sonarQube安装及本机扫描C#项目
2021-01-08 07:28
因项目需要,需要使用sonarQube对代码进行扫描并查看,因对sonarQube不熟悉,所以先在本机搭建测试环境。
参考了张老师的博客:http://www.cnblogs.com/danzhang/p/5205610.html
参考百度文库文章:http://wenku.baidu.com/view/088e5b1b6edb6f1aff001fc0.html?from=search
运行sonarQube之前,需要本机已经安装JDK及mysql
JDK:因为sonarQube是使用Java开发的,那么相应的肯定需要有JDK运行环境。安装步骤请参考《JDK Windows安装》
mysql:作为一个可运行的系统,需要将数据保存在数据库,以便下次查看。系统不只支持mysql,还支持SQL Server/Oracle等
关于JDK和mysql的安装,可以参考其中的文章。
首先在mysql中执行一段脚本,这段脚本的意思是
1.创建sonar命名的DB,并指定密码同为sonar
2.创建soanr用户
3/4将sonar这个DB的所有对象授权给sonar这个用户,且都指定口令为sonar,并同时指定只能从localhost和%登陆
CREATE DATABASE sonar CHARACTER SET utf8 COLLATE utf8_general_ci; CREATE USER ‘sonar‘ IDENTIFIED BY ‘sonar‘; GRANT ALL ON sonar.* TO ‘sonar‘@‘%‘ IDENTIFIED BY ‘sonar‘; GRANT ALL ON sonar.* TO ‘sonar‘@‘localhost‘ IDENTIFIED BY ‘sonar‘; FLUSH PRIVILEGES;
- 下载sonarQube和sonarQube Scanner
参考地址:http://docs.sonarqube.org/display/SONAR/Get+Started+in+Two+Minutes
我现在能够下载的sonarQube最新版本是6.1,sonarQube Scanner最新版本是2.8
下载至本地后就只是两个压缩包
- 解压sonarQube和sonarQube Scanner文件
将下载的zip文件解压至本地,这里我解压至C盘,
C:\sonarqube (解压的是sonarQube)
C:\sonar-scanner (解压的是sonarQube Scanner)
- 配置sonarQube
首先配置sonarQube,解压好的sonarQube目录有几个文件夹:
- bin:sonarQube运行命令文件夹
- conf:sonarQube配置文件夹
- data:(暂时不清楚功能)
- extensions:sonarQube的插件等存放文件夹
- lib:sonarQube存放的运行库文件(jar)
- logs:sonarQube日志文件夹
- temp:sonarQube临时文件夹
- web:sonarQube系统UI界面文件夹
首先进入至conf文件夹,原本在里面就存一个配置文件sonar.properties,但其中的节点都是使用#注释的,我们只需要将节点前面的#删除,该节点即可起效
节点
sonar.jdbc.usename:连接至mysql的用户名(上一节DB新增并授权用户名sonar)
sonar.jdbc.password:连接至mysql的口令(上一节DB新增并授权用户密码sonar)
sonar.jdbc.url:连接至mysql的地址(一般来说,mysql与sonarQube都是安装在同一台机器,所以这里一般都是使用localhost,默认使用的是3306端口,如不在同一台机器,应该使用对应的IP地址,当然,上一节新增的用户也需要对相应的访问地址进行授权)
节点
sonar.web.port:系统运行的端口,现在是安装在本机,当系统配置完成后,将使用http://localhost:9000/进入系统
节点
sonar.updatecenter.activate:sonarQube原本就运行了很多的插件,有的插件会有更新,系统允许我们将插件进行更新(在系统中下载,并未真正更新原有的插件),
如将此节点打开,下次启动是,系统会自动更新为最新的插件(系统允许自动重新启动,但未试到,现在在系统中更新插件后可以重新启动)
节点
sonar.log.roolingpolicy:关于sonarQube的日志关于日期的格式
# Property values can: # - reference an environment variable, for example sonar.jdbc.url= ${env:SONAR_JDBC_URL} # - be encrypted. See http://redirect.sonarsource.com/doc/settings-encryption.html #-------------------------------------------------------------------------------------------------- # DATABASE # # IMPORTANT: the embedded H2 database is used by default. It is recommended for tests but not for # production use. Supported databases are MySQL, Oracle, PostgreSQL and Microsoft SQLServer. # User credentials. # Permissions to create tables, indices and triggers must be granted to JDBC user. # The schema must be created first. sonar.jdbc.username=sonar sonar.jdbc.password=sonar #----- Embedded Database (default) # H2 embedded database server listening port, defaults to 9092 #sonar.embeddedDatabase.port=9092 #----- MySQL 5.6 or greater # Only InnoDB storage engine is supported (not myISAM). # Only the bundled driver is supported. It can not be changed. sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance #----- Oracle 11g/12c # - Only thin client is supported # - Only versions 11.2.x and 12.x of Oracle JDBC driver are supported # - The JDBC driver must be copied into the directory extensions/jdbc-driver/oracle/ # - If you need to set the schema, please refer to http://jira.sonarsource.com/browse/SONAR-5000 #sonar.jdbc.url=jdbc:oracle:thin:@localhost:1521/XE #----- PostgreSQL 8.x/9.x # If you don‘t use the schema named "public", please refer to http://jira.sonarsource.com/browse/SONAR-5000 #sonar.jdbc.url=jdbc:postgresql://localhost/sonar #----- Microsoft SQLServer 2012/2014 and SQL Azure # A database named sonar must exist and its collation must be case-sensitive (CS) and accent-sensitive (AS) # Use the following connection string if you want to use integrated security with Microsoft Sql Server # Do not set sonar.jdbc.username or sonar.jdbc.password property if you are using Integrated Security # For Integrated Security to work, you have to download the Microsoft SQL JDBC driver package from # http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11774 # and copy sqljdbc_auth.dll to your path. You have to copy the 32 bit or 64 bit version of the dll # depending upon the architecture of your server machine. # This version of SonarQube has been tested with Microsoft SQL JDBC version 4.1 #sonar.jdbc.url=jdbc:sqlserver://localhost;databaseName=sonar;integratedSecurity=true # Use the following connection string if you want to use SQL Auth while connecting to MS Sql Server. # Set the sonar.jdbc.username and sonar.jdbc.password appropriately. #sonar.jdbc.url=jdbc:sqlserver://localhost;databaseName=sonar #----- Connection pool settings # The maximum number of active connections that can be allocated # at the same time, or negative for no limit. # The recommended value is 1.2 * max sizes of HTTP pools. For example if HTTP ports are # enabled with default sizes (50, see property sonar.web.http.maxThreads) # then sonar.jdbc.maxActive should be 1.2 * (50) = 120. #sonar.jdbc.maxActive=60 # The maximum number of connections that can remain idle in the # pool, without extra ones being released, or negative for no limit. #sonar.jdbc.maxIdle=5 # The minimum number of connections that can remain idle in the pool, # without extra ones being created, or zero to create none. #sonar.jdbc.minIdle=2 # The maximum number of milliseconds that the pool will wait (when there # are no available connections) for a connection to be returned before # throwing an exception, or to wait indefinitely. #sonar.jdbc.maxWait=5000 #sonar.jdbc.minEvictableIdleTimeMillis=600000 #sonar.jdbc.timeBetweenEvictionRunsMillis=30000 #-------------------------------------------------------------------------------------------------- # WEB SERVER # Web server is executed in a dedicated Java process. By default heap size is 512Mb. # Use the following property to customize JVM options. # Recommendations: # # The HotSpot Server VM is recommended. The property -server should be added if server mode # is not enabled by default on your environment: # http://docs.oracle.com/javase/8/docs/technotes/guides/vm/server-class.html # # Startup can be long if entropy source is short of entropy. Adding # -Djava.security.egd=file:/dev/./urandom is an option to resolve the problem. # See https://wiki.apache.org/tomcat/HowTo/FasterStartUp#Entropy_Source # #sonar.web.javaOpts=-Xmx512m -Xms128m -XX:+HeapDumpOnOutOfMemoryError # Same as previous property, but allows to not repeat all other settings like -Xmx #sonar.web.javaAdditionalOpts= # Binding IP address. For servers with more than one IP address, this property specifies which # address will be used for listening on the specified ports. # By default, ports will be used on all IP addresses associated with the server. #sonar.web.host=0.0.0.0 # Web context. When set, it must start with forward slash (for example /sonarqube). # The default value is root context (empty value). #sonar.web.context= # TCP port for incoming HTTP connections. Default value is 9000. sonar.web.port=9000 # The maximum number of connections that the server will accept and process at any given time. # When this number has been reached, the server will not accept any more connections until # the number of connections falls below this value. The operating system may still accept connections # based on the sonar.web.connections.acceptCount property. The default value is 50. #sonar.web.http.maxThreads=50 # The minimum number of threads always kept running. The default value is 5. #sonar.web.http.minThreads=5 # The maximum queue length for incoming connection requests when all possible request processing # threads are in use. Any requests received when the queue is full will be refused. # The default value is 25. #sonar.web.http.acceptCount=25 # By default users are logged out and sessions closed when server is restarted. # If you prefer keeping user sessions open, a secret should be defined. Value is # HS256 key encoded with base64. It must be unique for each installation of SonarQube. # Example of command-line: # echo -n "type_what_you_want" | openssl dgst -sha256 -hmac "key" -binary | base64 #sonar.auth.jwtBase64Hs256Secret= #-------------------------------------------------------------------------------------------------- # COMPUTE ENGINE # The Compute Engine is responsible for processing background tasks. # Compute Engine is executed in a dedicated Java process. Default heap size is 512Mb. # Use the following property to customize JVM options. # Recommendations: # # The HotSpot Server VM is recommended. The property -server should be added if server mode # is not enabled by default on your environment: # http://docs.oracle.com/javase/8/docs/technotes/guides/vm/server-class.html # #sonar.ce.javaOpts=-Xmx512m -Xms128m -XX:+HeapDumpOnOutOfMemoryError # Same as previous property, but allows to not repeat all other settings like -Xmx #sonar.ce.javaAdditionalOpts= # The number of workers in the Compute Engine. Value must be greater than zero. # By default the Compute Engine uses a single worker and therefore processes tasks one at a time. # Recommendations: # # Using N workers will require N times as much Heap memory (see property # sonar.ce.javaOpts to tune heap) and produce N times as much IOs on disk, database and # Elasticsearch. The number of workers must suit your environment. #sonar.ce.workerCount=1 #-------------------------------------------------------------------------------------------------- # ELASTICSEARCH # Elasticsearch is used to facilitate fast and accurate information retrieval. # It is executed in a dedicated Java process. Default heap size is 1Gb. # JVM options of Elasticsearch process # Recommendations: # # Use HotSpot Server VM. The property -server should be added if server mode # is not enabled by default on your environment: # http://docs.oracle.com/javase/8/docs/technotes/guides/vm/server-class.html # #sonar.search.javaOpts=-Xmx1G -Xms256m -Xss256k -Djna.nosys=true # -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 # -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError # Same as previous property, but allows to not repeat all other settings like -Xmx #sonar.search.javaAdditionalOpts= # Elasticsearch port. Default is 9001. Use 0 to get a free port. # As a security precaution, should be blocked by a firewall and not exposed to the Internet. #sonar.search.port=9001 # Elasticsearch host. The search server will bind this address and the search client will connect to it. # Default is 127.0.0.1. # As a security precaution, should NOT be set to a publicly available address. #sonar.search.host=127.0.0.1 #-------------------------------------------------------------------------------------------------- # UPDATE CENTER # Update Center requires an internet connection to request https://update.sonarsource.org # It is enabled by default. sonar.updatecenter.activate=true # HTTP proxy (default none) #http.proxyHost= #http.proxyPort= # HTTPS proxy (defaults are values of http.proxyHost and http.proxyPort) #https.proxyHost= #https.proxyPort= # NT domain name if NTLM proxy is used #http.auth.ntlm.domain= # SOCKS proxy (default none) #socksProxyHost= #socksProxyPort= # Proxy authentication (used for HTTP, HTTPS and SOCKS proxies) #http.proxyUser= #http.proxyPassword= #-------------------------------------------------------------------------------------------------- # LOGGING # Level of logs. Supported values are INFO(default), DEBUG and TRACE (DEBUG + SQL + ES requests) #sonar.log.level=INFO # Path to log files. Can be absolute or relative to installation directory. # Default is/logs #sonar.path.logs=logs # Rolling policy of log files # - based on time if value starts with "time:", for example by day ("time:yyyy-MM-dd") # or by month ("time:yyyy-MM") # - based on size if value starts with "size:", for example "size:10MB" # - disabled if value is "none". That needs logs to be managed by an external system like logrotate. sonar.log.rollingPolicy=time:yyyy-MM-dd # Maximum number of files to keep if a rolling policy is enabled. # - maximum value is 20 on size rolling policy # - unlimited on time rolling policy. Set to zero to disable old file purging. #sonar.log.maxFiles=7 # Access log is the list of all the HTTP requests received by server. If enabled, it is stored # in the file {sonar.path.logs}/access.log. This file follows the same rolling policy as for # sonar.log (see sonar.log.rollingPolicy and sonar.log.maxFiles). #sonar.web.accessLogs.enable=true # Format of access log. It is ignored if sonar.web.accessLogs.enable=false. Possible values are: # - "common" is the Common Log Format, shortcut to: %h %l %u %user %date "%r" %s %b # - "combined" is another format widely recognized, shortcut to: %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" # - else a custom pattern. See http://logback.qos.ch/manual/layouts.html#AccessPatternLayout. # The login of authenticated user is not implemented with "%u" but with "%reqAttribute{LOGIN}" (since version 6.1). # The value displayed for anonymous users is "-". # If SonarQube is behind a reverse proxy, then the following value allows to display the correct remote IP address: #sonar.web.accessLogs.pattern=%i{X-Forwarded-For} %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" # Default value is: #sonar.web.accessLogs.pattern=combined #-------------------------------------------------------------------------------------------------- # OTHERS # Delay in seconds between processing of notification queue. Default is 60 seconds. #sonar.notifications.delay=60 # Paths to persistent data files (embedded database and search index) and temporary files. # Can be absolute or relative to installation directory. # Defaults are respectively /data and /temp #sonar.path.data=data #sonar.path.temp=temp #-------------------------------------------------------------------------------------------------- # DEVELOPMENT - only for developers # The following properties MUST NOT be used in production environments. # Dev mode allows to reload web sources on changes and to restart server when new versions # of plugins are deployed. #sonar.web.dev=false # Path to webapp sources for hot-reloading of Ruby on Rails, JS and CSS (only core, # plugins not supported). #sonar.web.dev.sources=/path/to/server/sonar-web/src/main/webapp # Elasticsearch HTTP connector, for example for KOPF: # http://lmenezes.com/elasticsearch-kopf/?location=http://localhost:9010 #sonar.search.httpPort=-1
- 配置sonarQube Scanner
配置sonarQube Scanner也只需要将其中配置好的节点取消注释就可起效,与sonarQube的配置非常类似,sonarQube Scanner的文件夹更加简单
- bin:sonarQube Scanner运行命令文件夹
- conf:sonarQube Scanner配置文件夹
- lib:sonarQube Scanner存放的运行库文件(jar)
节点:
sonar.host.url:sonarQube URL地址(一般地,sonarQube与sonarScann应该默认都在同一台机器,如果是不在同一台机器,则需要替换成不同的IP,端口默认是9000)
sonar.sourceEncoding:sonarQube的默认源码编码方式
sonar.jdbc.username:sonarQube数据库用户名(上一节DB新增并授权用户名sonar)
sonar.jdbc.password:sonarQube数据库口令(上一节DB新增并授权用户密码sonar)
sonar.jdbc.url:sonarQube DB连接方式(一般来说,mysql与sonarQube都是安装在同一台机器,所以这里一般都是使用localhost,默认使用的是3306端口,如不在同一台机器,应该使用对应的IP地址,当然,上一节新增的用户也需要对相应的访问地址进行授权)
#Configure here general information about the environment, such as SonarQube DB details for example #No information about specific project should appear here #----- Default SonarQube server sonar.host.url=http://localhost:9000 #----- Default source code encoding sonar.sourceEncoding=UTF-8 #----- Global database settings (not used for SonarQube 5.2+) sonar.jdbc.username=sonar sonar.jdbc.password=sonar #----- PostgreSQL #sonar.jdbc.url=jdbc:postgresql://localhost/sonar #----- MySQL sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8 #----- Oracle #sonar.jdbc.url=jdbc:oracle:thin:@localhost/XE #----- Microsoft SQLServer #sonar.jdbc.url=jdbc:jtds:sqlserver://localhost/sonar;SelectMethod=Cursor
- 系统配置
这一步的主要目的就是,能够使用命令行工具直接调用到sonarQube和sonarQube Scanner,我们可以将它们的目录加入至系统的环境变量中
加入环境变量SONAR_RUNNER_HOME,配置的值是sonarQube Scanner的目录,例如我本机的是C:\sonar-scanner\sonar-scanner-2.8\
在环境变量path的末尾加入sonarQube的bin位置,另外,在bin中,系统将支持windows系统和linux等系统,所以bin会有下级子文件夹,我本机的是64位系统,所以在末尾加入;C:\sonarqube\sonarqube-6.1\bin\windows-x86-64(记得前面加入分号)
再在环境变量path的末尾加入sonarQube Scanner的bin位置,这里我们已经将它的上级目录加入了一个系统变量中,只需要加上;%SONAR_RUNNER_HOME%/bin(记得前面加入分号)
- 运行系统
到此,我们打开sonarQube文件夹中bin命令运行系统(应该打开一个命令行工具就可以运行命令,但我个人习惯在文件夹中打开)
每次手动打开肯定是比较麻烦的,那就需要将sonarQube作为一个服务一直运行,即使重启电脑也可以正常访问,首先打开InstallNTService.bat,再运行StartNTService.bat
当提示中出现了红框标示的语句,说明系统就已经启动了
打开浏览器,输入http://localhost:9000/应该就可以打开系统了,第一次打开时,肯定是没有Project中的数据的,我这里已经运行成功了,所以才有数据。关于系统的一些管理功能,需要进一步的研究
- 查看sonar-scanner(扫描器)
当安装完成了sonarQube服务器,还需要查看sonar-scanner是否能够正确运行了,因为接下来需要使用sonar-scanner去静态扫描代码
使用命令查看,如果能够正常显示出sonar-scanner的信息则是正常的,否则请查看是否已经在环境变量中正确配置sonar-scanner
sonar-scanner -V
- 源码配置
至此,我们已经能够正常的访问到系统了,但这仅仅是基础,源码扫描最重要的就是要将源码提供给sonarQube Scanner扫描,并在sonarQube系统中显示结果。
还需要完成最重要的一步,配置源码扫描,我这里以实际的项目为例,在解决方案文件的同级目录加入一个配置文件sonar-project.properties
节点:
sonar.projectKey:运行项目的唯一关键字,其中允许"-"、"_"、"."、":"字符
sonar.projectName:项目名称,在系统中显示的项目名称
sonar.projectVersion:项目版本号
sonar.sources:源代码的路径,如有多个路径,可以使用分号进行分隔,如果该参数没有设置,则从当前目录进行扫描
sonar.language:语言的类型,因为我这里是C#,对应的就是cs了
以上是强制参数,是必须设置的,以下是可选参数-----------------------------------------------------------
sonar.projectDescription:定义项目的描述
sonar.sourceEncoding:编码方式,不知道有什么实际的用处
sonar.binaries:指定编译后代码的路径,如类或二进制,逗号隔开,不兼容Maven,使用Maven时会在Manven默认项目路径下找编译后的代码
sonar.tests:指定单元测试代码的路径,使用逗号隔开
sonar.libraries:指定第三方包的路径,如java的jar包
sonar.importSources:有时,出于安全或其他原因,项目源代码不允许存储和查看。默认为true(我并未处理该节点,扫描完成后一样可以查看源代码,不知道什么原因)
sonar.projectDate:记录历史数据或某些事件时,极有必要自定义此参数。在版本控制中也会使用此参数,格式如:yyyy-MM-dd,默认是当前时间
sonar.exclusions:指定不纳入分析的文件,使用逗号分开
sonar.skippedModules:部分项目模块可能不需要纳入分析,以防影响整个项目的分析指标,例如集成测试或自动生成的代码(ESB生成的接口文件等)
sonar.includeModules:需要分析的模块,其他模块会被忽略,注意:根路径必须加入
sonar.branch:管理项目分析,同一个工程的两个项目分析在sonar中任务是两个不同的项目
sonar.profile:通过sonar的Web接口, 可以定义很多质量规则,也可以方便的和已有的规则进行关联
sonar.skipDesing:禁用Java字节码分析,从sonar 2.0,支持Java自己的字节码分析,默认为false
sonar.phase:分析前执行Maven指令
sonar.java.source:Java源代码的版本,sonar不使用该属性,插件可能会用到,如PMD
sonar.java.target:Java源代码的版本,sonar不使用该属性,插件可能会用到,如Clover
sonar.findbugs.excludesFilters:支持使用Findbugs的忽略过滤器
# Required metadata sonar.projectKey=Workbench sonar.projectName=Esquel.WebWorkbench sonar.projectVersion=1.2.1 # Comma-separated paths to directories with sources (required) sonar.sources=. #sonar.binaries=bin\classes # Language sonar.language=cs # Encoding of the source files sonar.sourceEncoding=UTF-8
- 运行命令
在源码的文件夹按住shift键,鼠标右键,在此处打开命令窗口,打开了命令窗口后,直接输入sonar-runner.bat(如果该命令找不到,则需要查看一下,是不是已经将目录加入至环境变量中)
另外还发现另一种命令执行的方式,即使用命令并传入必须的参数,这样,就可以不用在待扫描的项目文件路径中加入sonar-project.properties配置文件,比较简单,但比较容易出错,使用命令时需要先确定好参数再运行。
sonar-scanner -Dsonar.projectKey="newproject" -Dsonar.projectName="newprojectname" -Dsonar.projectVersion="1.6" -Dsonar.sources="." -Dsonar.language="cs"
然后回车,现在,sonarQube Scanner开始扫描C#代码了,并等待完成,我在本机的处理速度还是相当快的
其中扫描代码时,也可以在命令后面加入参数
-h :帮助
-X :产生Debug输出
-i :产生交互
扫描完成后,会自动停止,但命令窗口不会关闭
- 查看
再次进入http://localhost:9000/即可进入系统,并查看到扫描的结果