Integrating with SonarQube

August 27, 2014 By Brian Fox

3 minute read time

Update: Sonatype now has it's own code quality service: Sonatype Lift.

_thumb_63490

Many development organizations we work with have turned to SonarQube as a dashboard to visualize and measure their code quality.

Customers using CLM want to surface known security vulnerabilities and license risk in the same place developers or executives already go to assess the overall quality of their application. To support this growing interest from our customers, we are introducing our next important milestone: Sonatype CLM’s integration with SonarQube.

Screen Shot 2014-08-26 at 9.15.17 AM

Figure 1. SonarQube widget example highlights open source policy violations that require attention. Drill down reports with with detailed analysis are accessible directly from this widget.

 

This integration will allow you to access summary-level Sonatype CLM information for your applications, as well as link to Sonatype CLM Application Composition Reports directly from your SonarQube projects.

Screen Shot 2014-08-26 at 9.51.44 AM

Figure 2. Sonatype CLM Application Composition Reports offer detailed analysis of license and security issues down to the individual components and risks.

Better component usage doesn’t just lead to risk reduction though, it also leads to better applications. This is something that ties closely with code analysis, and tools such as SonarQube.

If you are already using SonarQube, you know first hand the impact that principles such as the 7 Axes of Code Quality can have on the applications and projects your teams create. Paralleling this, as a user of Sonatype CLM you also know how using good components is a critical and essential part of developing quality applications. Sonatype CLM for SonarQube brings both of these together.

  1. THE SOFTWARE: For Sonatype CLM users needing access to the 1.11 release, it can be found on our KnowledgeBase here.

  2. THE INTEGRATION: For Sonatype CLM users looking for more information on the SonarQube integration, you can quickly get up-and-running with our online guides.

  3. LEARN MORE: What to learn more about SonarQube? Here is an informative article I found from Nadeem Mohammad.

Finally, if you are looking for information on how Sonatype CLM integrates into your complete development environment, here are some links that you might find helpful:

Tags: Sonatype Says, Nexus, Hudson, Everything Open Source, Sonar, Dashboard, plug-in, SonarQube, Maven, clm, jenkins, code, quality, AppSec Spotlight

Written by Brian Fox

Brian Fox is a software developer, innovator and entrepreneur. He is an active contributor within the open source development community, most prominently as a member of the Apache Software Foundation and former Chair of the Apache Maven project. As the CTO and co-founder of Sonatype, he is focused on building a platform for developers and DevOps professionals to build high-quality, secure applications with open source components.