Sonar

Tendencies in Sonar

Olivier Gaudin — Wed, 03 Dec 2008 09:48:49 +0000

One of the very good feature in Sonar is the tendencies. The tendencies are visible in every screen, from portfolio to class view, and are materialized by little arrows next to each measure. Those arrows show the trend for the measure.
This blog entry intends to explain how to read them, how Sonar makes their calculation and how they can be used.

Sonar uses 5 levels to describe the tendency of a measure. Each level is represented by an arrow :

		Strong increase
		Medium increase
		Neutral
		Medium decrease
		Strong decrease

Sonar uses black() arrows to represent tendencies on the quantitative metrics (the ones that are not reflecting quality of the code, for example number of lines of code).

Sonar uses red() or green() arrows to represent tendencies on the qualitative metrics (the ones that are reflecting quality of the code, for example code coverage). The red is used when the quality decreases, the green when it increases.

Of course, it is to be noted that if the percentage of duplicated lines decreases it will be represented by because it is considered as an improvement.

In order to display the tendencies, we decided that making a simple difference between the last two measures of each metrics was not accurate enough. Therefore we implemented a more advanced algorithm : the least squares method. The least squares is a linear regression analysis that helps removing the noise in order to determine a trend on discrete measures. In other words, Sonar takes the last X measures, checks that the set of measures make some sens (by testing the correlation rate), determines an estimated slope and displays it using the arrows.

Since Sonar uses the last X snapshots, you would expect this X is configurable: that is the case ! Simply sign in, go to preferences -> measures menu. The number of days there is not really a number of days, but in fact a number of snapshots that are going to be used. You can increase this number as much as you like, as long as you have enough snapshots in you database !

Where do we get from there? If you take measure at a regular frequency, it means that you are able to get weekly, monthly tendencies, ... on all your pages within Sonar.

Sonar light: the low-calorie mode for Sonar

Olivier Gaudin — Tue, 25 Nov 2008 09:48:15 +0000

When I initially wrote this blog entry, I chose a much more original title : "What is the analogy between a Coke light and Sonar light". But then I realized that "Coca Light" (the French for Diet Coke) does not translate to "Coke light"... The title was not as attractive anymore : I had to back up ! ;-)

As any good code analysis tool, Sonar performs static as well as dynamic analysis (code coverage by unit tests). The dynamic analysis requires a lot of processing power (calories burning) since the unit components of the program must be compiled before they can be executed. On the contrary, static analysis just needs to analyze source code in order to calculate metrics like cyclomatic complexity or to detect bad coding practices.

Further more, the dynamic analysis in Sonar requires that the project is "mavenized" in order to have a list of runtime dependencies. Since there are still a few projects around that are not mavenized yet, the demand was growing for a way of using Sonar on those projects.

Those two reasons were good enough to create Sonar light, a mode without dynamic analysis and that does not require your project runs under maven. A live example of Sonar light is the Tomcat project in Nemo.

Practically, in order to run analysis on a project in the light mode, you only need the simplest possible pom.xml placed in the root of your project :




  4.0.0

  [GROUPID]

  [ARTIFACTID]

  [PROJECT NAME]

  [PROJECT VERSION]

  

        [SOURCE DIRECTORY]

        

           

              org.apache.maven.plugins

              maven-compiler-plugin

              

                  1.5

                  1.5

              

           

        

  

  

    true

Launch Sonar Maven goal mvn org.codehaus.sonar:sonar-maven-goal:1.X:sonar and go to the Sonar web interface to see the results.

Coming back to the initial title : in both cases you are using a low-calorie product.

Eclipse, Checkstyle, Sonar : an emerging source code management solution

Freddy Mallet — Wed, 19 Nov 2008 13:05:56 +0000

Having a tool like Sonar to monitor source code and continuously evaluate risks is a good start. Nevertheless, Sonar should not only be considered as a passive audit tool that can quickly help you scan your projects portfolio.

Sonar is the missing piece of a global source code management solution. We'll progressively communicate on this fully Open Source integrated solution but for today, here are the first three components :

A good source code management solution should not only provide a way of being reactive through a regular reporting but as well to be proactive by enabling the developer to integrate quality in the heart of the development process. In others words, each developer should be able to check the quality of a newly or updated source code before publishing it to a source control system like Subversion or CVS.

Let's take the example of Checkstyle quality rules for today. We'll see later how to generalize this approach to JUnit, Clover, PMD...

Sonar web interface allows you to quickly define and activate a quality rules profile : Without any more configuration, each time you scan a project with Sonar, this rules profile is automatically applied on source code. On the previous screenshot, you can notice that Sonar provides on each rules profile a permalink (URL) to get the checkstyle configuration file associated with this profile.

As a developer, in order to apply the exact same rules before publishing any new modifications on source code, you simply need to:

Use the well known eclipse IDE with the eclipse-cs plugin.
Go to Eclipse -> Preferences -> Checkstyle menu
Create a new Global Check Configuration, choose the "Remote Configuration" type and copy/paste the permalink provided by Sonar, for example http://nemo.sonar.codehaus.org/rules_configuration/export/java/Sonar%2520way/checkstyle.xml

Right Click on any eclipse project you want to analyze and select Checkstyle -> Activate Checkstyle

No more to do !

Every time you make some change to your code, the eclipse "Problems" view tells you what are the quality rules violations in your source code. Of course, those problems are exactly the same ones Sonar reports.

That's enough to begin with. If you want to know more about the power of the Eclipse Checkstyle plugin, you can have a look at the eclipse-cs web site.

SonarSource, a spin-off dedicated to Sonar development

Sonar team — Tue, 11 Nov 2008 18:16:18 +0000

We are happy and proud to announce the launch of a new company

Given Sonar's success, we have decided to create a spin-off of Hortis, dedicated to the development and support of the product : it just happened today !
The newly formed company has got a highly motivated team made of :

SonarSource's ultimate objective is to carry on Sonar's development to make it an open source enterprise tool widely adopted in the software development world.

Using the ‘Reviews’ section on the project dashboard

Freddy Mallet — Tue, 04 Nov 2008 17:33:27 +0000

You might have already paid attention to this little and empty section named "Reviews" at the bottom right of any project dashboard, but what is this section about ?

Originally, this functionality was developped for one of our customer : this company has a quality assurance team in charge of regularly interviewing members of development teams on different areas like "Configuration Management", "Project Planning", "Technical Design", etc. They already used Sonar to check and follow code quality on their projects portfolio and wanted to feed Sonar with the results of those reviews.

In Sonar 1.5 we've extended this to any kind of metrics which could be fed manually like "Team size", "Business Value", ... But let's go back to Sonar 1.4.X and the way this functionality can currently be used.

The first thing is to log into Sonar with the administrator account. If you go back to a project dashboard, you should now have the possibility to click on an "Add a review" link.

Sonar will ask you first to create a review type and help you to switch on "Review types" tab under "Preferences" category :

You can define your new review type by specifying the name (ex : Configuration Management, Technical Design), an optional description and the kind of metrics you want to use (ex : Number, Percentage, Yes/No). Once your review type is created, just go back to the project dashboard and feed Sonar with the results of your different kind of reviews :

Those reviews are now displayed on your project dashboard as the other classical metrics :

Of course, the history of reviews is also accessible :

So far, we have not communicated too much on this functionality as we thought its scope was not generic enough. Things are gonna change in version 1.5 as

We stop talking about "reviews" but rather about "manual measures".
You'll be able to automatically define and calculate new metrics taht use those manual measures as well as classical measures like total complexity or code coverage.

You'll therefore have the necessary tool set to calculate your own company quality indicator.

Is 80% of code coverage any good ?

Olivier Gaudin — Wed, 29 Oct 2008 10:40:49 +0000

When talking about source code quality, there are always voices to tell you that metrics mean nothing and that plenty of projects have great metrics and poor quality ! Let's look at one particular metric: the code coverage by unit tests.

Evaluating the code coverage of an application means measuring the quantity of code that isexecuted and so automatically tested by your unit tests. So if you get 80% of code coverage on your application, it's really a good news as you can refactor and maintain your code securely. It's like driving a car with a fasten seat belt. Ok, but imagine, even if it's a bit ridiculous for agile guys, that 80% of the code of a fairly big application is covered by less than 10 unit tests. Believe me, I've already encountered this situation in real life with a batch application (8'000 lines of code) in charge of manipulating text files.

It raises two remarks :

Is that good to have 80% of the code covered by unit tests ? Definitely ! If you've already maintained an application you haven't written from start, you do certainly agree that it's far better to have 10 unit tests covering 80% of code than nothing.
Ok, but when your seat belt is fasten does that mean you're driving well ? Unhappily not, it's only mean your seat belt is fasten.

So, what is it possible to conclude from the code coverage metric?

In fact let's start first by what you cannot conclude : having a high percentage of code coverage does not mean (without extra information that I will not discuss here) that you are doing good Test Driven Development (TDD).

Instead of looking at the code coverage, you must look at the non-code coverage and then you can conclude something : you know that at least XX% of your code is not covered by unit tests and that you need to do something about it. You've clearly identified a risk !

Sonar participates to the Valtech Days

Freddy Mallet — Tue, 14 Oct 2008 10:45:13 +0000

Next week, on the 21st on 22nd of October, I am going to participate to the Valtech Days 2008 where I have been invited by Eric Lefevre. More than 300 participants are expected to this event, whose main topics are going to be this year : Agility, Industrialization and software factory, Java / .NET / SOA architecture, e-business and Web 2.0.

During the event, I am going to animate a session on "Industrialization of source code management" that I will co-present with Romain Linsolas,

For french speakers, I take the opportunity of this post to mention that Romain Linsolas has written a very valuable and detailed article on how to manage the source code quality of your java projects with Sonar...

Back from CITCON Europe 2008 in Amsterdam

Olivier Gaudin — Wed, 08 Oct 2008 20:31:15 +0000

Last week-end, we attended CITCON Europe 2008 in Amsterdam.

We were really curious and impatient to discover the whole experience of technological OpenSpace: we were amazed to see how well it works and how things get organized quickly with so many people (>100). On Friday evening, anybody had a chance to propose a session on a topic, by announcing it to the audience and hanging a post-it on a board. We then voted for the topics we were interested in and since there were still numerous sessions, similar topics were regrouped : that was it for setting up the agenda ! On Saturday, there were 5 time slots of an hour each during which were running 6 sessions at the time.

In terms of content, a lot of the sessions were about integration / system / user testing (Selenium, user automated testing, issue with databases during test periods, automated acceptance tests, ...). Unlike for unit testing, no standard neither consensus seems to really emerge on integration, functional, user interface tests. We had interesting discussions and knowledge sharing sessions, but the conclusion was that the testing strategy to be put in place is highly dependent on the project type and the context.As expected, almost every continuous integration engine was represented and we even got a quick demo of each (open source first, obviously !) : Build-o-matic, CruiseControl, Hudson, Cruise, Pulse, TeamCity and BuildForge.
Talking about CI engines, we met Sherali from Atlassian, the company that develops Bamboo. We had a good time discussing software quality and talking about Atlassian's development in Europe.

We had proposed a session around Source Code Quality inside Continuous Integration. Around 30 people showed up to participate to the session.

We discussed source code quality as well as project metrics during the session. Participants had good experiences to share and ideas about how metrics could be improved. After some debate, we pretty much all agreed on some conclusions :

Showing good metrics does not prove that your project source code has a good quality
Showing bad metrics proves that your project has a bad quality
Before measuring any metrics, it is absolutely necessary to define your objectives

The last session we attended was : "Is scrum evil ?". Interesting session, probably proposed as a provocation, that highlighted to me two remarkable things :

Whether they like scrum or hate scrum, people are passionate about scrum
Out of the 70 or 80 participants to the session, I would say that 30% were Certified Scrum Master (SCM)

To wrap up, CITCON was a very good event, where participants were motivated, happy to share experience, to brainstorm and to debate. The technological open spaces are great. I think it could be an idea to split between more formal and open space sessions. The open space sessions would then be a natural follow-up to the more formal ones. We will find that out anyway during the Valtech Days 2008 happening in 2 weeks where we have been invited by Eric Lefevre.

A new Hudson plugin for a closer integration with Sonar

Simon Brandhof — Tue, 30 Sep 2008 12:25:06 +0000

Continuous integration (CI) has become a centerpiece of software development lifecycle. Since Sonar is implemented as a maven plugin, it can be easily integrated with any CI engine : the engine acts as the scheduler for Sonar's daily runs. You can even imagine to use the well known but a bit outdated cron scheduler to launch the maven goal "mvn org.codehaus.sonar:sonar-maven-plugin:1.4.2:sonar" on each project you want to analyse.

At this point in time, you are probably wondering : ok, but why would I need a plugin to integrate Sonar with Hudson, the very popular, open source and easy to use CI engine ? Is it possible to get an even more seamless integration ?

In fact, when you face a real enterprise context, you need to configure your setting.xml file by hand on your integration machine and copy/paste the Sonar maven goal for each project under control : 10, 50, 100, 200 times ... Life will be easier if you can :

Prevent edition of the setting.xml file and directly edit and view the Sonar configuration from Hudson
Define the Sonar maven goal only once and use it as often as often as you want

We've developed a Hudson plugin to provide those two missing features. All configuration is done online and is shared across projects, you can enable/disable Sonar analysis in one click for all your projects. Obviously, you still can override Sonar parameters at the project level. Imagine for instance, on a given project you don't want to import and display source code through Sonar interface for security reason (SONAR-306).

That was the first step on planet Hudson and we wanted to go beyond. There is an unknown but yet useful Sonar functionality which allows you to analyze any java projects even if they don't use Maven (perhaps you're still using Ant or don't use a build framework at all). Nevertheless, in that case you need to write by hands a short pom.xml file to provide to Sonar several mandatory parameters. This last tedious step has gone with version 0.2 of the plugin.You just need to fill those basic parameters in the Hudson job configuration and quality analysis can start. If you're a code audit consultant and you need to quickly and efficiency analyze your customer's sources : just tell Sonar/Hudson couple where is the source director. Want to give it a try : just install the sonar plugin from the Hudson management console. And... don't forget to install Hudson and Sonar before :-)

Bug-fix release 1.4.2

Sonar team — Thu, 25 Sep 2008 12:20:41 +0000

The release 1.4.2 is available for download. It fixes two bugs :

SONAR-344 Configuration of custom rules is not read when importing checkstyle.xml file
SONAR-351 MySql broken pipe on inactivity timeout

Upgrade steps from 1.4.* releases are :

unzip the distribution
replace sonar-1.4.2/conf/, sonar-1.4.2/extensions/ and sonar-1.4.2/data/ directories by yours
If MySql database, add the following property to sonar-1.4.2/conf/sonar.properties : sonar.jdbc.validationQuery: select 1
start the server
update the maven plugin version : mvn org.codehaus.sonar:sonar-maven-plugin:1.4.2:sonar