DEV Community

Cosmas Gikunju

How to add SonarQube Code Coverage to Spring Boot

1. Overview

SonarQube is a self-managed static code analysis tool for continuous codebase inspection provided by SonarSource.

It's a popular choice that organizations use to:

  • Find and fix bugs and security vulnerabilities in code.
  • Analyze code with Static Application Security Testing (SAST).
  • Detect a broad range of security issues such as SQL injection vulnerabilities, cross-site scripting (XSS), code injection attacks, buffer overflows, authentication issues, cloud secrets detection and much more.
  • Perform branch analysis to spot and eliminate bugs.

You can read more at https://www.sonarsource.com/lp/products/sonarqube/static-code-analysis/

In this article we will look at how to add code coverage reporting to your Spring Boot (Java) application and surface it in SonarQube.

2. Integrating SonarQube into your Spring Boot project

  • Add the JaCoCo plugin to your dependencies in the pom.xml file as follows:

<dependency>
    <groupId>org.jacoco</groupId>
    <artifactId>jacoco-maven-plugin</artifactId>
    <version>0.8.11</version>
</dependency>

Use the version of your choice; you can look up the available releases on Maven Central at https://central.sonatype.com/artifact/org.jacoco/jacoco-maven-plugin

  • Then add the following under build plugins:

<build>
   <plugins>
      <plugin>
         <groupId>org.jacoco</groupId>
         <artifactId>jacoco-maven-plugin</artifactId>
         <version>0.8.11</version>
         <executions>
            <execution>
               <id>prepare-agent</id>
               <goals>
                  <goal>prepare-agent</goal>
               </goals>
            </execution>
            <execution>
               <id>report</id>
               <goals>
                  <goal>report</goal>
               </goals>
            </execution>
         </executions>
      </plugin>
   </plugins>
</build>

There is a very good post at https://community.sonarsource.com/t/coverage-test-data-importing-jacoco-coverage-report-in-xml-format/12151 that explains how to import a JaCoCo coverage report in XML format.

And voila, that's all you need to do.

3. Testing

  • Download and run SonarQube via Docker: docker run -d -p 9000:9000 sonarqube

Then access the dashboard at http://localhost:9000

  • Back in your project directory, run mvn clean install to build your code, then mvn sonar:sonar to push the analysis to SonarQube.

  • Back on your Sonar dashboard you will see your coverage info as follows:

Sonar Dashboard Screenshot

4. Caveat

  • To exclude packages or files from the coverage, add them as follows in the properties section of your pom.xml:


<properties>
   <java.version>21</java.version>
   <jacoco.version>0.8.11</jacoco.version>
   <sonar.exclusions>**/schemas/**,**/config/**</sonar.exclusions>
   <sonar.coverage.exclusions>**/schemas/**,**/config/**</sonar.coverage.exclusions>
</properties>


Enter fullscreen mode Exit fullscreen mode

Run mvn clean install and then mvn sonar:sonar, and your coverage will update. If a DevOps pipeline is configured, just push your changes and they will show up on your SonarQube dashboard.
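The two exclusion properties do different things, and that matters for a security review: sonar.exclusions removes the matched files from analysis entirely, so bug and vulnerability rules never see them, while sonar.coverage.exclusions only leaves them out of the coverage figure. Excluding `**/config/**` from all analysis, as above, also hides classes such as a Spring Security configuration from SAST. As an added example (not from the original post), a properties block that keeps the analysis exclusion narrow and uses the coverage-only exclusion for configuration classes; the `**/generated/**` and `**/*Application.java` patterns are assumptions for illustration, and the explicit report path is the default location written by the JaCoCo report goal.

```xml
<properties>
   <java.version>21</java.version>
   <jacoco.version>0.8.11</jacoco.version>

   <!-- Point SonarQube at the XML report produced by jacoco:report
        (this is the default path; making it explicit avoids surprises in CI). -->
   <sonar.coverage.jacoco.xmlReportPaths>
      ${project.build.directory}/site/jacoco/jacoco.xml
   </sonar.coverage.jacoco.xmlReportPaths>

   <!-- Removed from ALL analysis (bugs, vulnerabilities, coverage).
        Keep this to code you genuinely do not own, e.g. generated sources (assumed pattern). -->
   <sonar.exclusions>**/generated/**</sonar.exclusions>

   <!-- Removed from the coverage figure only; these files are still scanned by
        security and bug rules. Configuration classes and the Spring Boot main class
        are typical candidates (assumed patterns). -->
   <sonar.coverage.exclusions>**/config/**,**/*Application.java</sonar.coverage.exclusions>
</properties>
```

After changing these properties, run mvn clean install followed by mvn sonar:sonar as described above; the Code tab in the dashboard shows whether a file was excluded from coverage only or from the whole analysis.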

  • You can also add the SonarLint plugin/extension to your IDE or code editor to catch most issues before you commit or build.
