Measuring code quality (and of course acting on it!) is a vital part of software development: it helps you keep technical debt low and preserve your ability to make changes quickly and with high quality. As Martin Fowler explains, reducing internal quality slows you down. In Continuous Delivery, it plays an important role in shipping high-quality software often and fast.
Measuring code quality on premise
There are multiple tools that can help you get insights into code quality. Some of them run locally and are part of an IDE, but there are also tools that let you analyze and manage quality in a central way. SonarQube and TIOBE are two of them. Personally I have good experiences with SonarQube. I like it a lot because of the low investment costs (it’s open source, and Docker images are available to try it out) and because it doesn’t just calculate code metrics (how maintainable is my code), but also finds (potential) bugs and vulnerabilities in your code.
While SonarQube is free to install and use, there are of course still costs attached to it:
- You have to provision one or more servers on which to run SonarQube, its database and its search engine (Elasticsearch)
- You need to invest time to set up and configure SonarQube
- Application management needs to be done: upgrading SonarQube and its plugins, but also the underlying platform
- For some programming languages to be analyzed, you have to buy licenses for additional plugins, e.g. for Swift, C/C++/Objective-C, COBOL or ABAP. See this page for more information.
- For some programming languages to be analyzed, you have to upgrade to the professional version, costing € 12,500 per year. See this page for more information on this.
These costs and the initial investment needed to get it up and running can keep you from using it, even though it provides a lot of value.
Code Analysis as a Service
For some time now, SonarSource (the company behind SonarQube) has provided SonarQube as a cloud service called SonarCloud (https://sonarcloud.io). Initially you could only use it for analyzing open source projects, because the results were public to everyone. Since June of this year, however, they also offer a paid plan that allows you to analyze your private projects with SonarCloud while keeping the results accessible only to people within your organization.
The payment model is interesting: you pay for the total number of lines of code. This allows you to analyze as often as you want and to give access to all the users you’d like. Because you’re not limited to a certain number of users, you can increase the visibility and transparency of the results.
Benefits and drawbacks for Code Analysis as a Service
Benefits of using SonarCloud instead of the on-premise SonarQube (some of which apply to all as-a-Service solutions):
- No application management (upgrading, making backups etc.) needed
- Access to all SonarQube plugins like Swift, PL/SQL, COBOL etc.
- Scales naturally with your needs, no need to plan infrastructure for future use
- No initial investment in time and money to set up code analysis
- You can always switch if you don’t like it, because you pay per month
- Start in minutes (as fast as you can enter your credit card details)
Still, SonarCloud is not always a suitable solution. Some drawbacks are:
- Your source code and analysis results are hosted outside your company
- No LDAP integration possible for user management
- Cost becomes high if you have a big enterprise with lots of applications.
- The enterprise features are not available.
How to start
- Make sure you have a GitHub account. SonarCloud uses GitHub for authentication.
- Go to https://sonarcloud.io and sign in.
- Create an organization if you want to set up code analysis for your company or team.
- Set up billing by entering your credit card information.
- Set the default visibility of new projects to “private” to prevent people from outside your company from accessing your projects.
- Configure permissions, users and groups as needed
- Generate an authentication token that you can use for analyzing projects
- Run the analysis, either locally or as part of your CD pipeline
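The last two steps (generating a token and running the analysis from a CD pipeline) are where most mistakes happen: the token ends up committed in `sonar-project.properties`. The script below is an added example, not code from the original post or from SonarSource; it writes a properties file without credentials, refuses to run if the token was not injected by the CI system as a secret environment variable (the name `SONAR_TOKEN` is my assumption, any masked CI variable works), and includes a guard you can run as a pre-commit check. The project key `my-org_my-project` and organization `my-org` are placeholders. The scanner is invoked with `-Dsonar.login`, the parameter SonarCloud accepted when this post was written; newer scanner versions also accept `sonar.token`.

```shell
#!/bin/sh
# Added example: prepare and launch a SonarCloud analysis from a CD pipeline.
# Placeholders: project key "my-org_my-project", organization "my-org",
# source directory "src", secret variable SONAR_TOKEN.

# Write sonar-project.properties. The token is deliberately NOT written here:
# this file is committed to the repository, so it must not contain secrets.
write_sonar_properties() {
    out="$1"; project_key="$2"; org="$3"; sources="$4"
    cat > "$out" <<EOF
sonar.projectKey=$project_key
sonar.organization=$org
sonar.host.url=https://sonarcloud.io
sonar.sources=$sources
EOF
}

# Guard for a pre-commit hook or pipeline step: refuse a properties file
# that carries credentials (sonar.login / sonar.password / sonar.token).
check_no_secret_in_properties() {
    if grep -Eq '^[[:space:]]*sonar\.(login|password|token)[[:space:]]*=' "$1"; then
        echo "$1 contains credentials; pass the token via SONAR_TOKEN instead" >&2
        return 1
    fi
}

# Fail fast if the CI system did not inject the token as a secret variable.
require_sonar_token() {
    if [ -z "${SONAR_TOKEN:-}" ]; then
        echo "SONAR_TOKEN is not set; export it as a masked CI secret" >&2
        return 1
    fi
}

# Run the scanner. The token goes on the command line, read from the
# environment, so it never lands in a file under version control.
run_analysis() {
    require_sonar_token || return 1
    check_no_secret_in_properties sonar-project.properties || return 1
    command -v sonar-scanner >/dev/null 2>&1 || {
        echo "sonar-scanner not found on PATH" >&2; return 1; }
    sonar-scanner -Dsonar.login="$SONAR_TOKEN"
}

# Only launch a real analysis when invoked as: sh sonar-ci.sh --run
if [ "${1:-}" = "--run" ]; then
    write_sonar_properties sonar-project.properties my-org_my-project my-org src
    run_analysis
fi
```

In a pipeline, store the token as a masked secret variable of the CI server and let the job export it as `SONAR_TOKEN`; the properties file stays free of credentials and the guard catches anyone who adds one later.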
You can go to this page to get more information on how to get started.
If you are thinking about implementing code analysis, I’d recommend you take a serious look at Code Analysis as a Service, for example using SonarCloud. If you’re unsure whether it is valuable for you, don’t spend too much time thinking about it. Instead, just try it out and see if it works for you!
This blog was written by Harm Pauw.