SonarQube Plugin

• Windows
• Linux

• Version 7.9 and above

• Oracle JRE 8 and above
• OpenJDK 8 and above

Copy the SonarQube DeepScan plugin into the SonarQube plugins directory and restart the SonarQube server.

cp sonar-deepscan-plugin-x.x.x.jar /opt/sonarqube/extensions/plugins

When the SonarQube server is up and you log in with an administrator account, you will see the plugin information in Administration > Marketplace.

A license key is required to run the SonarQube DeepScan plugin. If a valid license key is not registered, license errors will occur when executing the SonarQube analysis.

In DeepScan tab of Administration > Configuration > General Settings > Licenses, enter and save the license key in the License field.

Once installed, you can go to Quality Profiles and see the DeepScan way quality profile under JavaScript and TypeScript.

However, it is not the default profile so DeepScan does not apply when analyzing JavaScript/TypeScript projects. You can set the project's quality profile separately, but if you set the DeepScan way as the default one, then it will apply to all the projects.

To set the default quality profile, log in with administrator permissions and click Set as Default menu on the right of the profile. This should be applied for each of JavaScript and TypeScript languages.

When you click the Rules column value of DeepScan way, you can view the list of DeepScan rules.

Delete the existing plugin and follow the above installation process with the new plugin file.

SonarQube apply the newly added DeepScan rules in the upgraded plugin.

However, if you have used a new profile which modifies the previous profile (such as a severity), click Activate More Rules button to activate more rules.

Now, you are in the Rules tab, where you can select rules to activate as follows:

1. Select Repository > DeepScan in the left panel.
2. In the list of rules on the right, click Activate button for the rule to activate.

You can delete an existing plugin in two ways.

• Delete the plugin file from the plugins directory and restart the SonarQube server.
• In Administration > Marketplace, click Uninstall button that appears at the right of the installed DeepScan plugin.

SonarQube consists of a SonarQube server (providing a database and dashboard) and a SonarQube Scanner (a tool analyzing codes and sending the results to the server).

So, to analyze your project, run the SonarQube Scanner.

Let's say you installed SonarQube Scanner in ~/sonar-scanner.

1. Create a sonar-project.properties file in the project folder to analyze. (If you use other tools such as Maven, just follow the ways of those)
2. Run the following command in the project folder.

   ~/sonar-scanner/bin/sonar-scanner

3. After the analysis is completed, the results are sent to the SonarQube server.
4. Browse the results at the SonarQube.

An example of sonar-project.properties file is as follows:

• Source files are located in the src folder.
• SonarQube server is at http://sonar.deepscan:9000 and login account is "deepscan".
• Display the project as "wordswarm-web" in the dashboard.
• Exclude src/examples and src/vendors folders from the analysis.

# Required metadata
sonar.projectKey=wordswarm

# Optional project properties
sonar.projectName=wordswarm-web
sonar.projectVersion=1.0

# SonarQube server url
sonar.host.url=http://sonar.deepscan:9000

# SonarQube account if authentication is required
sonar.login=deepscan
sonar.password=deepscan

# Comma-separated paths to directories with sources (optional)
sonar.sources=src

# Comma-separated paths to exclude
sonar.exclusions=src/examples/*,src/vendors/*

# Encoding of sources files
sonar.sourceEncoding=UTF-8

Properties for the SonarQube analysis can be set in sonar-project.properties file or -Dkey=value arguments when running the SonarQube Scanner.

The general properties are as follows. You can refer a SonarQube documentation for more details.

DeepScan analyzes the following JavaScript and TypeScript files:

• JavaScript: *.js, *.jsx
• TypeScript: *.ts, *.tsx
• Vue.js: *.vue
• ES6 Modules: *.mjs

The following files are not analyzed by default in the plugin:

• All files under node_modules and bower_components directory.
• Minified file: *.min.js, *-min.js, *_min.js or when average line length is greater than 200.
• Automatically generated *.js files from TypeScript files.
• Files over 30,000 lines.
• Files over 1.5 MB in size.
• Lines with length greater than 400.

SonarQube Scanner can be run in the various environments such as Jenkins, Maven, and Gradle.

You can refer a SonarQube documentation and configure it according to your workflow.

DeepScan internally applies the same rules for JavaScript/TypeScript files. However, SonarQube separates them into different languages. So, one DeepScan rule corresponds to SonarQube rules for JavaScript and TypeScript. For example, the INSUFFICIENT_NULL_CHECK rule corresponds to SonarQube rules as below:

• deepscan-js:INSUFFICIENT_NULL_CHECK
• deepscan-ts:INSUFFICIENT_NULL_CHECK

The categories of DeepScan rules correspond to SonarQube as below:

The impacts of DeepScan rules correspond to the severities of SonarQube as below:

Note that the severity of an issue follows the severity of the corresponding rule.

For example of CONSTANT_CONDITION rule, DeepScan detects it as Medium or Low impacts depending on the context, but all issues have a MINOR severity defined in the SonarQube server. This is because the issue should have the severity which can be changed by a user.

Developers and reviewers can configure the issue severity depending on their context or priority.

You can change it to any severity for each detected issue. Below is an example of changing the severity from Major to Minor.

When you want to change the rule severity itself, you need to create a profile derived from DeepScan way profile and change it.

A child profile inherits the rules of the parent profile and can set different severities. However, you can not deactivate a rule.

Below is an example of creating a child profile to change the rule severity.

1. Create a new profile inheriting DeepScan way by clicking Quality Profiles > Create button.
   
2. All the rules of DeepScan way are inherited. Click on the rule to modify.
3. In the rule details, you can change the rule severity by clicking Change button and set a new severity. Below is an example of changing Minor severity to Major:
   
4. Set the project's JavaScript profile to a newly created one through the project menu Project Settings > Quality Profiles.
   
5. Then analyze the project again.

If you want to exclude some DeepScan rules, you can copy DeepScan way profile and deactivate unwanted rules, or create an empty profile and add only the rules you need.

Below is an example of creating an empty profile and adding rules having CRITICAL and MAJOR severities:

1. Select Create a blank quality profile after clicking Quality Profiles > Create button.
2. Select Activate More button of the newly created profile.
3. Select Repository > DeepScan in the left panel.
4. Select Default Severity > Critical in the left panel.
5. Additionally select Default Severity > Major in the left panel with Ctrl + click.
6. Click Bulk Change button at the top to add the selected rules to the new profile.