
SonarQube with Maven Integration: Quality Gates, Profiles, and Administration


1. SonarQube Flow

  1. First, you run the command:
    mvn sonar:sonar

  2. The Sonar Scanner starts working: it scans the source code of your project.

  3. It checks:

    • What type of code it is (Java, Python, etc.)

    • What quality issues are present (bugs, smells, etc.)

  4. After scanning, it sends the report to the SonarQube Server.

  5. In the SonarQube server:

    • The Compute Engine takes the report and analyzes it in depth.

    • The Web Server displays the results in the browser.

    • The Search Server supports searching inside the results.

  6. Then the final results are stored in the SonarQube Database. From the browser, a developer can see:

    • Bugs

    • Vulnerabilities

    • Code Smells

    • Coverage

    • Duplications

2. Common Bug in SonarQube: Server Not Actually Starting

Problem Summary:

When you start the SonarQube server as the root user, it prints "Started", but the server does not actually keep running in the background.

Wrong Way (Using root):

sudo su -
cd /opt/sonarqube/bin/linux-x86-64
sh sonar.sh start      # It says 'SonarQube started' 
sh sonar.sh status     # But shows: 'SonarQube is not running'
  • Many users make the mistake of trusting the “Started” message, but the service hasn’t actually started.

What People Usually Do After That:

They switch to the sonar user and try again:

su - sonar
cd /opt/sonarqube/bin/linux-x86-64
sh sonar.sh start
sh sonar.sh status      #  Still shows 'SonarQube is not running'
  • Even though this is the correct user, SonarQube still doesn’t start properly because the root issue hasn’t been fixed yet.

3. Check Logs to Find Root Cause

After starting SonarQube with the correct user, if the status command still shows "SonarQube is not running", check the logs.

Step 1: Go to the logs directory

  • Check sonar.log:
cd /opt/sonarqube/logs
cat sonar.log

  • In this case the log shows that Elasticsearch (the search server bundled with SonarQube) failed to start, and that failure stopped the whole SonarQube startup.

Root Cause:

  • In most cases this happens because the temp directory was created by root during the earlier, wrong start, so the sonar user doesn’t have permission to write to it.

  • So the temp directory is what causes the startup to fail.

Step 2: Go to the temp directory

cd /opt/sonarqube/temp/

  • You may see folders like conf and sharedmemory, and inside conf/es, files like elasticsearch.keystore, elasticsearch.yml, jvm.options, and log4j2.properties.

These files were created by the root user and block a proper startup when running as the sonar user.

Step 3: Final Fix: Clean the temp directory

cd /opt/sonarqube
sudo rm -rf /opt/sonarqube/temp/

Then, start SonarQube again with sonar user:

su - sonar
cd /opt/sonarqube/bin/linux-x86-64
sh sonar.sh start
sh sonar.sh status

Now the status command should show: SonarQube is running

  • You can now access SonarQube.
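A small preflight check for the ownership problem described above, added here as an example and not part of the original post: it lists every entry under a SonarQube directory (such as the temp directory) that is not owned by the service user, so the permission problem is visible before the server is started. It assumes GNU coreutils (stat -c) on Linux; the directory and user name are parameters, and the demo builds a constructed copy of the temp layout in a temporary location.

```shell
#!/bin/sh
# Added example (not from the original post): report entries under a SonarQube
# directory that are not owned by the service user. Assumes GNU coreutils
# (stat -c) on Linux; DIR and USER are parameters, nothing under /opt is touched.

# sonar_foreign_files DIR USER
# Prints "<owner><TAB><path>" for every entry below DIR whose owner is not USER.
# stat is used instead of 'find ! -user' so USER need not exist on this host.
sonar_foreign_files() {
    find "$1" -mindepth 1 2>/dev/null | while IFS= read -r path; do
        owner=$(stat -c '%U' "$path" 2>/dev/null) || continue
        [ "$owner" = "$2" ] || printf '%s\t%s\n' "$owner" "$path"
    done
}

# sonar_owner_check DIR USER
# Returns 0 when everything below DIR is owned by USER, 1 otherwise (and prints
# the offenders), so a wrapper can refuse to run 'sonar.sh start' until fixed.
sonar_owner_check() {
    offenders=$(sonar_foreign_files "$1" "$2")
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Demo on a constructed directory shaped like /opt/sonarqube/temp from the post.
sonar_owner_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/conf/es" "$demo/sharedmemory"
    touch "$demo/conf/es/elasticsearch.yml" "$demo/conf/es/jvm.options"
    # Everything was just created by the current user, so that name is clean;
    # a different expected user (placeholder name) reports all five entries.
    sonar_owner_check "$demo" "$(id -un)" && echo "clean for $(id -un)"
    sonar_owner_check "$demo" "service-user-placeholder" || echo "fix ownership first"
    rm -rf "$demo"
}
```

On a real server you would run sonar_owner_check /opt/sonarqube sonar before sonar.sh start; deleting the temp directory as the post does, or chown -R sonar:sonar on the offending paths, clears the report.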


4. Integrate SonarQube in Maven Project

Why do we need to integrate SonarQube into a Maven project?

SonarQube is used to:

  • Analyze code quality

  • Detect bugs and vulnerabilities

  • Identify code smells

To perform this, SonarQube should connect with the Maven project so that it can generate a report and display it in the SonarQube web dashboard.

Step 1: Connect to the Maven Server

Go to the server where your Java/Maven project is available.

Step 2: Update pom.xml with SonarQube details

Why do we update pom.xml?

Because Maven must know:

  • Where is SonarQube running → Server URL (IP:Port)

  • Who is sending the report → Username/password or token

Update your pom.xml :

<properties>
  <sonar.host.url>http://43.205.231.25:9000</sonar.host.url>
  <sonar.login>admin</sonar.login>
  <sonar.password>password</sonar.password>
</properties>

  • Run mvn sonar:sonar from the project directory. If the build is successful, the SonarQube report is generated and pushed to the SonarQube server.

Step 3: View the Report on SonarQube

  • Open the SonarQube Web UI

  • Go to the Projects tab. Here you'll see the list of all scanned projects.

  • Click on your project name to view detailed results.

What You Will See in the Report:

  • Bugs – Code mistakes that could lead to errors.

  • Vulnerabilities – Security-related issues.

  • Code Smells – Maintainability issues or bad practices.

  • Duplications – Repeated code blocks.

  • Code Coverage – How much code is covered by unit tests.

Go to the Issues Tab

  • Shows all issues identified across files.

  • You can filter by type (Bug, Smell, etc.), severity, and status.

Estimated Time to Fix

  • SonarQube also shows the estimated Time to Fix each issue.

  • This helps developers plan how long it may take to resolve all problems.


5. Secure Token Authentication (Avoid Hardcoding Credentials)

Problem

Hardcoding SonarQube username & password in pom.xml is not secure.

1. Solution: Use a SonarQube Token

Generate the token:

  • Navigate to: Administration → Security → Users → Tokens

  • Enter a token name and click “Generate”

  • Copy the token (e.g., squ_abcdef123456...) and save it securely

2. Update pom.xml:

Remove this line:

<sonar.password>password</sonar.password>

Replace the username value with your token:

<sonar.login>squ_1234567abcdefgh</sonar.login>

That means:

  • sonar.login → now holds the token (not the username)

  • sonar.password → must be removed

3. Run the goal Again:

mvn clean sonar:sonar

After successful execution, you can view the updated report on the SonarQube dashboard.
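Even a token is a credential, so it is better kept out of pom.xml altogether. The wrapper below is an added example, not the post's own procedure: it reads the token from an environment variable (SONAR_TOKEN is an assumed name), checks that it looks like the squ_ user tokens the post shows, passes it to Maven as a -D property, and refuses to run against a pom.xml that still hardcodes sonar.login, sonar.password or sonar.token. sonar.login is the property the post uses; newer scanners also accept sonar.token for the same value.

```shell
#!/bin/sh
# Added example (not from the original post): keep the SonarQube token out of
# pom.xml. SONAR_TOKEN is an assumed environment variable name.

# sonar_pom_has_secrets POM
# Exit 0 (true) and print the offending lines when pom.xml still hardcodes a
# credential property; exit 1 when it is clean. Suitable as a pre-commit check.
sonar_pom_has_secrets() {
    grep -nE '<sonar\.(login|password|token)>' "$1"
}

# sonar_maven_args HOST_URL
# Prints the extra Maven arguments, one per line. Fails when SONAR_TOKEN is
# unset or does not start with squ_ (the user-token prefix shown in the post),
# so a bad CI secret fails fast instead of as a scanner authentication error.
sonar_maven_args() {
    case "${SONAR_TOKEN:-}" in
        squ_*) ;;
        *) echo "SONAR_TOKEN missing or not a squ_ user token" >&2; return 1 ;;
    esac
    # sonar.login is what the post uses; newer scanners also accept sonar.token.
    printf '%s\n' "-Dsonar.host.url=$1" "-Dsonar.login=$SONAR_TOKEN"
}

# sonar_analyze POM HOST_URL
# The mvn invocation with the secret supplied at run time, never in the file.
sonar_analyze() {
    if sonar_pom_has_secrets "$1"; then
        echo "remove the credential properties above from $1" >&2
        return 1
    fi
    args=$(sonar_maven_args "$2") || return 1
    # $args is intentionally unquoted: one -D argument per line, no spaces inside.
    mvn -f "$1" clean sonar:sonar $args
}
```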


6. How to Change SonarQube Default Port

You can change the default port SonarQube runs on (9000) by modifying its configuration file. You can also set a custom context path if needed.

Step 1: Open Configuration File

cd /opt/sonarqube/conf
vi sonar.properties

Step 2: Modify the Port

Note: Make sure to remove the # at the beginning of the port line. If it stays commented out, SonarQube will keep running on the default port 9000.

Step 3: Restart SonarQube Server

sh sonar.sh restart

Step 4: Update the New Port in Maven pom.xml

  • Go to your project's pom.xml and update the port in <sonar.host.url>.

  • If you don’t update it, Maven will try to send the report to the default port 9000, and you’ll get an error like: Unable to reach SonarQube server at http://<ip>:9000

Step 5: Add Port to Security Group

Step 6 : Access with New Port

  • Open your browser and access the SonarQube dashboard using the new port.

  • You should now see the SonarQube dashboard on the new port.
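The "remove the #" caveat in Step 2 is easy to get wrong, so here is an added example (not the post's own code) that edits the port in a sonar.properties file and reports the port that will actually take effect. sonar.web.port is the property name used in the standard sonar.properties, where it ships commented out; the file path is a parameter, GNU sed is assumed, and the demo works on a constructed copy rather than /opt/sonarqube/conf/sonar.properties.

```shell
#!/bin/sh
# Added example (not from the original post): set and verify sonar.web.port.
# Assumes GNU sed (sed -i) on Linux. FILE is a path to a sonar.properties copy.

# sonar_effective_port FILE
# Prints the port SonarQube will bind. Only an uncommented 'sonar.web.port='
# line counts (last one wins, as in Java properties); a line still starting
# with '#' leaves the default 9000, which is the mistake the post warns about.
sonar_effective_port() {
    port=$(sed -n 's/^[[:space:]]*sonar\.web\.port[[:space:]]*=[[:space:]]*\([0-9]\{1,5\}\).*/\1/p' "$1" | tail -n 1)
    echo "${port:-9000}"
}

# sonar_set_port FILE PORT
# Rewrites (and uncomments) the port line, or appends one if the file has
# none. Rejects non-numeric values and ports outside 1-65535.
sonar_set_port() {
    case "$2" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$2" -lt 1 ] || [ "$2" -gt 65535 ]; then
        echo "port out of range: $2" >&2
        return 1
    fi
    if grep -qE '^[[:space:]]*#?[[:space:]]*sonar\.web\.port[[:space:]]*=' "$1"; then
        sed -i "s/^[[:space:]]*#\{0,1\}[[:space:]]*sonar\.web\.port[[:space:]]*=.*/sonar.web.port=$2/" "$1"
    else
        printf 'sonar.web.port=%s\n' "$2" >> "$1"
    fi
}

# Demo on a constructed properties fragment with the default commented line.
sonar_port_demo() {
    f=$(mktemp)
    printf '%s\n' '# Web server' '#sonar.web.port=9000' '#sonar.web.context=' > "$f"
    echo "before: $(sonar_effective_port "$f")"   # still 9000, line is commented
    sonar_set_port "$f" 9090
    echo "after:  $(sonar_effective_port "$f")"   # 9090
    rm -f "$f"
}
```

After restarting, the value printed by sonar_effective_port is the one to put in the pom.xml sonar.host.url and to open in the security group.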

7. Quality Profiles

A Quality Profile is a set of rules that will be applied during the code scan.

How to Create a Custom Profile

  • Go to Quality Profiles → Click Create

  • In the popup:

    • Select Language: for example, Java

    • Profile Name: kksonar

    • Choose: Create a blank quality profile (this option gives you full control and starts with no active rules)

    • Click: Create

  • After creating the kksonar profile, you can find it under Quality Profiles → Select kksonar.

  • Click “Activate More Rules” to add your own rules.

  • Choose the rules you want and click “Activate”; the selected rules are added to your custom profile.

  • Rules are listed with their severity (Major, Minor, etc.), so you can select rules by severity and activate them into your custom profile.

  • You can also deactivate a rule that has been activated.

Attach Quality Profile to Your Project

After creating and customizing your Quality Profile (e.g., kksonar), follow these steps to attach it to your project:

  • Go to Projects tab from the SonarQube dashboard.

  • Select your project → Click on "Project Settings"

  • Navigate to Quality Profiles under settings.

  • For the language (e.g., Java), select your custom profile from the dropdown (e.g., kksonar).

  • Save the changes.

8. Quality Gates

What is a Quality Gate?

A set of conditions (ex: coverage %, duplication %) to ensure code quality.

Step 1: Create the Gate

  • Go to Quality Gates

  • Click Create, give it a name (e.g., mavenwebapp-qg), and save it.

Step 2: Unlock Editing and Add Conditions

  1. Click on your new gate (like mavenwebapp-qg).

  2. Click the "Unlock editing" button.

  3. Now you can add conditions based on your project’s standards, for example:

    • To apply a condition to the entire codebase, select: On overall code.

    • Coverage should be greater than 80%

    • Code Smells, Bugs, Vulnerabilities should be 0 or severity-based

    • Duplications less than 3%, etc.

Assign Quality Gate to a Project

To apply your custom Quality Gate (like mavenwebapp-qg) to a specific project:

  • Go to Projects

  • Select your project

  • Click Project Settings

  • Choose Quality Gates

  • From the dropdown, select your custom gate (e.g., mavenwebapp-qg)

  • Click Save

9. Administration Settings

How You Can Use Users, Groups & Permissions in SonarQube

  • In SonarQube, you can create users (like your teammates).

  • You can also create groups (like: devs, testers, managers, etc.).

  • Then you can add users into those groups.

  • After that, you can set permissions to the group (like: who can view reports, who can change settings, who can run analysis, etc.).

  • So, any user inside that group will automatically get those permissions.

Step 1: Create Users

  • Go to: Administration → Security → Users → Create User

  • Example: Create user mahesh

  • Now Mahesh can log in, but he is not an administrator (he has no special permissions yet)

Create Another User

Example: Create user sai

Step 2: Create Groups

Go to: Administration → Security → Groups → Create Group

  • Create two groups:

    • developers

    • devops

Step 3: Set Global Permissions for Groups

  • Go to: Administration → Security → Global Permissions

  • Select the group (like developers or devops)

  • Give permissions like:

    • Administration

    • Browse Projects

    • See Reports

    • Run Analysis

Step 4: Add Users to Groups

  • Go to: Administration → Security → Groups → [Select Group] → Add Members

  • Add:

    • Mahesh to devops

    • Sai to developers


Step 5: Check Group Membership

  • Go to: Administration → Security → Users

  • You can now see:

  • Mahesh → Member of devops developers

  • Sai → Member of developers

  • Now they will get only the permissions given to their group.


Thank you Niranjan. Blog is really excellent.


You're most welcome 😊
