AVIO Consulting

Measuring Code Quality with SonarQube

Jul 9, 2015 | ADF

For the most part, every project has tasks related to code quality and software metrics. This process is usually hard to understand, tedious, and subjective to what the person reviewing the code believes is quality code. The project may compile and run as required, but developers will always ask “did we do it right?”.

Traditional testing methods rely on either the programmer or end user to identify and report bugs. This is only a piece of the puzzle as some issues are not apparent immediately. Generally, when a user reports “it is getting slow, so we had to restart” it could mean anything and restarting a server simply masks the issue.

Fortunately, there are tools such as PMD, FindBugs, HP Fortify, and SonarQube that help developers manage code quality and provide feedback on potential issues, duplicate code, and technical debt acquired. Most of the tools focus primarily on bugs and bad practices. On paper, SonarQube seems to provide a more comprehensive approach; they focus not only on bugs but also on documentation, architecture, duplication and test coverage. SonarQube is a free and open source platform used to measure code quality. It gives you a moment-in-time snapshot of your code quality as it is today as well as trending and lagging data. The best part is that it is easily integrated into JDeveloper and you can scan any type of project (SOA, Spring, JAXB, ADF, etc).

SonarQube, in theory, can scan projects written in many different programming languages including Java, C#, JavaScript, XML, and PHP. More on the languages supported can be found here. It sounds pretty amazing and easy to use, so I decided to take it for a spin to see how potentially useful it could be within FMW.

Scanning Code: Execution and Output

Although this can be run from within JDeveloper, I analyzed it using Maven which will compile and scan the code with a single command. I ran the scan using a command window. Simply navigate to your project root and enter ‘mvn sonar:sonar’. The command will first compile your solution and then will perform the scan. Once it is done, you can go to the dashboard to see the results.

The scan gives you a snapshot of your current solution. The overview includes lines of code, number of files, complexity, duplicate code, rating and a calculated technical debt percentage.

Execution and Output

The dashboard has a lot of widgets that you can easily customize to show different types of metrics to suit your needs (i.e number of issues, complexity, code coverage etc). In addition, you can track multiple projects on the same dashboard and get combined metrics for all. I ran a scan for a SOA project, a simple Java-Spring app, and a more complex Java Restful web service.

dashboard view

You can see a predefined dashboard here.


The Verdict

Measuring software quality is still a pretty hard task to quantify. SonarQube tries to use existing tools, metrics and wrap them up on a dashboard that can make issues and software metrics easier to understand and somewhat quantifiable.

The plug in is flexible enough to allow multiple languages to be scanned as well as integrate with Maven and Jenkins. However, it is not a silver bullet. It does a good job scanning your Java code, but I did not find it as good as advertised when it comes to SOA/BPM projects. It does well for ADF projects on the Java code including managed beans and other POJOs you may have. JAX-WS/JAX-RS projects seem to be the ideal candidates to take full advantage of all SonarQube’s capabilities. However SOA, BPM/BPEL, HTML, and XSLTs are a different story.

On all my scans, I did not get any meaningful metrics on complexity and quality. SonarQube does scan XML but it only performs static validations such size and schema validation. The issue with such a basic approach in the BPM/BPEL world is the xml underlying the process isn’t managed by hand.  Therefore, it can be very verbose even when the process itself may be very simple. Nevertheless, SonarQube has a Google group where people can propose new plugins and enhancements. There is already a proposal to develop a plugin that would count activities, transformations, decisions and service references in order to get accurate and meaningful data on SOA projects that include BPEL and BPM processes.

The dashboard is pretty comprehensive. You can deep dive on any on the menus and widgets, scan sections of the code, change the parameters for calculating technical debt and complexity as well as change the look and feel. In addition, it can store the results of each scan on a database and provide historical metrics on any category; Couple that with the ability to interact with Maven and Jenkins (on paper) and you got a solid platform that will give you some context and metrics on code quality

The installation is straight forward and I’ve included the steps below:

Installation of SonarQube: JDeveloper plugin and SonarQube Service

  1. Get the plug-in for JDeveloper: It is not necessary but it makes changing settings and running scans easier. In JDeveloper 12c, go to help → check for updates, include the checkbox for Open Source and Partners Extensions and locate SonarQube. Click next and install it.




  1. Install and Configure SonarQube

    SonarCube can be set up as a startup service. This way it automatically starts whenever you reboot. The service allows you to load up the dashboard to see the reports generated by the scan as well as configure the database to store the results of each scan.

    • Download and install the files here. Make sure to get the newest version for your platform

    • Step by step installation can be found in screencast. The process is pretty simple and by the end of the installation you should be able to load up the Sonar dashboard home page in your localhost.

    • The default url is: https://www.avioconsulting.com/:9000 and default login credentials are admin/admin

    • You should also be able to see sonarQube as an option on JDeveloper when you right click on any project


select SonarQube


  1. Additional Options: There are a few additional features available on this plug in.


    • On JDeveloper go to Tools–Preferences and you will see an option for SonarQube.

    • You can change host settings

    • Store results on the database. This will give you a historical view of the scans made in the past as well as the progress on defects and technical debt incurred. The database setup requires a couple of additional steps such as creating tables and users. Details on installing and setting the database can be found here

    • Analyze using Maven, SonarQube runner or Ant. If you are an Ant-build or plan on using SonarQube runner you would need to download an additional library and place it in the lib directory in the ant installation. More details on both can be found in their Wiki. If you already use Maven, then you are in luck as no extra libraries are needed.

SonarQube is a decent alternative to measure code quality. It provides metrics on code standards, keeps track of code progress, is able to scan all sorts of code ranging from sql to java to html and it is very easy to install and use on JDeveloper. Nevertheless, for SOA or BPM projects it provides little insight and does not really measure true complexity. At the end of the day, code quality is still an inexact science and while imperfect, SonarQube takes a good crack at it by giving you real numbers and good looking dashboards.