Code Quality: Sonar, Findbugs, Checkstyle and Co.

Hi guys,

Does anyone have knowledge of code quality tools such as Findbugs, Checkstyle and SonarQube?

Is it painful to configure (rules, error levels)? I had a look at the OpenMRS SonarQube, and there are so many rules (around 450)! Can the default configuration be used, and how can metrics be used to improve code quality? Do we have to take care of warnings? How many blocker issues are used?

Is it reliable for a small team (more or less 5 devs), or is it just for huge projects (such as OpenMRS :slight_smile:)?


I’d say probably @raff is our resident expert on SonarQube. We also have some people like @sunbiz who are familiar with some things using the Checkstyle Maven module. I mentioned them here and hopefully they’ll take a look at your questions, as will some others. :wink:

1 Like

I think Checkstyle is quite easy and has excellent IDE integration. So while you are writing code, you can see what code styles you are breaking. It is useful for small teams since you can ensure everyone writes similar annotations, method signatures, variable naming conventions etc. Static code analysis tools like Findbugs and Sonar are also useful, but I feel they are useful for large projects.

Thank you @sunbiz,

I had a look at Checkstyle and I integrated it in my Maven build to generate an XML report that can be used in Jenkins. I haven’t integrated it in my IDE yet. Is using the Sun config for Checkstyle a good idea? Making a checkstyle-config.xml ourselves looks painful, no? How many rules should we have?

In my first test (without config), Checkstyle reported about 2000 issues in a project of 3000 lines of code!

SonarQube comes with ~500 rules, 99% of which I would say make sense. In OpenMRS I only switched off one of them to comply with our formatting rules. Sonar combines Findbugs, Checkstyle, Jacoco (test coverage) and possibly more. It displays all metrics in one place and keeps the history of analysis. For Sonar to work you need to set up a server that is accessible by all devs and a job in CI to run Sonar analysis. You can set quality gates, which will break your CI builds when some metrics like test coverage or blocker issues values go outside predefined levels. There are plugins for most IDEs to run Sonar incremental analysis locally by devs. Sonar is definitely useful for teams of any size and if you have CI it’s good to have Sonar as well to keep your code in good shape. It can be treated as a first pass of code review, which saves devs’ time.

1 Like
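The quality-gate idea from the post above, applied to the Checkstyle XML report mentioned earlier in the thread, as an added example that is not part of the original posts and is not SonarQube's own implementation. The sample report is constructed, and the function names and the limits (0 errors, 10 warnings) are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the Checkstyle XML report layout (not from a real build).
SAMPLE_REPORT = """<checkstyle version="8.0">
  <file name="src/main/java/demo/Login.java">
    <error line="12" column="5" severity="error" message="Missing a Javadoc comment."
           source="com.puppycrawl.tools.checkstyle.checks.javadoc.JavadocMethodCheck"/>
    <error line="30" severity="warning" message="Line is longer than 80 characters."
           source="com.puppycrawl.tools.checkstyle.checks.sizes.LineLengthCheck"/>
    <error line="41" severity="warning" message="Line is longer than 80 characters."
           source="com.puppycrawl.tools.checkstyle.checks.sizes.LineLengthCheck"/>
  </file>
  <file name="src/main/java/demo/Util.java">
    <error line="7" severity="error" message="Empty catch block."
           source="com.puppycrawl.tools.checkstyle.checks.blocks.EmptyCatchBlockCheck"/>
  </file>
</checkstyle>"""


def summarize(report_xml):
    """Count violations by severity and by rule (short check class name)."""
    by_severity, by_rule = Counter(), Counter()
    for err in ET.fromstring(report_xml).iter("error"):
        by_severity[err.get("severity", "error")] += 1
        by_rule[err.get("source", "unknown").rsplit(".", 1)[-1]] += 1
    return by_severity, by_rule


def gate(by_severity, limits):
    """Return the severities whose violation count exceeds its limit."""
    return sorted(s for s, limit in limits.items() if by_severity[s] > limit)


if __name__ == "__main__":
    sev, rules = summarize(SAMPLE_REPORT)
    # Noisiest rules first: these are the ones to tune or switch off.
    for rule, n in rules.most_common():
        print(f"{n:4d}  {rule}")
    failed = gate(sev, {"error": 0, "warning": 10})  # assumed limits
    # A non-zero exit code is what makes the CI job fail.
    raise SystemExit(1 if failed else 0)
```

The per-rule ranking is the useful part when a first run reports thousands of issues: a handful of rules usually account for most of them.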

Thank you @raff,

That sounds good :smile: We already use Jenkins for CI + some plugins like Jacoco for code coverage.

Using Sonar combined with Jenkins can probably make metrics clearer and track code quality (and team :wink:) evolution, and avoid the use of multiple Jenkins plugins (checkstyle + jacoco + findbugs + …).

I was afraid all its rules could make things complex, but you definitely reassured me by saying 99% make sense :smiley:

I didn’t know a Sonar plugin for IDEs existed; that’s a really good tip you gave me :+1: