Measuring code quality (and of course acting on it!) is a vital part of software development. It helps you keep technical debt low and keep your ability to make changes quickly, and with quality, high. As Martin Fowler explains, reducing internal quality slows you down. In Continuous Delivery, code quality plays an important role in shipping high quality software often and fast.

Measuring code quality on-premise

There are multiple tools that can help you get insight into code quality. Some of them run locally and are part of an IDE, but there are also tools that let you analyze and manage quality centrally. SonarQube and TIOBE are two of them. Personally I have good experiences with SonarQube. I like it a lot because of the low investment costs (it’s open source, and Docker images are available to try it out) and because it doesn’t just calculate code metrics (how maintainable is my code), but also finds (potential) bugs and vulnerabilities in your code.

While SonarQube is free to install and use, there are of course still costs attached to it:

  • You have to provision one or more servers on which to run SonarQube, its database and its search engine (Elasticsearch)
  • You need to invest time to set up and configure SonarQube
  • Application management needs to be done: upgrading SonarQube and its plugins, but also the underlying platform (operating system, database)
  • For some programming languages, you have to buy licenses for additional plugins, such as Swift, C/C++/Objective-C, COBOL and ABAP. See this page for more information.
  • For some programming languages, you have to upgrade to the professional version, which costs € 12,500 per year. See this page for more information.

These costs, and the initial investment needed to get it up and running, can hold you back from using it, even though it provides a lot of value.

Code Analysis as a Service

For some time now, SonarSource (the company behind SonarQube) has provided SonarQube as a cloud service called SonarCloud (https://sonarcloud.io). Initially you could only use it to analyze open source projects, because the results were public to everyone. Since June of this year, however, they also provide a paid plan that allows you to analyze your private projects with SonarCloud and keep the results accessible only to people within your organization.

The payment model is interesting: you pay for the total number of lines of code. This allows you to analyze as often as you want and to give access to as many users as you like. Because you’re not limited to a certain number of users, you can increase the visibility and transparency of the results.

Benefits and drawbacks for Code Analysis as a Service

Benefits of using SonarCloud instead of the on-premise SonarQube (some of which apply to all as-a-Service solutions):

  • No application management (upgrading, making backups etc.) needed
  • Access to all SonarQube plugins like Swift, PL/SQL, COBOL etc.
  • Scales naturally with your needs, no need to plan infrastructure for future use
  • No initial investment in time and money to set up code analysis
  • You can always switch if you don’t like it, because you pay per month
  • Start in minutes (as fast as you can enter your credit card details)

Still, SonarCloud is not always a good fit. Some drawbacks are:

  • Your source code and analysis results are hosted outside your company
  • No LDAP integration is possible for user management
  • Cost becomes high if you are a big enterprise with lots of applications
  • The enterprise features are not available

How to start

  • Make sure you have a GitHub account. SonarCloud uses GitHub for authentication.
  • Go to https://sonarcloud.io and sign in.
  • Create an organization if you want to set up code analysis for your company or team.
  • Set up billing by entering your credit card information.
  • Set the default visibility of new projects to “private” to prevent people from outside your company from accessing your projects.
  • Configure permissions, users and groups as needed.
  • Generate an authentication token that you can use for analyzing projects. Treat it like a password: store it as a secret in your CI system, not in your repository.
  • Run the analysis, either locally or as part of your CD pipeline.
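The last two steps are where most teams go wrong in practice: the token ends up committed in `sonar-project.properties` or hardcoded in a build script. The following shell script is an added example (it is not from the original post or from SonarSource) showing one way to keep the non-secret settings in the repository and inject the token from the CI environment only. The organization name `my-org`, the project key `my-org_my-app` and the environment variable name `SONAR_TOKEN` are assumptions; the `sonar.login` property is the one SonarCloud accepted for the token at the time this post was written.

```shell
#!/bin/sh
# Added example, not part of the original post: run a SonarCloud analysis from a
# CD pipeline without committing the authentication token to the repository.
# Hypothetical values: organization "my-org", project key "my-org_my-app".
# The token is expected to be provided by the CI system as SONAR_TOKEN.

SONAR_HOST_URL="https://sonarcloud.io"

# Write the non-secret analysis settings to a sonar-project.properties file.
# The token is deliberately NOT written here: this file is committed to git.
# Usage: write_properties <organization> <projectKey> <output-file>
write_properties() {
  org="$1"
  key="$2"
  out="$3"
  cat > "$out" <<EOF
sonar.host.url=${SONAR_HOST_URL}
sonar.organization=${org}
sonar.projectKey=${key}
sonar.sources=src
sonar.sourceEncoding=UTF-8
EOF
}

# Fail early if the token is missing; never fall back to a default or a
# token baked into the script. Returns 1 (and prints to stderr) when unset.
require_token() {
  if [ -z "${SONAR_TOKEN:-}" ]; then
    echo "SONAR_TOKEN is not set; refusing to run analysis" >&2
    return 1
  fi
  return 0
}

# Run the scanner. The token is passed only at invocation time, so it lives in
# the CI secret store and never in the repository. Extra arguments are passed
# through, e.g. -Dsonar.branch.name=... from the pipeline.
run_analysis() {
  require_token || return 1
  sonar-scanner -Dsonar.login="${SONAR_TOKEN}" "$@"
}
```

In a pipeline you would call `write_properties my-org my-org_my-app sonar-project.properties` once (and commit the result), mark `SONAR_TOKEN` as a masked secret in your CI system, and have the build step call `run_analysis`. If someone runs the script without the secret, it stops with a clear message instead of silently analyzing anonymously or failing half-way with an authentication error from the server.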

You can go to this page to get more information on how to get started.

If you are thinking about implementing code analysis, I’d recommend you take a serious look at Code Analysis as a Service, for example using SonarCloud. If you’re unsure whether it is valuable for you, don’t spend too much time thinking about it. Instead, just try it out and see if it works for you!


This blog was written by Harm Pauw.

2 COMMENTS

  1. Hi Nirman, thank you for your reply. We see similar discussions at customers. Maybe I can put this in some perspective:

    First of all, how secure do you think your current SonarQube instance is? You need to patch the operating system, the database, etc. If the SonarQube application itself contained security flaws, every instance would be exposed, not only the SaaS/SonarSource one, but also your instance (unless you’re forking their open-source code base and would fix it before they do/the community does). In general, you can expect that SaaS services will be maintained with more effort than your organization would, because it’s not your core business. And finally, since it IS their core business, you may expect they will put adequate effort into it, since failing in security would definitely harm their business.

    Secondly, the last statement also applies for the source code itself stored on their servers. Failing for them in this respect will harm their business. SonarCloud also provides some information on this in their privacy and security statements:
    https://sonarcloud.io/documentation/privacy/
    https://sonarcloud.io/documentation/security/

    Finally, application integration is key nowadays. In the context of SonarQube, both developers and build systems need to interact with the analysis server. This means that it’s inevitable to expose your application to the outside world in some way, unless you are willing to host every service by yourself locally, which in turn leads to even more “stuff you need to maintain”.

    I personally would rather spend time on making the best out of the tools I have, than trying to operate it in a way somebody else probably can do faster, better and cheaper.

  2. Interesting! I am using SonarQube for many .NET projects in my organization, and it serves the purpose well. I believe it’s time to switch over to its cloud version (SonarCloud). The only thing which concerns me is that our organization is ISO 27001 certified, and handing over code analysis outside of our network is something which may involve a lot of clearance from various stakeholders. Also, whether the security aspects of the cloud-hosted instance are reliable or not is a question as of now.
