How to work with SonarQube in the local environment
- 1 Introduction
- 2 Installing the SonarQube plug-in for Eclipse
- 3 Linking the plug-in to the SonarQube server
- 4 Associating the project modules to the SonarQube connection
- 5 Viewing SonarQube issues in the code
- 6 Disable automatic execution of the SonarQube plug-in
- 7 Disable checking of a SonarQube rule in the code
- 8 Solve server certificate issues in SonarQube
- 9 Obtain a report with the project's issues
Introduction
SonarQube is a platform that analyses code and detects errors such as vulnerabilities, poorly structured code fragments, and lack of test coverage, providing recommendations for their correction.
This document shows how to install and run an Eclipse plug-in to work with it.
Installing the SonarQube plug-in for Eclipse
To work with SonarQube it is convenient to install a plug-in in Eclipse. This plug-in lets you see the problems SonarQube finds in the code and fix them either afterwards or as they appear while you type.
The plug-in to be installed, previously known as ‘SonarLint’, is ‘SonarQube for IDE’, specifically version 11.5.1.
To install it, from Eclipse, go to the top menu option of Help -> Eclipse Marketplace...
In the text box of the ‘Search’ tab, enter the name of the plug-in (‘SonarQube for IDE’), install it and restart the IDE.
If for some reason (as sometimes happens) the Eclipse Marketplace doesn't load properly, you can install the plug-in from the menu option Help -> Install New Software...
Add the URL of https://eclipse-uc.sonarlint.org, select ‘SonarQube for IDE’, install it and restart the IDE.
Linking the plug-in to the SonarQube server
In order for the installed plug-in to know which rules to follow, it needs to be connected to a SonarQube server.
To do so, go to the top menu option Window -> Show View -> Other..., click on the ‘SonarQube’ folder and select the ‘SonarQube Bindings’ view.
In the view that appears, right-click and choose ‘New connection...’. Then select the option ‘SonarQube server’ and click ‘Next >’.
A text box then asks for the URL of the SonarQube server. In the case of Onesait Platform, this server is: https://sonarqube.onesaitplatform.com/.
After clicking ‘Next >’, a token will be requested. The token authenticates the plug-in to the SonarQube server, so that access from Eclipse is authorised; treat it as a credential, since it grants the plug-in your permissions on the server.
You can then create a new token (‘Generate token’) or you can use an existing one.
After choosing one or the other option, click on the ‘Finish’ button. After doing so, the connection should appear in the view.
Associating the project modules to the SonarQube connection
To associate the project modules to the newly created SonarQube connection, right-click on the connection and select ‘Bind Projects...’. Click on the ‘Add...’ button and add the project modules.
Once this is done, you should see the SonarQube issues in the code. If not, just restart Eclipse.
Viewing SonarQube issues in the code
SonarQube issues are highlighted in the code with a blue underline.
To obtain a list of all the issues in the file that is open, access the tab with the ‘SonarQube On-The-Fly’ view: Window -> Show View -> Other... -> SonarQube -> SonarQube On-The-Fly.
Disable automatic execution of the SonarQube plug-in
To avoid the delay in the IDE caused by the SonarQube plug-in, you can disable it temporarily or permanently.
To do this, right-click on the current project and select Properties -> SonarQube, then untick ‘Run SonarQube automatically’.
If you later want to run the SonarQube analysis, right-click on the current project and select SonarQube -> Analyze.
Disable checking of a SonarQube rule in the code
If you want a specific SonarQube rule to not apply to a particular line of code, add // NOSONAR at the end of the line, ideally accompanied by a justification, e.g., // NOSONAR: It's not a @RestController. Note that the marker suppresses every issue reported on that line, not just one rule, so use it sparingly and keep the justification next to it.
Solve server certificate issues in SonarQube
A certificate error may occur when the SonarQube plugin attempts to access the server.
When this happens, it is necessary to import the SonarQube server certificates into the JVM keystore of Eclipse.
To do this, the first step is to download the two required server certificates.
This can be done by navigating to the SonarQube server page (https://sonarqube.onesaitplatform.com/), clicking on the address bar's padlock, and going to ‘Connection is secure -> Certificate is valid -> Details.’
Next, proceed to export the two necessary certificates. For each one, select the certificate and click the ‘Export…’ button, choosing the format ‘Base-64 encoded ASCII, single certificate (*.pem, *.crt)’ and giving the file a name with a ‘.crt’ extension.
Once the two certificate files are available, locate the JVM that Eclipse runs on. Its path is the value of ‘java.home’ under Help -> About Eclipse -> Installation Details -> Configuration.
Next, open the command prompt, navigate to that path and enter the subdirectory jre\lib\security.
The final path will be something like: S:\tools\eclipse\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_17.0.5.v20221102-0933\jre\lib\security.
After this, copy the two certificate files to this location and import them one by one into the keystore using the following command, giving each certificate its own alias (the import fails if the alias already exists in the keystore):
keytool -importcert -trustcacerts -alias sonar_n -file <certificate_name_n.crt> -keystore cacerts -storepass changeit
Finally, restart Eclipse and, if necessary, disassociate and reassociate the projects with the SonarQube server.
Obtain a report with the project's issues
The Community version of SonarQube does not allow you to export a report of the existing issues in a project. They can be seen in the web interface, but it is cumbersome to inspect them there.
It is possible, however, to obtain a list by making calls to the SonarQube API by executing a ".bat" file from the command prompt:
@echo off
SET "SONAR_TOKEN=<token>"
SET "SEVERITIES=BLOCKER,CRITICAL,MAJOR,MINOR,INFO"
SET "TYPES=BUG,VULNERABILITY,CODE_SMELL"
SET "STATUSES=OPEN,CONFIRMED,REOPENED"
FOR /F "delims=" %%T IN ('curl --ssl-no-revoke -u %SONAR_TOKEN%: "https://sonarqube.onesaitplatform.com/api/issues/search?projectKeys=onesait-platform&componentKeys=onesait-platform&severities=%SEVERITIES%&types=%TYPES%&statuses=%STATUSES%&ps=1" ^| jq -r .total') DO SET "TOTAL=%%T"
IF NOT DEFINED TOTAL (
echo Error: Failed to set TOTAL. Check network, API, or jq installation.
exit /b 1
)
SET /A PAGES=(%TOTAL% + 499) / 500
IF %PAGES% LEQ 0 SET PAGES=1
echo Total issues: %TOTAL%
echo Number of pages: %PAGES%
echo "key","rule","message","severity","type","component","line" > issues.csv
FOR /L %%p IN (1,1,%PAGES%) DO (
echo Querying page %%p...
curl --ssl-no-revoke -u %SONAR_TOKEN%: "https://sonarqube.onesaitplatform.com/api/issues/search?projectKeys=onesait-platform&componentKeys=onesait-platform&severities=%SEVERITIES%&types=%TYPES%&statuses=%STATUSES%&ps=500&p=%%p" | jq -r ".issues[] | [.key, .rule, .message, .severity, .type, .component, (.line // \"\")] | @csv" >> issues.csv || (
echo Error on page %%p
exit /b 1
)
)
echo Completed. Check issues.csv
Where ‘jq’ is a command line tool for processing and manipulating JSON that can be downloaded from its official website.
The query parameters are:
severities=BLOCKER,CRITICAL,MAJOR: keeps only issues of BLOCKER, CRITICAL and MAJOR severity (the script above requests all five levels, including MINOR and INFO).
types=BUG,VULNERABILITY: keeps only BUG and VULNERABILITY issues (the script above also includes CODE_SMELL).
statuses=OPEN,CONFIRMED,REOPENED: keeps only issues with the statuses OPEN, CONFIRMED, and REOPENED.
ps=500: the page size (500 is the maximum number of results per page). The API serves at most the first 10,000 results of a search, so very large projects need a narrower filter.
p=%%p: the page number of the results, starting at 1.
After executing the script, you get an “issues.csv” file that can be imported into Excel.
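The same retrieval as the batch script, written in Python as an added example (not part of the original document or of the Onesait Platform tooling): it pages through api/issues/search with the token as basic-auth user, flattens each issue to the same seven CSV columns, and stops paging at the 10,000 results the API will serve. The server URL and the project key onesait-platform are taken from the script; the sample pages are constructed so it runs offline.

```python
import base64, csv, json, urllib.request
from urllib.parse import urlencode

SONAR_URL = "https://sonarqube.onesaitplatform.com"  # server named on the page
COLUMNS = ("key", "rule", "message", "severity", "type", "component", "line")

def build_query(project_key, page, page_size=500):
    """Query string for one page, with the same filters as the batch script."""
    return urlencode({"projectKeys": project_key, "componentKeys": project_key,
                      "severities": "BLOCKER,CRITICAL,MAJOR,MINOR,INFO", "types": "BUG,VULNERABILITY,CODE_SMELL",
                      "statuses": "OPEN,CONFIRMED,REOPENED", "ps": page_size, "p": page})

def page_count(total, page_size=500):
    """Pages needed: at least 1, and never past the 10,000 results api/issues/search will serve."""
    return max(1, (min(total, 10000) + page_size - 1) // page_size)

def issue_row(issue):
    return [issue.get(k, "") for k in COLUMNS]  # same seven columns as the script; missing 'line' -> ''

def http_fetch(token, project_key, page, page_size=500):
    """Real fetcher: token as basic-auth user with empty password (curl -u TOKEN:)."""
    req = urllib.request.Request(f"{SONAR_URL}/api/issues/search?{build_query(project_key, page, page_size)}")
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def collect_issues(fetch, project_key, page_size=500):
    """fetch(project_key, page) returns one page's parsed JSON; returns (total, rows)."""
    first = fetch(project_key, 1)
    rows = [issue_row(i) for i in first["issues"]]
    for page in range(2, page_count(first["total"], page_size) + 1):
        rows.extend(issue_row(i) for i in fetch(project_key, page)["issues"])
    return first["total"], rows

def write_csv(rows, path="issues.csv"):
    with open(path, "w", newline="", encoding="utf-8") as fh:
        w = csv.writer(fh, quoting=csv.QUOTE_ALL)  # quote every field, as jq's @csv does
        w.writerow(COLUMNS)
        w.writerows(rows)

# Constructed sample pages (not real server data) so the script runs offline with page_size=1.
SAMPLE = {1: {"total": 2, "issues": [{"key": "AX1", "rule": "java:S2068", "message": "Hard-coded credential",
              "severity": "BLOCKER", "type": "VULNERABILITY", "component": "onesait-platform:src/A.java", "line": 40}]},
          2: {"total": 2, "issues": [{"key": "AX2", "rule": "java:S1135", "message": "Complete the TODO, please",
              "severity": "INFO", "type": "CODE_SMELL", "component": "onesait-platform:src/B.java"}]}}  # no 'line'

if __name__ == "__main__":
    total, rows = collect_issues(lambda _project, page: SAMPLE[page], "onesait-platform", page_size=1)
    write_csv(rows)
    print(f"Total issues: {total}, rows written: {len(rows)}")
```

Against the real server, pass `lambda p, page: http_fetch(token, p, page)` as the fetcher instead of the sample one.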