I'm having a very quick tinker with a tool called SonarQube for code quality scanning.
One of my colleagues had asked whether SQ can scan scripts e.g. Bash, which made me go "Hmmmm" and start to play ...
As you'd expect, I started with a Docker container: -
docker pull sonarqube
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
which is the bare minimum for getting SQ running, with the internal port 9000 mapped to the host port 9000.
I then hit my Linux virtual server on that port: -
http://10.0.0.10:9000/about
and logged in.
I cribbed the above from the Getting Started guide on the SQ website, and got to a point where I had a project set up, ready for scanning ....
I then downloaded the SQ scanning tool (for my Linux box): -
wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.5.0.2216-linux.zip
and extracted it: -
mkdir -p ~/sonarqube
cd ~/sonarqube
unzip ~/sonar-scanner-cli-4.5.0.2216-linux.zip
and added SQ to my PATH: -
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin:/root/sonarqube/sonar-scanner-4.5.0.2216-linux/bin
I had previously created a dummy "app" comprising a Dockerfile, a Go module and a Bash script: -
cd ~/Dave
ls -al
total 4032
drwxr-xr-x 3 root root 4096 Oct 6 13:23 .
drwx------ 12 root root 4096 Oct 6 13:21 ..
-rwxr-xr-x 1 root root 2068291 Oct 4 16:34 Dave
-rw-r--r-- 1 root root 121 Oct 4 16:36 Dockerfile
-rwxr-xr-x 1 root root 2034794 Oct 4 16:44 hello
-rw-r--r-- 1 root root 76 Oct 4 16:34 hello.go
-rwxr-xr-x 1 root root 32 Oct 6 13:21 hello.sh
so I was then able to run a scan: -
sonar-scanner -Dsonar.projectKey=dave_test -Dsonar.sources=. -Dsonar.host.url=http://10.0.0.10:9000 -Dsonar.login=hah82889fhqwhabe9173283
and a scan magically appeared in the SQ web UI: -
However, I did notice this message down on the right-hand side: -
Quality Profile: Use 'ShellCheck' (Shell)
I installed the plugin on the SQ server: -
but was still seeing the same "warning".
Only then did I realise that I was missing something on the "client" side i.e. from where I'm running the actual SQ scan.
I installed the requisite binary: -
apt-get install shellcheck
which shellcheck
shellcheck --version
ShellCheck - shell script analysis tool
version: 0.4.6
license: GNU General Public License, version 3
website: http://www.shellcheck.net
and re-ran the scan, which reported, in part: -
INFO: 1 source files to be analyzed
INFO: Load project repositories
INFO: Load project repositories (done) | time=23ms
INFO: 1/1 source files have been analyzed
INFO: Sensor SonarGo [go] (done) | time=418ms
INFO: Sensor ShellCheck Sensor [shellcheck]
INFO: Sensor ShellCheck Sensor [shellcheck] (done) | time=257ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=2ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=5ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=11ms
INFO: SCM Publisher No SCM system was detected. You can use the 'sonar.scm.provider' property to explicitly specify it.
INFO: CPD Executor 1 file had no CPD blocks
INFO: CPD Executor Calculating CPD for 0 files
INFO: CPD Executor CPD calculation finished (done) | time=0ms
INFO: Analysis report generated in 132ms, dir size=100 KB
INFO: Analysis report compressed in 25ms, zip size=12 KB
INFO: Analysis report uploaded in 27ms
and now my scan looks lovely: -
Yay!
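Two things from the walk-through are worth baking into the scan step itself: the ShellCheck sensor runs on the scanning host and silently reports nothing when the shellcheck binary is missing there, and the user token should not be typed as a -Dsonar.login literal on the command line, where it lands in shell history. The following script is an added example, not code from the original post or from SonarSource; it gates the scan on a usable shellcheck and reads the token from an assumed SONAR_TOKEN environment variable. The version text used to exercise the parser is constructed from the `shellcheck --version` output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight gate around the
# sonar-scanner step. The ShellCheck sensor only reports findings when a
# `shellcheck` binary is on the PATH of the machine running the scan; without
# it the scan still completes "successfully" with nothing for the Shell rules,
# so fail early rather than trust an empty result. The token is read from
# SONAR_TOKEN (assumed environment variable) instead of being typed as a
# -Dsonar.login literal, so it stays out of shell history and out of this file.
set -eu

# Constructed sample, copied from the `shellcheck --version` output in the post.
SAMPLE_VERSION_OUTPUT='ShellCheck - shell script analysis tool
version: 0.4.6
license: GNU General Public License, version 3
website: http://www.shellcheck.net'

# Pull "major.minor.patch" out of `shellcheck --version` output.
parse_shellcheck_version() {
  printf '%s\n' "$1" | sed -n 's/^version: *\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Numeric, component-wise comparison of dotted versions; returns 0 when $1 >= $2.
# (Plain string comparison would rank 0.10.0 below 0.9.0.)
version_ge() {
  _a="$1." _b="$2."
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _a=${_a#*.}
    _y=${_b%%.*}; _b=${_b#*.}
    [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
    [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
  done
  return 0
}

# Fail loudly unless shellcheck is on the PATH and at least version $1.
require_shellcheck() {
  _min=${1:-0.4.6}
  if ! command -v shellcheck >/dev/null 2>&1; then
    echo "preflight: shellcheck not on PATH; the ShellCheck sensor would report nothing" >&2
    return 1
  fi
  _have=$(parse_shellcheck_version "$(shellcheck --version)")
  if [ -z "$_have" ] || ! version_ge "$_have" "$_min"; then
    echo "preflight: shellcheck '$_have' is older than the required $_min" >&2
    return 1
  fi
}

# Run the scanner with the post's own property names; the token comes from the
# environment rather than a literal on the command line.
run_scan() {
  : "${SONAR_TOKEN:?export a SonarQube user token as SONAR_TOKEN}"
  sonar-scanner \
    -Dsonar.projectKey="$1" \
    -Dsonar.sources="$2" \
    -Dsonar.host.url="$3" \
    -Dsonar.login="$SONAR_TOKEN"
}

main() {
  require_shellcheck 0.4.6
  run_scan "$@"
}

# Usage: SONAR_TOKEN=... sh preflight-scan.sh dave_test . http://10.0.0.10:9000
# Guarded so the functions can also be sourced without starting a scan.
if [ $# -eq 3 ]; then
  main "$@"
fi
```

The minimum version is a knob, not a recommendation: 0.4.6 is simply what the Ubuntu package above provided. The point of the gate is that a missing analyzer on the client turns a clean dashboard into a false negative, which no amount of server-side plugin installation fixes.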