what about reviews that have been fixed?
Sonar handles code quality for you, but it also makes sure that fixed reviews have been handled correctly. During the next analysis, for each fixed review, if its corresponding violation has actually disappeared, Sonar will set the review to “closed”. If not, Sonar will reopen the review: in the morning, you will then see it again in your task list (or receive a mail) with the “reopened” status.
If you want to monitor more reviews, not only yours, you can use the Sonar review service, which allows you to query reviews by their author, assignee, status, resolution, corresponding project or id.
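As an added example (not Sonar's own code), the following Python models the mechanics this post describes: the “since previous analysis” differential that lists newly introduced violations, the next-analysis reconciliation that closes a review resolved as “fixed” when its violation is gone and reopens it otherwise, and the blocker/critical rule of the quality gate mentioned at the start of the post. The Violation and Review classes, the rule keys and the file paths are constructed for illustration.

```python
"""Added example (not Sonar's own code): a model of the differential views and the
manual-review lifecycle described in the post. All names and data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Violation:
    """A rule violation keyed by rule, resource and line; frozen so analyses compare as sets."""
    rule: str       # constructed rule key, e.g. "sample:UnusedField"
    file: str       # resource path inside the project
    line: int
    severity: str   # BLOCKER, CRITICAL, MAJOR, MINOR or INFO


@dataclass
class Review:
    """Manual review on a violation: open -> fixed -> closed or reopened by the next analysis."""
    violation: Violation
    assignee: str
    status: str = "open"   # open, fixed, false-positive, closed, reopened


def new_violations(previous, current):
    """'Since previous analysis' differential: violations present now but not before."""
    return sorted(set(current) - set(previous), key=lambda v: (v.file, v.line, v.rule))


def reconcile_reviews(reviews, current):
    """Next-analysis handling of reviews resolved as fixed: close if the violation
    really disappeared, reopen if it is still there. Other statuses are left alone."""
    still_present = set(current)
    for review in reviews:
        if review.status == "fixed":
            review.status = "reopened" if review.violation in still_present else "closed"
    return reviews


def gate_blockers(current):
    """Quality-gate rule from the post: any blocker or critical violation fails the gate."""
    return [v for v in current if v.severity in ("BLOCKER", "CRITICAL")]


# Constructed sample data: two consecutive analyses of the same project.
YESTERDAY = [
    Violation("sample:UnusedField", "src/Foo.java", 12, "MAJOR"),
    Violation("sample:EmptyCatch", "src/Bar.java", 40, "CRITICAL"),
]
TODAY = [
    Violation("sample:UnusedField", "src/Foo.java", 12, "MAJOR"),      # still present
    Violation("sample:CatchThrowable", "src/Baz.java", 7, "BLOCKER"),  # introduced today
]

if __name__ == "__main__":
    for v in new_violations(YESTERDAY, TODAY):
        print(f"new {v.severity} violation {v.rule} at {v.file}:{v.line}")
    reviews = [Review(YESTERDAY[0], "alice", status="fixed"),  # claimed fixed, still present
               Review(YESTERDAY[1], "bob", status="fixed")]    # really gone
    for r in reconcile_reviews(reviews, TODAY):
        print(f"review assigned to {r.assignee}: {r.status}")
    print("gate blockers:", [v.rule for v in gate_blockers(TODAY)])
```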

That is it! This is how we are using differential views and manual reviews to run an effective continuous improvement process. Of course, you can adapt it, or even have a different one, to meet your needs. But keep in mind that the most important thing is to be sure that technical debt is under control!
More features are coming to support Continuous Inspection further: creating reviews on any code, filtering newly created violations by developer… Stay tuned!