Sonar Cloud Integration with Maven for Continuous Code Quality & Code Security.

Michael Mensah
Mar 1, 2022


This project focuses on SonarCloud as a code quality assurance tool that collects and analyzes source code and reports on the code quality of the project. This is achieved by integrating the SonarCloud plugin into pom.xml and running the mvn package command.

Launch an EC2 instance named Maven Build Server.

Download Maven from the Apache website with the command wget https://dlcdn.apache.org/maven/maven-3/3.8.4/binaries/apache-maven-3.8.4-bin.zip, then unzip the file with the command unzip apache-maven-3.8.4-bin.zip. Once that is done, change into the apache-maven-3.8.4 directory with cd apache-maven-3.8.4/ and then into its bin directory with cd bin/. The bin directory contains the mvn executable that will be used for the build process.

Before moving on with the build process, the JDK has to be downloaded and installed. Search with the command yum search java, look for java-1.8.0-openjdk-devel (the OpenJDK implementation of the Java platform), and install it with the command yum install java-1.8.0-openjdk-devel.

After the Java installation is done, verify it with the command java -version to check the JDK version that will be used for the project, and with the command ./mvn --version to check the Maven version.

Now that that is out of the way, we move on to Git as the version control system for pulling and pushing code between the remote repo and our local repo. Install Git with the command yum install git -y. Then pull the code by cloning the Java source code from the remote repo. In my case the remote repo I pull my Java source code from is Bitbucket, using the command git clone followed by the URL of the remote repo.

After the Java source code has been pulled from the remote repo, the next step is to initiate the build process with the command /opt/apache-maven-3.8.4/bin/mvn package. My build failed.

My build failed because the build process has to be initiated in the Java source code directory where the pom.xml file is, using the command /opt/apache-maven-3.8.4/bin/mvn package. After running the build in that directory, the build was SUCCESSFUL.

Once the build process is done, you can see the .jar artifact in the target folder.

After the build process is done and the build is SUCCESSFUL, the next step is to set up SonarCloud for continuous code quality and code security. Go to the website https://sonarcloud.io/

When you log in to SonarCloud, create an organization manually. An organization is a space where a team or a whole company can collaborate across many projects. My organization is mensahcloudproject.

After creating an organization, create a project that will analyze your code.

After the project is created, select the analysis method for the build. In my case it is Maven.

After selecting Maven as the analysis method for the build, SonarCloud shows the plugin configuration and the steps for integrating the plugin into pom.xml.

First, use the export command to configure the SONAR_TOKEN environment variable: add the token value and press ENTER. The token is a credential, so it lives in the environment of the build server rather than in pom.xml.

Update the pom.xml file with the following SonarCloud properties and plugin configuration.

After adding the properties to the properties section of the pom.xml file with the Vim editor (vi pom.xml), run the following command in the project folder in the terminal: /opt/apache-maven-3.8.4/bin/mvn verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=mensahcloudprojectmaven

The build process FAILED after integrating the SonarCloud settings and running the code quality analysis. The build failed because the Java runtime only recognizes class file versions up to its own level, which means the SonarCloud scanner is not compatible with JDK 1.8.0; it is compatible with JDK 11.

Remove JDK 8 with the command yum remove java-1.8.0-openjdk* and install JDK 11 with the command amazon-linux-extras install java-openjdk11, then check the JDK 11 version.

After JDK 11 is installed, run the SonarCloud integration again. The build process with the integration was SUCCESSFUL.
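As an added example (not the article's own script), the following POSIX shell pre-flight script ties the steps above together: it parses the text printed by java -version to confirm the JDK is 11 or newer before the scanner runs (the failure mode hit above on JDK 1.8.0), confirms SONAR_TOKEN is present in the environment rather than in pom.xml, emits the SonarCloud entries for the pom.xml properties section, and composes the scan command. The sample java -version outputs are constructed; the 11-or-newer threshold is taken from the article's own failure and fix; sonar.organization, sonar.host.url and sonar.projectKey are standard scanner property names; and the organization and project key values are the ones used on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks for the SonarCloud scan described in the article.
# This is not the article's own script. Assumptions: the sonar-maven-plugin needs
# JDK 11 or newer (the article's scan failed on JDK 1.8.0 and passed on JDK 11),
# and the token is supplied only through the SONAR_TOKEN environment variable.

# Extract the major Java version from the text printed by `java -version`.
# Handles the old scheme "1.8.0_312" (major = 8) and the new scheme "11.0.14" (major = 11).
java_major_version() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$ver" in
        1.*) printf '%s\n' "$ver" | cut -d. -f2 ;;
        *)   printf '%s\n' "$ver" | cut -d. -f1 ;;
    esac
}

# Succeed (exit 0) when the JDK is new enough for the scanner, fail (exit 1) otherwise.
jdk_ok_for_sonar() {
    major=$(java_major_version "$1")
    [ -n "$major" ] && [ "$major" -ge 11 ]
}

# Succeed when a token is present in the environment. The token is a credential:
# it is read from the environment and never written into pom.xml or committed.
sonar_token_present() {
    [ -n "${SONAR_TOKEN:-}" ]
}

# Print the <properties> entries for pom.xml. sonar.organization, sonar.host.url and
# sonar.projectKey are standard SonarCloud scanner properties; $1 is the organization,
# $2 the project key.
sonar_pom_properties() {
    cat <<EOF
<sonar.organization>$1</sonar.organization>
<sonar.host.url>https://sonarcloud.io</sonar.host.url>
<sonar.projectKey>$2</sonar.projectKey>
EOF
}

# Compose the scan command line used in the article: $1 is the mvn path, $2 the project key.
sonar_scan_cmd() {
    printf '%s' "$1 verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=$2"
}

# Run all checks against a captured `java -version` text and explain any failure.
preflight() {
    ok=0
    if jdk_ok_for_sonar "$1"; then
        echo "JDK check passed: major version $(java_major_version "$1")"
    else
        echo "JDK check failed: scanner needs JDK 11+, found major version $(java_major_version "$1")"
        ok=1
    fi
    if sonar_token_present; then
        echo "SONAR_TOKEN is set"
    else
        echo "SONAR_TOKEN is not set: export it before running the scan"
        ok=1
    fi
    return $ok
}

# Constructed sample outputs of `java -version` for the two JDKs the article installed.
JAVA8_SAMPLE='openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-b07)'
JAVA11_SAMPLE='openjdk version "11.0.14" 2022-01-18 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.14+9-LTS)'

# Demonstration on the constructed samples; failures are reported, not fatal, here.
for sample in "$JAVA8_SAMPLE" "$JAVA11_SAMPLE"; do
    preflight "$sample" || true
done
sonar_pom_properties mensahcloudproject mensahcloudprojectmaven
sonar_scan_cmd /opt/apache-maven-3.8.4/bin/mvn mensahcloudprojectmaven
echo
```

On a real build server, call preflight with the live output, preflight "$(java -version 2>&1)", because java prints its version banner to stderr, and only run the composed scan command when preflight succeeds; that turns the class-file-version failure seen above into a clear message before the scanner starts.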

After integrating SonarCloud into pom.xml and the build process succeeding, I head over to my SonarCloud console to check and review the analysis based on the code check and code quality. As you can see in the report, the green A means the code has no bugs, no code smells, no vulnerabilities, etc.

Conclusion — SonarCloud is a good tool for continuous checking of code quality and code security.
