Delivering Clean Code with SonarLint and SonarQube

clean code Mar 20, 2023

Clean code is the result of writing code that is easy to read, modify, and maintain. It's like writing a story that is easy to follow, with clear and concise language and a well-structured content. When the code is clean, it is easier for other developers to work with, and it reduces the likelihood of errors and bugs in the code. Clean code is essential for successful software development, as it makes the development process more efficient and effective.

As software developers, one of our primary goals is to deliver high-quality, maintainable code. Writing clean code is essential for creating software that is easy to understand, extend, and maintain over time. In this blog post, we will explore some of the best practices for delivering clean code, as well as two powerful tools for managing code quality: SonarLint and SonarQube.

Why is clean code important?

Clean code is essential for several reasons. First, it makes the code easier to read and understand, which helps other developers who work on the project. Clean code is also easier to modify and extend, which can save time and reduce the risk of introducing bugs. Finally, clean code can help identify and prevent security vulnerabilities, which can protect the application and its users.

Tips for writing clean code

Before we discuss how SonarLint and SonarQube can help deliver clean code, let's review some tips for writing clean code:

1. Use meaningful AND consistent names: Use descriptive and meaningful names for variables, functions, classes, and other code entities. Avoid single-letter or cryptic names, and use names that convey the purpose or functionality of the entity. It is recommended to adhere to consistent naming standards as per your organisation's Coding practices guidelines.

2. Keep it simple: Write code that is easy to read and understand. Avoid unnecessary complexity, and use the simplest possible solution that meets the requirements. Adopt industry standard principles such as KISS (Keep-It-Simple-Stupid) to drive simplicity within your code.

3. Remove dead code: Remove any unused or dead code from the project. Dead code not only clutters the codebase but can also lead to confusion and bugs.

4. Refactor regularly: Refactor code regularly to keep it clean and maintainable. Refactoring involves restructuring the code without changing its functionality to improve its readability, maintainability, and extensibility.

5. Avoid nested conditionals and loops: Avoid deeply nested conditionals and loops. Instead, use early returns, guard clauses, and functional programming techniques to simplify the code.

6. Write self-documenting code: Write code that is self-explanatory and easy to understand without the need for additional comments. Use descriptive names, simple, and clear syntax, and follow coding standards and best practices.

7. Keep code DRY: Don't Repeat Yourself (DRY) is a principle that suggests avoiding repetition in code. Look for opportunities to reuse code by extracting common functionality into functions, classes, or libraries.

Delivering clean code with SonarLint and SonarQube

Image source: docs.sonarqube.org

SonarLint and SonarQube are two powerful tools that can help you deliver clean code by catching potential bugs, vulnerabilities, and other issues before they make it into production.

SonarLint is a code analysis plugin that integrates with popular integrated development environments (IDEs) like Visual Studio, Eclipse, and IntelliJ. It provides real-time feedback on code quality as you write your code, highlighting potential issues such as unused variables and unhandled exceptions. By catching these issues early, SonarLint allows you to make corrections while you're still writing your code, saving time and effort down the road.

SonarQube is a more comprehensive tool that provides even more powerful code analysis capabilities. It not only analyzes code quality, but also provides detailed reports on security vulnerabilities, code coverage, and other metrics. It can be used to track code quality over time, identify areas for improvement, and enforce coding standards and best practices. With SonarQube, you can get a clear understanding of your codebase and make informed decisions about how to improve it.

Together, SonarLint and SonarQube can help you deliver clean code in several ways:

1. Real-time feedback: With SonarLint, you get immediate feedback on your code quality as you write your code, so you can catch issues early and make corrections before they become more difficult to fix.

2. Code analysis: SonarLint and SonarQube provide powerful code analysis capabilities, allowing you to catch potential bugs, vulnerabilities, and other issues before they make it into production.

3. Coding standards enforcement: SonarQube can be configured to enforce coding standards and best practices, ensuring that your code follows established conventions and is easy to maintain and extend.

4. Metrics tracking: SonarQube provides detailed reports on code quality, security vulnerabilities, code coverage, and other metrics, allowing you to track your progress over time and identify areas for improvement.

5. Integration with development tools: Both SonarLint and SonarQube integrate with popular development tools like Visual Studio, Eclipse, and IntelliJ, making it easy to incorporate code analysis into your development workflow.

Steps to install SonarLint in IntelliJ

1. Open IntelliJ and go to the Settings button.

2. In the Settings/Preferences dialog, go to the Plugins section.

3. Click on the Marketplace tab.

4. Search for “sonarlint” in the search bar.

5. Click the Install button next to the SonarLint plugin.

6. After the installation is complete, click the “Restart IDE” button to restart IntelliJ.

7. Once IntelliJ has restarted, you should see a SonarLint tool window at the bottom of the IDE.

Congratulations, you have successfully installed SonarLint in IntelliJ.

If we decide to ignore some rules in SonarLint we can use these steps:

1. Open IntelliJ and go to Settings.

2. In the Settings window, navigate to Tools > SonarLint.

3. Click on the Rules button.

4. To ignore a rule, select it from the list and uncheck the checkbox.

5. Click Apply/OK to confirm the changes.

Here are some examples of rules from SonarLint in Java:

1. Unused code: SonarLint may flag code that is never used, such as an unused method or variable. This rule can help identify dead code and reduce code bloat.

2. Unused imports: Similar to unused code, SonarLint can flag imports that are never used in the code. Removing unused imports can make the code easier to read and maintain.

3. Null pointer dereference: This rule flags instances where a null value is used without checking for null first. This can lead to NullPointerException at runtime, so it is important to ensure that null values are properly handled.

4. Duplicated code: SonarLint can flag blocks of code that are duplicated within the codebase. Duplicated code can lead to maintenance issues and make it harder to understand the codebase.

5. Code smell: SonarLint also includes rules that flag code smells, which are code constructs that may not necessarily be bugs but may lead to issues down the road. Examples of code smell include long methods, long parameter lists, and excessive nesting.

6. SQL injection: SonarLint provides a rule that checks for SQL injection vulnerabilities by identifying dynamically constructed SQL queries that include user input. It recommends using prepared statements instead to ensure that user input is treated as a parameter and not as part of the query, protecting the application against potential attacks.

These are just a few examples of many rules that SonarLint can enforce in Java code. By following these rules and best practices, you can improve the quality and maintainability of your code.

Some important features of SonarQube

1. Summary of Code Analysis (Overview tab): This tab provides a summary of the code analysis results for a particular project. It displays a high-level overview of the project, including metrics such as the number of lines of code, the number of issues, the code coverage, and the technical debt.

2. Issues Tab: This tab lists all of the issues that were detected during the code analysis. Each issue represents a problem with the code, such as a bug, a code smell, or a security vulnerability. The Issues tab allows you to view and filter the issues based on various criteria, such as the severity of the issue or the type of issue.

3. Measures Tab: This tab provides a more detailed view of the code analysis results. It displays metrics for various aspects of the code, such as code complexity, code duplication, and code coverage. The Measures tab allows you to view the trends in these metrics over time and to compare the metrics across different branches or versions of the code.

In Halodoc, we use both SonarLint and SonarQube to systematically address code issues and vulnerabilities by implementing these strategies:

1. Integrating SonarLint into the IDEs used by developers to provide real-time feedback on code quality as they write their code.

2. Running scans on the codebase using SonarQube to identify and prioritize issues based on severity and forcing developers to maximize the code coverage testing by enabling Quality Gates.

3. Using SonarQube "Issues" tab to view a detailed list of issues, including their impact and suggested resolution.

4. Using SonarQube "Measures" tab to track overall code quality trends over time, identifying areas that require improvement.

By following this approach, Halodoc can address code quality and security issues throughout the software development lifecycle, ensuring that our applications are secure and maintainable in the future.

Reference : https://docs.sonarqube.org/9.9/

Conclusion

Delivering clean code is essential for creating software that is maintainable, extendable, and secure. By using SonarLint and SonarQube to deliver clean code, you can improve the quality and maintainability of your software, reduce the risk of security vulnerabilities and bugs, and save time and effort in the long run.


Join us

Scalability, reliability and maintainability are the three pillars that govern what we build at Halodoc Tech. We are actively looking for engineers at all levels and if solving hard problems with challenging requirements is your forte, please reach out to us with your resumé at careers.india@halodoc.com.


About Halodoc

Halodoc is the number 1 all around Healthcare application in Indonesia. Our mission is to simplify and bring quality healthcare across Indonesia, from Sabang to Merauke. We connect 20,000+ doctors with patients in need through our Tele-consultation service. We partner with 3500+ pharmacies in 100+ cities to bring medicine to your doorstep. We've also partnered with Indonesia's largest lab provider to provide lab home services, and to top it off we have recently launched a premium appointment service that partners with 500+ hospitals that allow patients to book a doctor appointment inside our application. We are extremely fortunate to be trusted by our investors, such as the Bill & Melinda Gates Foundation, Singtel, UOB Ventures, Allianz, GoJek, Astra, Temasek and many more. We recently closed our Series C round and In total have raised around USD$180 million for our mission. Our team works tirelessly to make sure that we create the best healthcare solution personalized for all of our patient's needs, and are continuously on a path to simplify healthcare for Indonesia.

Varian Vianandha

Software Development Engineer, Back End | Building Halodoc