SonarQube DeepScan Plugin

DeepScan provides a SonarQube plugin enabling in-depth analysis for JavaScript and TypeScript in your SonarQube platform.

System Requirements

Operating System

  • Windows
  • Linux

SonarQube

  • Version 6.7 and above

Java

  • Oracle JRE 8 and above
  • OpenJDK 8 and above

Installation

Let's say you installed SonarQube in /etc/sonarqube.

Installing the plugin

Copy the SonarQube DeepScan plugin into the SonarQube plugins directory and restart the SonarQube server.

cp sonar-deepscan-plugin-x.x.x.jar /etc/sonarqube/extensions/plugins

When the SonarQube server is back up, log in with an administrator account; the plugin is listed in Administration > Marketplace.
(Screenshot: Marketplace)

Registering the license

A license key is required to run the SonarQube DeepScan plugin. If no valid license key is registered, license errors occur when the SonarQube analysis is executed.

In the DeepScan tab of Administration > Configuration > General Settings > Licenses, enter the license key in the License field and save.
(Screenshot: License)

Setting the default Quality Profile

Once installed, go to Quality Profiles; the DeepScan way quality profile is listed under JavaScript.

However, it is not the default profile, so DeepScan rules are not applied when JavaScript projects are analyzed. You can assign the profile to each project separately, or set DeepScan way as the default so that it applies to all projects.

To set the default quality profile, log in with administrator permissions and click the Set as Default menu on the right of the profile.
(Screenshot: Set as Default)

Click the number under Rules to view the list of DeepScan rules.
(Screenshot: DeepScan Rules)

Upgrading

Delete the existing plugin and follow the installation process above with the new plugin file. Remove the old jar before copying the new one in: SonarQube will not start when two versions of the same plugin are present in the plugins directory.

SonarQube applies the DeepScan rules newly added in the upgraded plugin to the DeepScan way profile.

However, if you use your own profile that modifies the previous DeepScan profile (for example, by changing a severity), the new rules are not activated in it automatically. Click the Activate More button and activate them:

  1. Select Repository > DeepScan in the left panel.
  2. In the list of rules on the right, click the Activate button for each rule to activate.
(Screenshot: Activate Rules)
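The installation and upgrade steps above, as an added shell example that is not part of the DeepScan plugin or its documentation. It assumes the /etc/sonarqube layout used on this page and that the plugin jar is named sonar-deepscan-plugin-<version>.jar; the SONARQUBE_HOME variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the DeepScan docs. Installs or upgrades the DeepScan plugin
# by replacing any jar of the same plugin already in the plugins directory.
# SONARQUBE_HOME is an assumed variable; it defaults to /etc/sonarqube as on this page.

plugins_dir() {
    printf '%s\n' "${1:-${SONARQUBE_HOME:-/etc/sonarqube}/extensions/plugins}"
}

# installed_deepscan_versions [PLUGINS_DIR]
# Prints the version of every DeepScan plugin jar found in PLUGINS_DIR, one per line.
installed_deepscan_versions() {
    dir=$(plugins_dir "$1")
    for f in "$dir"/sonar-deepscan-plugin-*.jar; do
        [ -e "$f" ] || continue
        basename "$f" | sed 's/^sonar-deepscan-plugin-\(.*\)\.jar$/\1/'
    done
}

# install_deepscan_plugin NEW_JAR [PLUGINS_DIR]
# Removes the DeepScan jar(s) already installed, then copies NEW_JAR in.
# Returns 1 without touching anything if NEW_JAR is missing or not a DeepScan jar.
install_deepscan_plugin() {
    jar="$1"
    dir=$(plugins_dir "$2")
    case "$(basename "$jar")" in
        sonar-deepscan-plugin-*.jar) ;;
        *) echo "not a DeepScan plugin jar: $jar" >&2; return 1 ;;
    esac
    [ -f "$jar" ] || { echo "no such file: $jar" >&2; return 1; }
    mkdir -p "$dir"
    # SonarQube refuses to start when two versions of one plugin are present,
    # so the old jar has to go before the new one is copied in.
    for old in "$dir"/sonar-deepscan-plugin-*.jar; do
        [ -e "$old" ] || continue
        rm -f "$old"
    done
    cp "$jar" "$dir"/ || return 1
    echo "installed $(installed_deepscan_versions "$dir"); restart the server to load it" >&2
}

# Usage (the restart command is SonarQube's own Linux start script):
#   install_deepscan_plugin ./sonar-deepscan-plugin-1.2.3.jar \
#       && /etc/sonarqube/bin/linux-x86-64/sonar.sh restart
```

The same function serves a first installation (no old jar is present) and an upgrade (the old jar is deleted first), so the plugins directory never holds two versions.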

Uninstalling

You can delete an existing plugin in two ways.

  • Delete the plugin file from the plugins directory and restart the SonarQube server.
  • In Administration > Marketplace, click the Uninstall button that appears to the right of the installed DeepScan plugin.

(Screenshot: Uninstall)

Analysis

Analyzing a project

SonarQube consists of a SonarQube server (providing the database and dashboard) and the SonarQube Scanner (a tool that analyzes the code and sends the results to the server).

So, to analyze your project, run the SonarQube Scanner.

Let's say you installed the SonarQube Scanner in ~/sonar-scanner.

  1. Create a sonar-project.properties file in the project folder to analyze. (If you use a build tool such as Maven or Gradle, use that tool's SonarQube integration instead.)
  2. Run the following command in the project folder.
    ~/sonar-scanner/bin/sonar-scanner
  3. After the analysis completes, the results are sent to the SonarQube server.
  4. Browse the results in the SonarQube dashboard.

An example sonar-project.properties file is shown below. It assumes that:

  • Source files are located in the src folder.
  • The SonarQube server is at http://sonar.deepscan:9000 and the login account is "deepscan".
  • The project is displayed as "wordswarm-web" in the dashboard.
  • The src/examples and src/vendors folders are excluded from the analysis.
# Required metadata
sonar.projectKey=wordswarm
sonar.projectName=wordswarm-web
sonar.projectVersion=1.0

# SonarQube server url
sonar.host.url=http://sonar.deepscan:9000

# SonarQube account if authentication is required.
# Prefer a user token in sonar.login (with no sonar.password), passed on the
# command line as -Dsonar.login=<token> or injected by the CI system, rather
# than committing a password in this file.
sonar.login=deepscan
sonar.password=deepscan

# Comma-separated paths to directories with sources (required)
sonar.sources=src

# Comma-separated modules
#sonar.modules=module1
#module1.sonar.sources=src

# Comma-separated paths to exclude (** also matches subfolders;
# a single * only matches files directly inside the folder)
sonar.exclusions=src/examples/**,src/vendors/**

# Language
sonar.language=js

# Encoding of sources files
sonar.sourceEncoding=UTF-8
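Running the scanner without committing credentials, as an added example that is not from the DeepScan docs or the scanner itself: instead of sonar.login/sonar.password in the properties file above, a SonarQube user token (generated under My Account > Security) is passed from the environment. The SONAR_TOKEN and SONAR_SCANNER variable names and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the DeepScan docs. Runs the SonarQube Scanner with a user token
# taken from the environment and refuses to run if a login or password was committed in
# the properties file. SONAR_TOKEN and SONAR_SCANNER are this example's own variable names.

# has_committed_credentials FILE
# Succeeds (returns 0) if FILE sets sonar.login or sonar.password; commented-out
# lines such as "#sonar.password=..." are ignored.
has_committed_credentials() {
    grep -Eq '^[[:space:]]*sonar\.(login|password)[[:space:]]*=' "$1"
}

# run_scan [PROPS_FILE] [extra sonar-scanner arguments...]
run_scan() {
    props="${1:-sonar-project.properties}"
    [ $# -gt 0 ] && shift
    scanner="${SONAR_SCANNER:-$HOME/sonar-scanner/bin/sonar-scanner}"
    if has_committed_credentials "$props"; then
        echo "refusing to run: sonar.login/sonar.password found in $props; use a token instead" >&2
        return 1
    fi
    if [ -z "$SONAR_TOKEN" ]; then
        echo "SONAR_TOKEN is not set (generate a token under My Account > Security)" >&2
        return 1
    fi
    # A token is passed as sonar.login with no sonar.password, so nothing secret
    # is stored in the repository or in the properties file.
    "$scanner" -Dproject.settings="$props" -Dsonar.login="$SONAR_TOKEN" "$@"
}

# Usage from the project folder, with the token injected by the CI system:
#   SONAR_TOKEN=... run_scan sonar-project.properties
```

The credential check runs before the scanner so that a properties file carrying a password fails the build instead of quietly shipping the password to every clone of the repository; a token can be revoked on the server without changing the account password.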

Properties

Properties for the SonarQube analysis can be set in the sonar-project.properties file or passed as -Dkey=value arguments when running the SonarQube Scanner.

The general properties are as follows (O = required). Refer to the SonarQube documentation for more details.

Property               Required  Description
sonar.projectKey       O         Unique project ID
sonar.projectName                Project name
sonar.projectVersion             Project version
sonar.host.url                   Server URL
sonar.login                      Login account, or a user token (preferred: a token needs no sonar.password and can be revoked on the server)
sonar.password                   Login password
sonar.sources          O         Comma-separated folders of JavaScript sources
sonar.modules                    Comma-separated modules (deprecated since SonarQube 7.6; see the note below)
sonar.exclusions                 Comma-separated files or folders to exclude, relative to the project folder. See the SonarQube documentation for the pattern syntax.
sonar.language                   Language of source files: js for JavaScript/TypeScript (see Analysis Target); leave unset for a multi-language project
sonar.sourceEncoding             Encoding of source files
sonar.deepscan.enable            Whether to run DeepScan. If it is set to false and an analysis is run, all previously detected DeepScan issues are marked as fixed.

Note on sonar.modules: it can be combined with the project's own sonar.sources property, but DeepScan stores results only for the module values, not for the project level. Therefore, when you use sonar.modules, configure only the modules, for example:

sonar.modules=module1
module1.sonar.sources=src
module1.sonar.projectName=test_module
module1.sonar.projectBaseDir=/home/deep_test

Analysis Target

DeepScan analyzes the following JavaScript and TypeScript files:

  • JavaScript: *.js, *.jsx
  • TypeScript: *.ts, *.tsx
  • Vue.js: *.vue
  • ES6 Modules: *.mjs

However, the SonarQube DeepScan plugin is limited by the file suffix settings on the server: files whose suffix is not configured there are not analyzed. Specify the suffixes you want as follows:

  1. Set the language of the analysis to js (sonar.language=js).
  2. Specify the file suffixes for JavaScript on the server: in Administration > General Settings > JavaScript, set File Suffixes to .js,.jsx,.ts,.tsx,.vue,.mjs.

(Screenshot: File Suffixes)
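A check for the suffix limitation above, as an added example that is not part of the plugin: it lists the file suffixes present under a source folder that the server's File Suffixes setting does not cover, so you can see what DeepScan will skip before running the analysis. The function name, and the skipping of node_modules and bower_components (mirroring the plugin's default exclusions described later on this page), are this example's own.

```shell
#!/bin/sh
# Added example, not from the DeepScan docs. Reports which file suffixes under a source
# folder are NOT in the server's JavaScript File Suffixes setting, i.e. which files the
# DeepScan plugin will skip. node_modules and bower_components are ignored, matching
# the plugin's default exclusions.

# list_uncovered_suffixes SRC_DIR SUFFIX_LIST
# SUFFIX_LIST is the comma-separated server value, e.g. ".js,.jsx,.ts,.tsx,.vue,.mjs"
# (spaces after commas are tolerated). Prints each uncovered suffix once, sorted;
# prints nothing when every suffix found is covered.
list_uncovered_suffixes() {
    dir="$1"
    covered=",$(printf '%s' "$2" | tr -d ' '),"
    find "$dir" -type f -name '*.*' \
        ! -path '*/node_modules/*' ! -path '*/bower_components/*' \
        | sed 's/.*\(\.[^./]*\)$/\1/' \
        | sort -u \
        | while read -r suffix; do
            case "$covered" in
                *",$suffix,"*) ;;                 # configured on the server
                *) printf '%s\n' "$suffix" ;;     # will not be analyzed
            esac
        done
}

# Usage, with the suffix list copied from Administration > General Settings > JavaScript:
#   list_uncovered_suffixes src ".js,.jsx"
#   (prints .ts and .vue if such files exist under src)
```

Run it against the same folder you put in sonar.sources; an empty result means the server setting covers every suffix the project actually uses.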

Exclusion

The following files are not analyzed by default by the plugin:

  • All files under node_modules and bower_components directories.
  • Minified files: *.min.js, *-min.js, *_min.js, or any file whose average line length is greater than 200.
  • *.js files generated from TypeScript files.
  • Files over 30,000 lines.
  • Files over 1.5 MB in size.
  • Lines longer than 400 characters.

CI Integration

The SonarQube Scanner can be run in various environments such as Jenkins, Maven, and Gradle.

Refer to the SonarQube documentation and configure it according to your workflow.

Rule Set

You can find all of the DeepScan rules in Quality Profiles > JavaScript > DeepScan way.

Category

The categories of DeepScan rules correspond to SonarQube issue types as below:

DeepScan       SonarQube
Error          BUG
Code Quality   CODE_SMELL

Severity

The impacts of DeepScan rules correspond to SonarQube severities as below:

DeepScan   SonarQube
High       CRITICAL
Medium     MAJOR
Low        MINOR

Note that the severity of an issue follows the severity of the corresponding rule, not the impact DeepScan assigned to the individual finding.

For example, DeepScan reports the CONSTANT_CONDITION rule with Medium or Low impact depending on the context, but every issue from it gets the single severity defined for the rule on the SonarQube server (MINOR). This is because in SonarQube the severity of an issue is a property a user can change, so it is taken from the rule rather than computed per issue.

Changing the Issue Severity

Developers and reviewers can change the severity of an issue according to their context or priority.

You can change it to any severity directly on the detected issue. Below is an example of changing an issue from Critical to Major severity.
(Screenshot: Severity)

Changing the Rule Severity

To change the severity of a rule itself, create a profile derived from the DeepScan profile and change it there.

A child profile inherits the rules of its parent profile and can set different severities for them. However, it cannot deactivate an inherited rule.

Below is an example of creating a child profile to change a rule severity.

  1. Create a new JavaScript profile by clicking Quality Profiles > Create. Enter a name and click Create.
    (Screenshot: Create a new JavaScript profile)
  2. Click the Change Parent button of the newly created profile and set the parent profile to DeepScan way.
    (Screenshot: Change parent)
  3. All the rules of DeepScan way are inherited. Click the rule to modify.
  4. In the rule details, change the rule severity by clicking the Change button and selecting a new severity.
    (Screenshot: Change the rule severity)
  5. Assign the newly created profile as the project's JavaScript profile through the project menu Administration > Quality Profiles.
    (Screenshot: Reanalyze)
  6. Then analyze the project again.

Changing the Rule Set

If you want to exclude some DeepScan rules, note that a child profile cannot deactivate rules inherited from the DeepScan profile. Instead, either copy the DeepScan way profile (Copy in the profile menu) and deactivate the unwanted rules in the copy, or create a new empty profile and activate only the rules you need.

Below is an example of creating a new profile and adding the rules to apply:

  1. Create a new profile by clicking Quality Profiles > Create.
  2. Click the Activate More button of the newly created profile.
  3. Click Repository on the left and select "DeepScan".
  4. Click the Activate button for each DeepScan rule to apply.

Dashboard

Measures

Measure                 Description
Analyzed Code Lines     Lines of code (number of lines excluding comment and blank lines)
Analyzed Total Lines    Total number of lines
Files                   Number of files analyzed
High Impact             Number of issues with high impact
Medium Impact           Number of issues with medium impact
Low Impact              Number of issues with low impact
Issues                  Number of all issues
Rating                  A grade DeepScan assigns to represent the quality status of the project. For more information, refer to Grade Rating.