# SonarQube -- Documentation (Draft)

:::warning
This is only the start of the documentation for Seraphin. Essentially all of the documentation for SonarQube and SonarLint already exists upstream, so this page should only cover the basics of setting up and using them at Seraphin.
:::

SonarQube is a static code analysis platform with integrated reporting through a web interface. See the [official documentation](https://docs.sonarqube.org/latest/).

You can access Seraphin's SonarQube portal at https://sonarqube.seraphin-legal.fr/. You do not need to be connected to the Seraphin VPN to use it.

## Setting up your usage of SonarQube and SonarLint

### What is SonarLint?

SonarLint is a Visual Studio extension that applies the static analysis rule set configured on a SonarQube server to flag potential bugs, code smells, vulnerabilities and so on while you code, and lets a team manage the issues it finds. You can find out more on the [Visual Studio Marketplace](https://marketplace.visualstudio.com/items?itemName=SonarSource.SonarLintforVisualStudio2022) or on the [SonarLint GitHub wiki](https://github.com/SonarSource/sonarlint-visualstudio/wiki).

:::info
The extension adds new tool windows to Visual Studio; I found them ultimately useless:

* SonarLint Issue Visualization: useless (check the docs for what it can do).
* SonarLint Security Hotspots: extremely rarely used. It points out security-sensitive code patterns that static analysis can detect; a hotspot is not a confirmed vulnerability and still needs a human review. .NET is a fairly robust platform and code-level security issues are rare, except when they are explicitly coded in.
* SonarLint Taint Vulnerabilities: useless (check the docs for what it can do). Taint analysis (tracking untrusted input to sinks such as SQL queries or file paths) is a commercial-edition feature of SonarQube, so with a Community Edition server this window stays empty.
:::

### Setting you up

* First and foremost, ask for an account on Seraphin's SonarQube: contact [Stanislas Sokolov] to create the account and assign you to your team. Once you have received your username and password, you can log in to SonarQube and access the reports for your team's projects.
* If you are a Team Leader, ask to be given the permissions needed to create projects for your team.
* Install the SonarLint extension and follow the [Connected Mode documentation](https://github.com/SonarSource/sonarlint-visualstudio/wiki/Connected-Mode) to connect Visual Studio to SonarQube. You will be asked for:
  * the SonarQube server: https://sonarqube.seraphin-legal.fr
  * your username and password. SonarLint also accepts a user token generated in SonarQube under My Account > Security; prefer the token, so that your password is not stored in the Visual Studio connection and the token can be revoked on its own.

:::warning
If the connection fails, it may crash your Visual Studio.
:::

* From there you will be able to see your team's projects and bind the solution you are currently working on. Binding adds a `.sonarlint` directory to your solution and a reference to a `SonarLint.xml` file in each of your `.csproj` files.

:::info
* The `SonarLint.xml` reference could be added once in `Directory.Build.props` instead of in every `.csproj`; when I tried it, it didn't work, so I will have to try again.
* The `.sonarlint` directory should be committed to your repository, so that the whole team shares the same binding.
:::

:::info
# Setting up SonarQube for Seraphin

**To use SonarQube properly, some decisions must be made about how it fits into the development cycle of Seraphin projects. This is out of my scope, but I can advise on some ways to do it.**

* SonarQube can homogenize coding practices and rules across the company.
  * For that to work, Seraphin's DevOps workflow would itself need to be homogenized.
* Ideally the analysis would be run in each project's CI.
  * It takes about 20 minutes on the current agents for a small project (sps-backend, for instance). It would therefore need to run only when needed, or on our own workers (like dramaqueen), which would require making those agents efficient for this task.
* Alternatively, if we only want to satisfy a client by saying we use SonarQube and showing screenshots of SonarQube's default configuration, we can run the static analysis locally and upload the results. This is simple: create a project on SonarQube and the documentation for the upload is issued to you directly.
* Limitations of the Community Edition:
  * Each project can only analyze a single branch (the project's main branch, `main` by default). This matters if we choose a trunk-based branching strategy and use release pipelines more effectively to deploy to different environments. I could go on and on about this, but the most important point is that we need to standardize a DevOps cycle proper to Seraphin.

## Brief overview of what needs to be done

* Review the current rule sets and adapt them to Seraphin's coding style.
  * Some rules could be reported as warnings, others as errors (meaning the code will not compile).
  * A lot of configuration is possible.
* Create Quality Profiles or use the default one.
  * Quality Profiles can be assigned to projects so that each project follows a specific profile.
* Create Quality Gates.
  * Quality Gates can be assigned to projects and are essentially quality thresholds to be met. Each time an analysis is uploaded, the project either passes or fails the gate. Passing the gate could be made a requirement for deploying to production, for instance.

## Reports that can be communicated to clients

* SonarQube has a built-in way to produce PDF reports that could be used to show code quality to clients, but it requires the [*Enterprise Edition*](https://www.sonarqube.org/enterprise-edition/).
* Otherwise, giving clients direct access to SonarQube is a bad idea, as issues are displayed together with the surrounding source code, so clients would be able to read it.
:::
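The CI integration and the "quality gate as a requirement for production" idea from the section above, as an added example script. It is not code from this page, from Seraphin's projects or from SonarSource: it runs `dotnet-sonarscanner` against the Seraphin portal, authenticates with an analysis token taken from a CI secret instead of a username/password, and makes the CI job fail when the quality gate fails. The project key `seraphin-example`, the `RUN_SONAR_SCAN` toggle and the 600-second timeout are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the page, Seraphin or SonarSource): a CI step that analyses
# a .NET solution with dotnet-sonarscanner and fails the job on a failed quality gate.
# Assumptions: the project key "seraphin-example" is hypothetical; SONAR_TOKEN is an
# analysis token created in SonarQube (My Account > Security) and injected as a CI
# secret; the script runs from the directory containing the .sln file.
set -euo pipefail

SONAR_HOST_URL="${SONAR_HOST_URL:-https://sonarqube.seraphin-legal.fr}"
PROJECT_KEY="${PROJECT_KEY:-seraphin-example}"

# Refuse to run without a token. Never fall back to a username/password here:
# a token can be revoked per pipeline and only grants analysis rights.
require_token() {
  if [ -z "${SONAR_TOKEN:-}" ]; then
    echo "SONAR_TOKEN is not set; create an analysis token in SonarQube and add it as a CI secret" >&2
    return 1
  fi
}

# Arguments for 'dotnet sonarscanner begin', one per line, without the token
# (the token is appended separately so this list can be logged safely).
# sonar.qualitygate.wait makes the 'end' step block until the server has computed
# the quality gate and return non-zero if it fails, which fails the CI job.
begin_args() {
  printf '%s\n' \
    "/k:${PROJECT_KEY}" \
    "/d:sonar.host.url=${SONAR_HOST_URL}" \
    "/d:sonar.qualitygate.wait=true" \
    "/d:sonar.qualitygate.timeout=600"
}

# Full analysis: begin, build, end. Results are uploaded during the 'end' step.
run_analysis() {
  require_token
  # Install the scanner if the CI image does not ship it (ignore "already installed").
  dotnet tool install --global dotnet-sonarscanner >/dev/null 2>&1 || true
  export PATH="$PATH:$HOME/.dotnet/tools"

  # begin_args emits one argument per line and none contain whitespace or globs,
  # so unquoted expansion is safe here.
  # 'sonar.login' carries the token on SonarQube < 10; newer servers also accept 'sonar.token'.
  # shellcheck disable=SC2046
  dotnet sonarscanner begin $(begin_args) "/d:sonar.login=${SONAR_TOKEN}"
  dotnet build --no-incremental
  dotnet sonarscanner end "/d:sonar.login=${SONAR_TOKEN}"
}

# Only run the real analysis when explicitly asked, so the functions above can be
# sourced and checked without a SonarQube server.
if [ "${RUN_SONAR_SCAN:-0}" = "1" ]; then
  run_analysis
fi
```

Run it with `RUN_SONAR_SCAN=1 SONAR_TOKEN=<secret> ./sonar-ci.sh` from the CI job; the agent needs the .NET SDK and a Java runtime, because the `end` step of the scanner is a Java program. If the gate fails, the job fails, which is what makes "passing the quality gate" enforceable as a release requirement rather than a screenshot.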