Sonarqube Tutorial Part - 01 out 06

Captions
This conference will now be recorded. Okay, so the first question is: what is SonarQube? So when you say SonarQube, you can think of this as a quality management tool. Yeah, it's a quality management tool. Now "management" you understand, "tool" you understand; then here, when we say "quality", what quality are we talking about? So when we are talking about the quality, basically we are talking about the code quality, that is the first thing, and then we are talking about the test part. Okay, so code quality and test quality. So in SonarQube we are managing the code quality and we are managing the test quality.

Now the next question you may have: how can we get the code quality? How to get good code quality? So there is a process, one process which we have, that is called peer code review. Peer code review means anyone who is your senior, who has better experience than yours, he or she will review your code and get your work done. Now the second method which we have is called static code review. Static code review is the one where, you need to understand, code itself would do the review. Are you understanding this line? Yes, yes. So you have code which would do the review, so here the static code review is not dependent on any human being; there is some code which will review the code. Now this code, can I call it a rule? So this rule would review the code. Now one rule will do one check, okay, one rule will do one check. Can I have multiple rules and then review the code? So for multiple checks I will have multiple codes, which we call rules, which would review the code, and all these rules can be grouped together, we give it some name and call it one tool, and then the tool reviews the code. So basically here in static code analysis there are multiple
tools available which have rules; rules are nothing but code which does the review. Are you understanding, all of you? Yes, yes. So now the question is, okay fine, now what are the static code review tools we have? So I'll go to the internet, "list of static code analysis tools", I'll put it up, and here there is a Wiki page. So this is a comprehensive list of tools you'll get, and if you see here in this page, for the different languages, so many tools, so many tools, but different checks: security check, maintainability check, code bugs, different kinds of checks, I mean so many tools actually. Okay, so these tools help us to do the static code analysis of the code and that is how we get the code quality. Understood? Yes.

So now the question is back to SonarQube. So SonarQube manages the quality of code generated by static code review tools; it is a management capability. So now, yes, it's a management tool. This is from the company which is called SonarSource. This particular product is developed in Java, so the moment we say Java, that means you know that it will become platform independent, that means you can install it anywhere: you can install in Windows, you can install in Linux, you can install in Mac, wherever you want. And also, in order to install this tool you need to have Java installed. [Music] You need to have Java installed. So yes: quality management tool from SonarSource, developed in Java.

Now they have multiple releases actually. So one of the releases which we have is Community, and then another release which we have is the Developer release, and the third one which we call the Enterprise release. So the Community release is free; Developer and Enterprise are paid, okay, this is also paid and this is also paid. Now you will ask what is the difference between all these releases. So the software is the same, okay, the software is the same, but in terms of static rules the support is different,
so see here: this is the Community Edition which I'm covering today, then Developer and Enterprise, okay. Enterprise itself is, and there is also Data Center for high availability. So in the Community release you have everything here; importantly this is static code analysis for 17 languages. So now if you go for the Developer release, you have a little bit more support for different languages, plus you have some rules to detect the security issues. And in Enterprise you have multiple reports, mainly these reports you can get, and support for these extra things. So if you want to compare, this is the place to compare. So now we'll focus on the Community release. Now what is the version? So the latest version which you can see here is 9.8, and this is something which you have to learn. So this is the introduction of SonarQube. Any question so far? Thank you. Any question so far? Hello, am I audible? Hello? Yes. Yeah, that's one question: will we cover the Developer and Enterprise also in this training, since a trial version is available? Okay, we will cover it, because as I understood, for security rules you will not be able to find them in the free edition. Yeah, so the moment you cover the Community one, then you will find this is not a great thing, but anyway if you want we'll cover it. But see, it's just the rules, so you just understand the Community first and then you'll see that this is nothing but, the moment you install the Developer editions, you will have these rules available. What are the rules? Now we'll need to understand that in a little bit. But let's say in the Community Edition you will get the OWASP rules inside it. Which rules? The OWASP. Yes, so the OWASP rules you can get from Google also, I mean lots of communities have configured these rules. But let me tell you, here this is the Developer Edition; the Enterprise Edition is a paid one, so I will request for a trial version,
but most of the time they give you the trial version only for organizations. So I can request; if I get it I can show you, but I cannot promise because this is not under my control. Developer Edition trial, most of the time the trial they do themselves actually; in fact you cannot try actually. But when I say these features, the moment you install the Developer Edition and Enterprise editions, these rules will come. Now the question is how to use these rules; this I'll show you in the Community Edition. In the Community Edition all the features are available; the limitation is, if you have a license I can demo it, but they do not give the license to everyone. Got it? Okay, yeah. And here you have reports, that means in the same software multiple reporting will be available, where you can generate a report and share it with a manager. So this is the stuff.

Now let's move on to test quality. So now the next question is how to get test quality. So this is something which we'll discuss after the code quality, but here just to give you an idea: we do the testing, okay, you do the unit testing, that sort of testing, and then after that we do the acceptance testing, and after that we do the code coverage. And these coverage reports, these coverage reports are nothing but test quality. So what is test coverage, which are the tools available for test coverage, and how do we share these test coverage reports, code coverage reports, with SonarQube, we will discuss after the code quality. Meanwhile you can also study a little bit of the code coverage process and the list of tools. So I'll give you some assignment: what is code coverage, and the list of tools for code coverage. These are the two things; if you can get these as background then it will be easy for you to understand this. Does it make sense? Yes. Okay.

So now the next thing is how SonarQube works, okay, that is the stuff you can also call architecture, SonarQube architecture. The first thing which we have is the SonarQube
server. So now, in the SonarQube server you have a web front end, and then the web front end talks to the database in the back. So now the web front end is developed in Java, HTML, CSS, JavaScript and so on; when you say Java, that means some web pages and stuff like that. Now the backend is the database; so the database, it can be MS SQL, by default it's the H2 database, okay; it can be MS SQL, it can be Oracle, it can be Postgres also, so any RDBMS which is supported. So by default, whenever you install SonarQube you will find the H2 database. All these are RDBMS, relational database management systems, and the web front end. Now a few more components you will see: add-ons. What are the add-ons you'll see? So the add-on you'll see here is Elasticsearch. Do you know Elasticsearch? Yes. Yeah, so Elasticsearch has been embedded in SonarQube. For what? For site searches; so when you want to search the site, they are using Elasticsearch. Now the moment we talk about Elasticsearch, you know that Elasticsearch you cannot run with the root user, that is not possible. So here SonarQube cannot run as a root user, mind it, because of this limitation only, because of Elasticsearch. So it cannot run as a root user; you have to use a normal user to run SonarQube. Apart from that, these are the things.

Now how it works: let's understand this whole thing, how it works. Before that I will show you one more thing which is important, and this is called the SonarQube scanner. Now what is the scanner, the SonarQube scanner? So the SonarQube scanner is a utility, okay, this scanner is one utility which would scan the code, scan the code and generate reports; a few other things also are done, I will discuss that inside. And the last thing which you need is source code, okay, source code. So you need source code for doing the analysis; so different source code is needed for doing the analysis. Now how it works I am going to explain to you, so
let's see this picture very carefully, it's very important. So this is your laptop, okay, I'll just write laptop, and here this is your server, the SonarQube server. Now if you see here, the SonarQube server primarily will be divided into three parts; so here primarily, I'm not showing you all the features. So here you have rules, a collection of rules. Now what the rules are I have explained somewhere here, so I hope you understand this, correct? Hello? Yes, yes, it's clear, you can proceed. Yeah, now here you have a database; now which database? This database is the one which I have put up here. And this is the web; the web means you interact with it, you means any DevOps engineer or any developers, those who want to have feedback on the source code, you access the dashboard. Now in the laptop what do you have? So here you have the code, so this is the code, okay, this is the code, and then there is one more thing which we have, called the scanner. Now you can use the scanner. Now how it works, for understanding please hear me out very carefully. What you need to do: the scanner is always there in the place where your code is. So here you will run the scanner on the source code; this code can be anything. The moment you run the scanner on the source code, what will the scanner do? The scanner goes to the SonarQube server and fetches all the rules, downloads the rules and applies them on the source code. So it happens whenever you run the scanner on the source code: this scanner is going to read the code first, read the code, what kind of code you have, and there is a property file in the code, I'll show you that. Say read the code, and after that it goes to the SonarQube server, it can be on a different machine, and then you download the rules, download the rules, apply them on the code, and after that it generates reports. These reports have certain formats, schemas and all, and these reports get stored in the database, and from the database this you do
continuously, and this database shows the reports on the dashboard, and then you get to know who's the person who's making a mistake, what is the mistake, when it was introduced, how to fix it, and blah blah blah. Understood? Yes. One question: you said it will download the rules locally on the laptop, yes, and will it delete them later on when it finishes? No, the rules are very small, so it will create a cached copy; if you want to delete, you have to delete it manually, that's not a huge thing. Yeah, my question is, let's say if you download the rules, can you scan offline, or do you always need to be connected? So the scanner needs to be always connected, because it is doing lots of things, no: downloading, publishing to the database, I mean reports to the database, right, lots of things. So here this is the one flow, after that second, third, fourth, fifth, sixth; so the scanner is doing all six things here. I did not tell you in detail because I didn't want to confuse you. So all these things are done by whom? The scanner, when you do step number one. So that means the moment you run the scanner on the code, the rest of the things will be done. Clear? Yes, yes.

So the scanner is a small utility; it always resides at the place where your source code is. Now think in an architecture way: this scanner with this laptop, it can be a build server also, where you are doing the build through Jenkins and all; it is not necessary that it has to be a laptop, it can be a build server in CI/CD, okay, so that is also possible. So remember that whenever you set up a build server, code and scanner have to be on the same machine. Now for the scanner there are different types of scanners. What are the different types of scanners? So right now, today, the demo which I'll show you, I'll show you the demo of the command line scanner, but because we have multiple day sessions, each day I'll show you a different scanner so you get confidence. So one of the scanners is the CMD scanner, CMD means command line;
another scanner we have is for Maven, another for Gradle, another scanner you have for Jenkins, and another we have for Azure DevOps. Are you using Azure? No, no. Okay, so these are the types of scanners actually; you know, we call these the types of scanner, but actually this scanner has only one code and that code is jar files. Whether you go for CMD or Maven or Gradle or Jenkins or Azure DevOps, they'll have a jar file, but you can call it through Maven or Gradle, or Jenkins, we have plugins for it, and for Azure DevOps we have some exe, exe means an exe file, so like that; so ultimately it's a jar file only. Okay, so that is it. So how it works you have understood, correct? Yes. Okay, great. So here, in this one, I'll share with you this image in our subject.

Okay, so now we have understood; now the question is how to install it. As I said you can install the SonarQube server anywhere, that's not a problem, so I am going to install it in one of the VMs. So let's use this machine first; the root password is rajesh123, okay. So now what is the IP address? The IP address for this is eight, so putting 192.168.1.8, root, rajesh123. Now, this is the one. Now I need the package to install it. So here you can download it for free, okay, and this Developer one also you can download, but you need a license key, without that it will not be activated, and this also. But the problem is the key: they give it, or maybe the trial key they give only for the Enterprise, that is the only challenge, and you can request; if you can get it you can use this one also. So how do we download this one? So I think I have downloaded it already, let me check. So as I said you cannot use a root user for SonarQube; I have one user which is called rajesh, and here I have this one; the problem is this is what I demoed last time, I will delete this, okay, because I want to start from scratch. The problem is, let's say, the package; so no problem, let me click on it and get the package, which is the zip file. I'll
just cancel this one. Now this is the package which we are trying to download, okay. So meanwhile the package is being downloaded, what are we going to do? We are going to see all the versions of the scanner. So can I go ahead and show you? So here, SonarQube scanner, okay, let me share the URL here. How to download: this is the one, the SonarQube server you get here, and the scanner, if you want to download, this is the place. Now, okay, so you see here Gradle, .NET, Maven, Azure DevOps, Jenkins, and scanner, this is the command line; this one we are not using nowadays, this build tool earlier we were using. So this is the scanner you can download. Let's see if I got it. Okay, it's not coming, so I'll not wait for it and click manually to let it download. Okay, now there is some check connecting, so what I will do, I'll go and use the upload tool for uploading this: SSH 192.168.1.8, specify rajesh, thank you. Now I will upload. Let me see if the download has completed or not; it's not completed, almost done. Okay, so now I need to install Java, so I'll cancel this, I don't need it anymore. So Java, Java is installed, but let's say if you want to install it as per your platform, so here there are easy installs available, Java install, this is the one. So I am using CentOS, right, so CentOS here, so you can install using this command; these are the OpenJDK, so you can get it. Now this URL I am putting in the notes, I'll share that. So, good to go. Now I'll upload this file, this is the SonarQube which I downloaded, and here, now I got this file. Now what I am going to do: unzip this file, and then now here, if you see, sonarqube, if you go inside this. Now this is Elasticsearch, okay. If you are using no external database like MS SQL, PostgreSQL and so on, the default is H2, so today we'll use the H2 database, so that database will be stored here in h2. Now SonarQube keeps all the libraries, you will find them under this directory, jar files will be there, jar files.
Now here you have plugins; this directory is for when you want to extend SonarQube with some additional features, then you'll have to install the plugins. So there are many ways to install the plugins; one of the ways, like when you access the SonarQube website, then you will see the plugins, so you can install it and so on, but manually also; I typically do it manually, so I download the jar file and then the jar file I keep in this directory and restart this one, that's all. Logs, I think no need to explain; all the HTML, CSS and all of the SonarQube website you will find here; temp; then conf, the config file, that means any modifications which you want to make to SonarQube, then you have to keep this file in this directory, in the notes. Now here I want you to understand the pattern, the config files info. So now you please understand this way: the server config file will be named sonar.properties, now the scanner config file will be named sonar-scanner.properties, and the code, the code also we have a property file, okay, and the project property file will be named sonar-project.properties. Will you remember this pattern? Yes, yes. Yeah, so remember that it's a different property file each. So here I have sonar.properties; in this file itself you have so many entries to make: port number, database, Java settings, performance settings, Elasticsearch settings, many things we have here which you can do. Right now I'm not getting into that file, just giving you the intro. And the bin directory, you have the start/stop script. So what is my platform? So Linux, and start, that's all, start, stop, whatever you want to do, done. Now the status is running. So now which port is the default for SonarQube? So the default port is, what is it, nine thousand, okay, so this is the default port. I think I'm right, let me get a confirmation, because I forget; grep port in conf/sonar.properties, so okay, 9000, okay, this is the port, you see. So let's come
now it's not accessible; maybe you have a firewall enabled, so I'll stop the firewall, this is not a good practice, though. Okay, you have to become root to stop the firewall, you have to put the password. Okay, but it's coming actually, the firewall was disabled. So if you are having some firewall, you can stop the firewall and disable it, and also if you want to disable it, like this. Yeah, okay, so now this is SonarQube, so finally we got the SonarQube server which is here, let it come, a few seconds. We can also check the free memory available, so 4 GB, that is more than sufficient for this version, which is the latest one, consuming a little bit more. Let me refresh. Okay, so now how do you access it? The username, the default username is, I think, admin, okay, username is admin and password admin only, so admin/admin. Now you will change the password: old password admin, new password admin123, admin123, enter. So this is your SonarQube server. Any questions over it? It's okay, it's okay. Yeah, so now the next thing is: you got a server, now I need a scanner. So the scanner from where? So here, this machine I am using, the laptop, means my desktop itself. So let's download the scanner; so go to the scanner and here I'm downloading the scanner. Do I have the scanner on my laptop? It is already there, just for the demo I'm downloading it again. All right, here it is. Now this scanner, usually I keep everything in C drive, tools, and you see sonarqube here, and yes, then, so this scanner you have it there; one more scanner I got. So I'll do one thing, I'll delete all the old scanners: so this is the MSBuild scanner, I'll delete it in front of you, so these are the old scanners, I deleted them. There is the new scanner I got, command line, and extract it. Okay, what mistake did I do? You know the mistake I did is I downloaded the Linux scanner, that is the mistake I did, because my host is Windows, so I'll have to download one more time in this video. And now let me
copy that and go to the tools, okay, and put it, extract it, it's Windows now, okay. So I'll delete this file. Now what I will do, I'll just, I don't like a long name actually, so I'll just write scanner-windows, and this one I'll push here, so that way it will be aligned for me and for you. I delete this. So now this is the scanner. Now if you see, if you want to understand the scanner, the jar file will be here, okay, and this scanner, I see they have a JRE included also, it's a lightweight version of the JRE, so you don't have to download Java. And here you have a configuration file; this is something which I was talking about here, the scanner config, that means if you want to modify any behaviour or configuration of the scanner, you can modify this file. And here you have a command for start, this is for debugging. So now basically this is your jar file; ultimately you have a jar file, okay, the scanner is written in a jar file but packaged in different formats; no matter which one you are using, everywhere you will get a jar file, but the packaging and use cases are different. Done. Now this path, this path you can set in the environment variable also, so you can call it whenever you want to call from anywhere; this file you can call, but right now I'm showing you manually so you understand that. So here I got this scanner also; server I set up, scanner I set up, now I need one source code. You can keep any source code for the sake of use cases, but I have some sample which I want to show, so for the time being you can use this sample. This is simple source code; you see here, this is the compile directory, which is empty, okay, there is nothing, and src will have two source codes, see, one source code and two source codes, so that's all. It will take a few minutes to do that; if you show a large code base it will take hours, mind it. And this property file is needed in every project; the source code should have this property file, sonar-project.properties. Now
when I say the scanner runs on the source code, so the scanner reads this property file. So now you know what: when you go for Gradle or .NET or Maven or Jenkins or Azure DevOps, you won't see this property file in the code base; so when you have a project like that you won't see this property file, why? Because you know the scanner creates that property file dynamically using the Gradle information. So now we'll see what exactly you have in the property file: nothing, a few basic pieces of information here: project key, project name, version, where is your source code, and so on, language-specific; these are the required information, the rest of the things whatever you feel, depends on your requirement, okay. So these are some of the simple things we have. Okay, so this is the source code; so the source code also you got, which is here; the server, this is the scanner, and the port; so the code you can take from here, the server just now we set up here, this is the password, 123, and the scanner I downloaded from this place. So far so clear, all of you? Yes. Okay, so now I am going to do nothing but run the scanner on the code, but the code I have to clone, right. One more thing: don't download the code, don't download, always clone it. Why? Because, if you see, this is the source code I am having, which I am deleting just for demo's sake, because this is from last time, so I'll go for the command line and git; I'll just clone it from the URL. So you need to clone that code. So why should you not download the code? What happens: when you clone the code you get the Git version also, so the scanner has a capability to read the code versioning and then tell you who has made a mistake and when it was made: that's the mistake, that wrong coding was done by you, and who's the person for it; I mean the scanner can get that versioning detail and the culprit from the version in Git. But if you download, the versioning will not be there and the scanner will give you the latest
information; it will not tell you who has made a mistake. So mind it, always do it from the cloned version. So right now I just cloned in front of you; this is the code I'm having, this is the same property file, some source code and so on. So all these things are done; now the next question you must be having here is: what is the broader use case of SonarQube? The broader use case also you need to understand, in a simple way. So the broader use case is like this: for organizations, see here, now see the problem, you have to understand, for the enterprises. So in enterprises you have tens of projects, more than that I guess; each project you have tens of developers; 10 projects, each project you have 10 developers; each developer is using so many static code analysis tools, because you have code not only in one language. Here I showed you the static code analysis based on the language: so you want to do C also, C++ also, Java also, Python also, and so on, HTML also, CSS also, JavaScript also, backend also, meaning you want to analyse all the code. So you will use 10 SCA tools for it, and every day each developer will generate 10 reports for it. Just imagine, imagine 10 reports from one developer; so just imagine 10 reports multiplied by 10 developers multiplied by 10 projects and multiplied by 10 SCA tools: how many? Hundreds, thousands, I mean 10,000 reports you will get almost every day. Did you understand the pain? How will this organization manage it? I repeat, manage it: here I said management of what? Quality. So if you don't have SonarQube, this management will become chaos, right: every developer still using different SCA tools, every developer having a different set of tools, multiple projects, multiple reports, whether it's going up or down, the code quality is improving or not improving, how do you manage it? So enterprises need this tool because of managing these 10,000 reports per week from all of your projects, from all of your developers, from 10, 20 different languages, 10
different, 20 different SCA tools; you need one consolidated platform and that is where SonarQube can help you. Are you able to visualize this? Solves problems? No, no? Hello? Yes, no, no, we're not using it; yeah, no, I'm saying the visualization of SonarQube, why this is good for enterprise companies. Yes, okay. So now the last thing, what to do: the last thing, which I said already, run the scanner on the source code. So can I run the scanner on the source code? Let me get the scanner first: this is my scanner and this is my source code. Can I run this? Here is the source code and this is my full path to the scanner, all right, and now [Music] we have some errors, and you need to tell me what the error is. I'll not fix this yet, okay. So tell me, what is that? The configuration of the server? Yes, you need to modify the property file to point to the server. Yes, you need to modify the scanner property file to inform: hey, the server is not localhost, the server is somewhere else. Let me modify; look at this, this is a commented line, okay, and this one, what is the IP address? 192.168.1.8, and this is the thing you have to do. And now rerun. Here the screen, understand? Thank you. But if you do it on a large code base then it will take hours and hours, so mind it, so always learn on a small code base and after that, once you are sure about it, then run on the large code, or else you'll lose lots of time waiting. Will we have a session about the property files, right, what to write and what not? Yeah, so only for the time being, for today, we just need to remember only a few property file entries which are important in the project, but slowly, slowly we'll modify each and every property and see that. See, EXECUTION SUCCESS, and the report is available at this location, you can click here also, or refresh this one or two. And here there is one project which has come, Nokia X. How come Nokia X has come? So if you go to the code, which is your project name, yeah, so the project name was, yeah, you see Nokia X. Now this is the
key, it has to be unique, and it's the project name, and the code base version is 1.0; you should always modify this version whenever you run the scan, that means every time it should be one point something, so that way you can see the difference between the two versions, whether it's upgraded or not upgraded. Now this is something which you see, now still it's not coming fully, just wait for a few seconds more, okay, because it will populate some, ah, so now this is the project and now this is the summary report: how many bugs you have, A; A means no vulnerability; now hotspots reviewed, none; code smells, you have a B rating, that means there are a few issues; coverage, I asked you to read this coverage, this one, okay, come back to this, read some of this stuff and then we'll do one session on coverage, not now; coverage means test quality, test quality, okay; duplication, duplication means how much duplicate code you have, I mean it's huge actually; and what are the lines of code you have: 30 lines, 31 lines of code, and the top type is Java; it's a small project actually. So this summary, click on it, and here, this is the stats of the overall code: zero bugs, zero security, zero security hotspots, but there are four code smells. Code smell means it's maintainability; maintainability means you have duplicate code, or comments you are not putting, or you have used the variables, you have defined the variable and you have not used it, something like that; these practices which are related to the maintainability of the code, best practices of code writing. Now in order to fix this code, how much time does it require? One hour. So this is called technical debt, okay, this is called technical debt: that means in order to fix these four issues you have one hour of debt, that means this has to be spent by a developer. Now this is the duplication, code coverage, and a few activities. Now if you want to see what kind of issues you have, click on this four, and you see these
are the four issues here so uh now correlate my discussion who created this issue so let me go and check so this issues created by Rajesh Kumar when at this time okay what is issues click on it this is the issues if you are a programmer you can read this how to fix it here the solution is there okay can you make it major to something else can you open resolve as a fixed positive resolve on fixed can you assign someone to fix this how much effort required for this so you see that such a nice dashboard you have for this to work with every things and yeah so these are the issues so here project name Nokia X overview list of issues some security hotspot there's the there's no there's nothing found in this measurement of the code means see you uh they will give you the score actually the score based on the reliability and here uh based on the security and so on so reliability security security maintainability so they'll give you the score and a is a very good score okay B is like Okay C is like not good these words and E is also accordingly so right now in terms of reliability I bought a rating a in terms of security also I got a reading it Security review also because there's no much code actually to be honest just a small code and there is no security you know things performed so it's like that sorry and maintainability you have a b score because there were four issues found one hour of debt and stuff like that coverage in this there's no test cases test coverage is not there so it's not been there so lines to cover 17 but coverage is reported zero percent duplicate code almost lots of size I think 30 line 31 lines of code how many lines okay lines of code 31 but lines is 35 so it must be some some blanks blank line also which has been considered enter statement functions how many classes files comments zero this award practice and also here complexity of the code they are saying hey there is a rating for complexity code seven nine and issues now you can browse the 
code here this is the code which I showed you on the GitHub same code these are the method and if you see the method you can see that what is a see here no covered by test so these are the no coverage but what issues you have so you have reports two ports smell in this code what quotes meal and this is the course map here so who introduced this so this is introduce Rajesh okay so like this and why this is an issue this day so yeah this is a very unique platform where developers can work and understand the issues in the code understand what type of shoes what issues how to fix it and also with that ultimately they will fix up the code commit it and rerun so let's say you fix that code and after that you change this 1.1 okay and then rerun this code one more time imagine you are assuming like I have fixed that code but though I'm not done any change yet and modify the version okay and reader so this time will not take uh as much time but last time because it has downloaded the rules in the caching so it will use from the same place first run it will take time um for me also it was not taken so much of time because my cache was already updated done now go ahead and click on this overview so here overall new code you have no issues because I did not change the code at all so overall this is the one now if I go and check the activity you can see this is the version one there is no changes here and this is the version 2. 
so you can compare between the versions between the two core and you can say Okay whether we are progressing or not progressing in terms of comparison in terms of issues coverage duplication and some customers are able to understand this yes yes okay so this is the watch we have sonar Cube and this is how we start doing the analysis yeah more questions it's clear it's clear okay so now let's have a five minutes or 10 minutes of break and grab your take off your restroom and I'll also have the some break for it and just connect same meeting after 10 minutes and we'll resume the sessions okay yes no worries so
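The trainer sets the project key and version in the scanner configuration and bumps the version before every scan so the Activity page can compare runs. The following sonar-project.properties is an added example, not the trainer's file or anything shipped by SonarQube; the project key, source and class paths, and server URL are assumed values for a small Java project like the one in the video. The one point worth adding for a security-minded reader is that the authentication token does not belong in this file (it would end up committed next to the code); pass it through the environment instead, which recent SonarScanner CLI releases support via SONAR_TOKEN.

```properties
# Added example, not from the video or the SonarQube project.
# All values below are assumptions for illustration.

# Must be unique on the SonarQube server; this is what the dashboard is keyed on.
sonar.projectKey=nokia-x
sonar.projectName=Nokia X

# Bump on every scan (1.0, 1.1, 1.2, ...) so two analyses can be compared
# on the Activity page. Reusing a version collapses the runs together.
sonar.projectVersion=1.1

# Assumed Maven-style layout. Java analysis requires compiled classes.
sonar.sources=src/main/java
sonar.java.binaries=target/classes
sonar.sourceEncoding=UTF-8

# Server URL is fine here. The token is NOT: do not add sonar.token or
# sonar.login to this file. Supply it at run time, e.g.
#   export SONAR_TOKEN=<token>
#   sonar-scanner
# (SONAR_TOKEN is read by recent SonarScanner CLI versions.)
sonar.host.url=http://localhost:9000
```

Java properties files treat `#` only at the start of a line, so comments are kept on their own lines rather than after a value. If the properties file is committed to the repository, the token exclusion above is what keeps a read-only scan from turning into a credential leak.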
Info
Channel: TheDevOpsSchool
Views: 24,149
Keywords: DevOps, Cloud, Containers, Tutorials, AWS, Training, Trainer, Docker, Kubernetes, Certification, Course, Sonarqube, What is sonarqube, advance, fundamental
Id: y8UF7rgtDEo
Length: 62min 8sec (3728 seconds)
Published: Tue Nov 08 2022