Building Continuous Code Quality through SonarCloud

Code review is a systematic process to verify and check the produced code. To start with the basics, the manual code review entails reading the source code line by line to look out for vulnerabilities. This process demands a lot of skills, experience, and patience. Also, issues like buffer overflows, dead code, and other subtle mistakes are tough for a human reviewer to find and are better suited to automated analysis. This article brings forward some ways on how we can automate our code review process through SonarCloud and our success journey of how we achieved our goal of:

• Continuous inspection of overall health.
• Centralized code quality management.
• Enforce code quality through the quality gate in our organization.

Why SonarCloud

We analyzed the various tools that are available in the market and after scrutinizing, one tool stood out amongst all. SonarCloud readily integrates with our source control, Bitbucket. SonarSource hosts SonarCloud in AWS and is the easiest path to scan our codebase in minutes. SonarSource does all the heavy lifting for SonarCloud, so we don’t have to worry about installation or maintenance. SonarCloud not only meets our core requirements but also has additional features built into it.

• Dashboard: Overall quality health of all projects at a glimpse.
• Quality Gate: Go/No-Go gate for a new version of the project.
• Tracking: Gives you a moment-in-time snapshot of your code quality today.
• Integration with our CI Engine: SonarCloud integrates with CircleCI out of the box.

Start Small

After we integrated sonar with our source code, SonarCloud has pre-defined rules built in for every language. We examined all the pre-defined rule-sets and picked the most important and suitable ones that suit our needs.

Pilot Run Analysis

We selected a couple of projects from our engineering teams and requested them to scan their projects against the defined rules set and quality gate. We also asked the respective teams to look into the issues reported and to provide us with their feedback. Based on their response, we readjusted the baseline of the ruleset with the changes in activating/deactivating the rules, changing the severity, etc.

We also found that the confidence level of approving a pull request (PR) is high because of static code analysis. The analysis is simple for the teams to follow through. SonarCloud will decorate the PR with the new/changed code, so we get the right info at the right time.

Roll-Out

After getting positive feedback from the pilot run, we rolled it out across all the projects. Though there was some hesitancy, we have soon realized the value, and now it has become the regular practice of analyzing the code and approving the PR more confidently.

How does SonarCloud work with our CI/CD?

As we see from the image above, after developer pushed code on a remote branch and creates a PR, the CI process gets triggered in our CircleCI build pipeline. We put the SonarScanner in of the jobs that generate the test coverage jobs. After this, the SonarScanner runs to collect all the static analysis and test report/coverage and pushes all the collected information to the SonarCloud.

The scanner will then send the report to SonarCloud. SonarCloud will match these reports against the pre-defined quality gates and notify CircleCI to pass or fail the PR.

How we fixed a security issue through a quick feedback loop

When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that the software will generate and use this guess to impersonate another user or access sensitive information.

As you can see from the screenshot above, in the pull request, the Math.random() function relies on a weak pseudo-random number generator. We should not use this function for security-critical applications or for protecting sensitive data.

Code Complexity

SonarCloud raises Cognitive Complexity issues on code that’s structured in a way that is hard to understand. From our experience, we found that complex code is more likely to be buggy and will need to be rewritten within 3–6 weeks. This results in a high code churn rate. By getting code complexity analysis within the PR, we can now raise concerns during the code review process.

Summary

How have we benefited so far?

1. Significant effort spent on manual code review (static) is now being avoided.
2. It improved the quality of the code by reducing code complexities, security, duplications in the code.
3. Through our CircleCI integration, analysis is now automated and makes code easy to review.

Do you want to be part of Shippo Engineering? View our openings!