In an effort to better understand some of the problematic areas of the C# codebase I work on, I recently set up an instance of the SonarQube code analysis platform. SonarQube was originally written for Java analysis and later added C# support. This posting walks you through my experience attempting to set up, configure and run the analysis.
Note: SonarQube changed its name from “Sonar” in mid-2013, so older references to this posting may use the old name.
I periodically update this post to reflect changes with newer versions of the tools. Most recent update was 9/5/2013 based on a fresh install of SonarQube v3.7.
I’ve also written a SonarQube plugin to use ReSharper as a source for quality metrics. Once you have your SonarQube instance up and running for your .NET project, see my post SonarQube .Net ReSharper Beta Release for details on importing ReSharper results into SonarQube.
So why did I even do this? Once up and running, SonarQube provides some useful metrics for pointing out hotspots in your code that may be making it more difficult to maintain and extend your functionality. Through the web interface, you can drill down on any of the metrics to the module, class, and method level, including full source code. Some of the metrics provided for each C# project include (screenshots are from the “nemo” demo site mentioned below, my own project, or other sources):
- General analysis
  - Uses several rule-based static analysis tools
    - FxCop
    - StyleCop
    - Gendarme (part of the Mono project – similar to FxCop)
  - Details and statistics, with drill-downs, on rule violations
- Cyclomatic Complexity
  - By method, class, file
- Comments:
  - Percentage of code commented
  - Percentage of public APIs that are (un)documented
- Duplication:
  - Percentage of code that is duplicated
  - Counts by duplicated lines of code, blocks, files
- Unit tests:
  - Coverage (using OpenCover, NCover, etc.)
  - Success/Failure statistics (using Gallio)
  - Time to run
- Counts:
  - Lines of code
  - Count of files
  - Count of classes
  - Count of methods

In addition, it will track changes over time, so you can see where issues are increasing/decreasing in your code.
SonarQube is open sourced under the LGPL and free to use; however, some of the plugins used to perform the analysis are only commercially available, and in some cases come with steep licensing fees. For this blog, I focus on only freely available (i.e., no fees) aspects of the product. Each of the tools I used is also freely available (FxCop, StyleCop, Gendarme, Gallio, OpenCover, MySQL — all have licenses that allow no-fee usage for most people).
There is a demo site provided by one of the commercial plugin providers to demo the system (including their not-free SQALE plugin) which shows analysis for several open-source Java projects and can give you a feel for the UI and the data that can be provided. Beware — this includes data from some of the commercial plugins, so don’t expect to see everything on that site after following this posting.
You can also reference the official installation notes.