sonarQube安装及本机扫描C#项目

因项目需要，需要使用sonarQube对代码进行扫描并查看，因对sonarQube不熟悉，所以先在本机搭建测试环境。

参考了张老师的博客：http://www.cnblogs.com/danzhang/p/5205610.html

参考百度文库文章：http://wenku.baidu.com/view/088e5b1b6edb6f1aff001fc0.html?from=search

运行sonarQube之前，需要本机已经安装JDK及mysql

JDK:因为sonarQube是使用Java开发的，那么相应的肯定需要有JDK运行环境。安装步骤请参考《JDK Windows安装》

mysql:作为一个可运行的系统，需要将数据保存在数据库，以便下次查看。系统不只支持mysql，还支持SQL Server/Oracle等

关于JDK和mysql的安装，可以参考其中的文章。

首先在mysql中执行一段脚本，这段脚本的意思是

1.创建sonar命名的DB，并指定密码同为sonar

2.创建soanr用户

3/4将sonar这个DB的所有对象授权给sonar这个用户，且都指定口令为sonar，并同时指定只能从localhost和%登陆

CREATE DATABASE sonar CHARACTER SET utf8 COLLATE utf8_general_ci;

CREATE USER 'sonar' IDENTIFIED BY 'sonar';
GRANT ALL ON sonar.* TO 'sonar'@'%' IDENTIFIED BY 'sonar';
GRANT ALL ON sonar.* TO 'sonar'@'localhost' IDENTIFIED BY 'sonar';
FLUSH PRIVILEGES;

• 下载sonarQube和sonarQube Scanner

参考地址：http://docs.sonarqube.org/display/SONAR/Get+Started+in+Two+Minutes

我现在能够下载的sonarQube最新版本是6.1，sonarQube Scanner最新版本是2.8

下载至本地后就只是两个压缩包

　　　　

• 解压sonarQube和sonarQube Scanner文件

将下载的zip文件解压至本地，这里我解压至C盘，

C:sonarqube （解压的是sonarQube）

C:sonar-scanner （解压的是sonarQube Scanner）

• 配置sonarQube

首先配置sonarQube，解压好的sonarQube目录有几个文件夹：

• bin:sonarQube运行命令文件夹
• conf:sonarQube配置文件夹
• data:（暂时不清楚功能）
• extensions:sonarQube的插件等存放文件夹
• lib:sonarQube存放的运行库文件（jar）
• logs:sonarQube日志文件夹
• temp:sonarQube临时文件夹
• web:sonarQube系统UI界面文件夹

首先进入至conf文件夹，原本在里面就存一个配置文件sonar.properties，但其中的节点都是使用#注释的，我们只需要将节点前面的#删除，该节点即可起效

节点

sonar.jdbc.usename:连接至mysql的用户名（上一节DB新增并授权用户名sonar）

sonar.jdbc.password:连接至mysql的口令（上一节DB新增并授权用户密码sonar）

sonar.jdbc.url:连接至mysql的地址（一般来说，mysql与sonarQube都是安装在同一台机器，所以这里一般都是使用localhost，默认使用的是3306端口，如不在同一台机器，应该使用对应的IP地址，当然，上一节新增的用户也需要对相应的访问地址进行授权）

节点

sonar.web.port:系统运行的端口，现在是安装在本机，当系统配置完成后，将使用http://localhost:9000/进入系统

节点

sonar.updatecenter.activate:sonarQube原本就运行了很多的插件，有的插件会有更新，系统允许我们将插件进行更新（在系统中下载，并未真正更新原有的插件），

如将此节点打开，下次启动是，系统会自动更新为最新的插件（系统允许自动重新启动，但未试到,现在在系统中更新插件后可以重新启动）

节点

sonar.log.roolingpolicy:关于sonarQube的日志关于日期的格式

 

# Property values can:
# - reference an environment variable, for example sonar.jdbc.url= ${env:SONAR_JDBC_URL}
# - be encrypted. See http://redirect.sonarsource.com/doc/settings-encryption.html

#--------------------------------------------------------------------------------------------------
# DATABASE
#
# IMPORTANT: the embedded H2 database is used by default. It is recommended for tests but not for
# production use. Supported databases are MySQL, Oracle, PostgreSQL and Microsoft SQLServer.

# User credentials.
# Permissions to create tables, indices and triggers must be granted to JDBC user.
# The schema must be created first.
sonar.jdbc.username=sonar
sonar.jdbc.password=sonar

#----- Embedded Database (default)
# H2 embedded database server listening port, defaults to 9092
#sonar.embeddedDatabase.port=9092
#----- MySQL 5.6 or greater
# Only InnoDB storage engine is supported (not myISAM).
# Only the bundled driver is supported. It can not be changed.
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance


#----- Oracle 11g/12c
# - Only thin client is supported
# - Only versions 11.2.x and 12.x of Oracle JDBC driver are supported
# - The JDBC driver must be copied into the directory extensions/jdbc-driver/oracle/
# - If you need to set the schema, please refer to http://jira.sonarsource.com/browse/SONAR-5000
#sonar.jdbc.url=jdbc:oracle:thin:@localhost:1521/XE


#----- PostgreSQL 8.x/9.x
# If you don't use the schema named "public", please refer to http://jira.sonarsource.com/browse/SONAR-5000
#sonar.jdbc.url=jdbc:postgresql://localhost/sonar


#----- Microsoft SQLServer 2012/2014 and SQL Azure
# A database named sonar must exist and its collation must be case-sensitive (CS) and accent-sensitive (AS)
# Use the following connection string if you want to use integrated security with Microsoft Sql Server
# Do not set sonar.jdbc.username or sonar.jdbc.password property if you are using Integrated Security
# For Integrated Security to work, you have to download the Microsoft SQL JDBC driver package from
# http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11774
# and copy sqljdbc_auth.dll to your path. You have to copy the 32 bit or 64 bit version of the dll
# depending upon the architecture of your server machine.
# This version of SonarQube has been tested with Microsoft SQL JDBC version 4.1
#sonar.jdbc.url=jdbc:sqlserver://localhost;databaseName=sonar;integratedSecurity=true

# Use the following connection string if you want to use SQL Auth while connecting to MS Sql Server.
# Set the sonar.jdbc.username and sonar.jdbc.password appropriately.
#sonar.jdbc.url=jdbc:sqlserver://localhost;databaseName=sonar


#----- Connection pool settings
# The maximum number of active connections that can be allocated
# at the same time, or negative for no limit.
# The recommended value is 1.2 * max sizes of HTTP pools. For example if HTTP ports are
# enabled with default sizes (50, see property sonar.web.http.maxThreads)
# then sonar.jdbc.maxActive should be 1.2 * (50) = 120.
#sonar.jdbc.maxActive=60

# The maximum number of connections that can remain idle in the
# pool, without extra ones being released, or negative for no limit.
#sonar.jdbc.maxIdle=5

# The minimum number of connections that can remain idle in the pool,
# without extra ones being created, or zero to create none.
#sonar.jdbc.minIdle=2

# The maximum number of milliseconds that the pool will wait (when there
# are no available connections) for a connection to be returned before
# throwing an exception, or <= 0 to wait indefinitely.
#sonar.jdbc.maxWait=5000

#sonar.jdbc.minEvictableIdleTimeMillis=600000
#sonar.jdbc.timeBetweenEvictionRunsMillis=30000



#--------------------------------------------------------------------------------------------------
# WEB SERVER
# Web server is executed in a dedicated Java process. By default heap size is 512Mb.
# Use the following property to customize JVM options.
#    Recommendations:
#
#    The HotSpot Server VM is recommended. The property -server should be added if server mode
#    is not enabled by default on your environment:
#    http://docs.oracle.com/javase/8/docs/technotes/guides/vm/server-class.html
#
#    Startup can be long if entropy source is short of entropy. Adding
#    -Djava.security.egd=file:/dev/./urandom is an option to resolve the problem.
#    See https://wiki.apache.org/tomcat/HowTo/FasterStartUp#Entropy_Source
#
#sonar.web.javaOpts=-Xmx512m -Xms128m -XX:+HeapDumpOnOutOfMemoryError

# Same as previous property, but allows to not repeat all other settings like -Xmx
#sonar.web.javaAdditionalOpts=

# Binding IP address. For servers with more than one IP address, this property specifies which
# address will be used for listening on the specified ports.
# By default, ports will be used on all IP addresses associated with the server.
#sonar.web.host=0.0.0.0

# Web context. When set, it must start with forward slash (for example /sonarqube).
# The default value is root context (empty value).
#sonar.web.context=
# TCP port for incoming HTTP connections. Default value is 9000.
sonar.web.port=9000


# The maximum number of connections that the server will accept and process at any given time.
# When this number has been reached, the server will not accept any more connections until
# the number of connections falls below this value. The operating system may still accept connections
# based on the sonar.web.connections.acceptCount property. The default value is 50.
#sonar.web.http.maxThreads=50

# The minimum number of threads always kept running. The default value is 5.
#sonar.web.http.minThreads=5

# The maximum queue length for incoming connection requests when all possible request processing
# threads are in use. Any requests received when the queue is full will be refused.
# The default value is 25.
#sonar.web.http.acceptCount=25

# By default users are logged out and sessions closed when server is restarted.
# If you prefer keeping user sessions open, a secret should be defined. Value is
# HS256 key encoded with base64. It must be unique for each installation of SonarQube.
# Example of command-line:
# echo -n "type_what_you_want" | openssl dgst -sha256 -hmac "key" -binary | base64
#sonar.auth.jwtBase64Hs256Secret=

#--------------------------------------------------------------------------------------------------
# COMPUTE ENGINE
# The Compute Engine is responsible for processing background tasks.
# Compute Engine is executed in a dedicated Java process. Default heap size is 512Mb.
# Use the following property to customize JVM options.
#    Recommendations:
#
#    The HotSpot Server VM is recommended. The property -server should be added if server mode
#    is not enabled by default on your environment:
#    http://docs.oracle.com/javase/8/docs/technotes/guides/vm/server-class.html
#
#sonar.ce.javaOpts=-Xmx512m -Xms128m -XX:+HeapDumpOnOutOfMemoryError

# Same as previous property, but allows to not repeat all other settings like -Xmx
#sonar.ce.javaAdditionalOpts=
# The number of workers in the Compute Engine. Value must be greater than zero.
# By default the Compute Engine uses a single worker and therefore processes tasks one at a time.
#    Recommendations:
#
#    Using N workers will require N times as much Heap memory (see property
#    sonar.ce.javaOpts to tune heap) and produce N times as much IOs on disk, database and
#    Elasticsearch. The number of workers must suit your environment.
#sonar.ce.workerCount=1


#--------------------------------------------------------------------------------------------------
# ELASTICSEARCH
# Elasticsearch is used to facilitate fast and accurate information retrieval.
# It is executed in a dedicated Java process. Default heap size is 1Gb.

# JVM options of Elasticsearch process
#    Recommendations:
#
#    Use HotSpot Server VM. The property -server should be added if server mode
#    is not enabled by default on your environment:
#    http://docs.oracle.com/javase/8/docs/technotes/guides/vm/server-class.html
#
#sonar.search.javaOpts=-Xmx1G -Xms256m -Xss256k -Djna.nosys=true 
#  -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 
#  -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError

# Same as previous property, but allows to not repeat all other settings like -Xmx
#sonar.search.javaAdditionalOpts=

# Elasticsearch port. Default is 9001. Use 0 to get a free port.
# As a security precaution, should be blocked by a firewall and not exposed to the Internet.
#sonar.search.port=9001

# Elasticsearch host. The search server will bind this address and the search client will connect to it.
# Default is 127.0.0.1.
# As a security precaution, should NOT be set to a publicly available address.
#sonar.search.host=127.0.0.1


#--------------------------------------------------------------------------------------------------
# UPDATE CENTER

# Update Center requires an internet connection to request https://update.sonarsource.org
# It is enabled by default.
sonar.updatecenter.activate=true

# HTTP proxy (default none)
#http.proxyHost=
#http.proxyPort=
# HTTPS proxy (defaults are values of http.proxyHost and http.proxyPort)
#https.proxyHost=
#https.proxyPort=

# NT domain name if NTLM proxy is used
#http.auth.ntlm.domain=

# SOCKS proxy (default none)
#socksProxyHost=
#socksProxyPort=

# Proxy authentication (used for HTTP, HTTPS and SOCKS proxies)
#http.proxyUser=
#http.proxyPassword=


#--------------------------------------------------------------------------------------------------
# LOGGING

# Level of logs. Supported values are INFO(default), DEBUG and TRACE (DEBUG + SQL + ES requests)
#sonar.log.level=INFO

# Path to log files. Can be absolute or relative to installation directory.
# Default is <installation home>/logs
#sonar.path.logs=logs

# Rolling policy of log files
#    - based on time if value starts with "time:", for example by day ("time:yyyy-MM-dd")
#      or by month ("time:yyyy-MM")
#    - based on size if value starts with "size:", for example "size:10MB"
#    - disabled if value is "none".  That needs logs to be managed by an external system like logrotate.
sonar.log.rollingPolicy=time:yyyy-MM-dd

# Maximum number of files to keep if a rolling policy is enabled.
#    - maximum value is 20 on size rolling policy
#    - unlimited on time rolling policy. Set to zero to disable old file purging.
#sonar.log.maxFiles=7

# Access log is the list of all the HTTP requests received by server. If enabled, it is stored
# in the file {sonar.path.logs}/access.log. This file follows the same rolling policy as for
# sonar.log (see sonar.log.rollingPolicy and sonar.log.maxFiles).
#sonar.web.accessLogs.enable=true

# Format of access log. It is ignored if sonar.web.accessLogs.enable=false. Possible values are:
#    - "common" is the Common Log Format, shortcut to: %h %l %u %user %date "%r" %s %b
#    - "combined" is another format widely recognized, shortcut to: %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}"
#    - else a custom pattern. See http://logback.qos.ch/manual/layouts.html#AccessPatternLayout.
# The login of authenticated user is not implemented with "%u" but with "%reqAttribute{LOGIN}" (since version 6.1).
# The value displayed for anonymous users is "-".
# If SonarQube is behind a reverse proxy, then the following value allows to display the correct remote IP address:
#sonar.web.accessLogs.pattern=%i{X-Forwarded-For} %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}"
# Default value is:
#sonar.web.accessLogs.pattern=combined


#--------------------------------------------------------------------------------------------------
# OTHERS

# Delay in seconds between processing of notification queue. Default is 60 seconds.
#sonar.notifications.delay=60

# Paths to persistent data files (embedded database and search index) and temporary files.
# Can be absolute or relative to installation directory.
# Defaults are respectively <installation home>/data and <installation home>/temp
#sonar.path.data=data
#sonar.path.temp=temp


#--------------------------------------------------------------------------------------------------
# DEVELOPMENT - only for developers
# The following properties MUST NOT be used in production environments.

# Dev mode allows to reload web sources on changes and to restart server when new versions
# of plugins are deployed.
#sonar.web.dev=false

# Path to webapp sources for hot-reloading of Ruby on Rails, JS and CSS (only core,
# plugins not supported).
#sonar.web.dev.sources=/path/to/server/sonar-web/src/main/webapp

# Elasticsearch HTTP connector, for example for KOPF:
# http://lmenezes.com/elasticsearch-kopf/?location=http://localhost:9010
#sonar.search.httpPort=-1

• 配置sonarQube Scanner

配置sonarQube Scanner也只需要将其中配置好的节点取消注释就可起效，与sonarQube的配置非常类似，sonarQube Scanner的文件夹更加简单

• bin:sonarQube Scanner运行命令文件夹
• conf:sonarQube Scanner配置文件夹
• lib:sonarQube Scanner存放的运行库文件（jar）

节点：

sonar.host.url:sonarQube URL地址（一般地，sonarQube与sonarScann应该默认都在同一台机器，如果是不在同一台机器，则需要替换成不同的IP，端口默认是9000）

sonar.sourceEncoding:sonarQube的默认源码编码方式

sonar.jdbc.username:sonarQube数据库用户名（上一节DB新增并授权用户名sonar）

sonar.jdbc.password:sonarQube数据库口令（上一节DB新增并授权用户密码sonar）

sonar.jdbc.url:sonarQube DB连接方式（一般来说，mysql与sonarQube都是安装在同一台机器，所以这里一般都是使用localhost，默认使用的是3306端口，如不在同一台机器，应该使用对应的IP地址，当然，上一节新增的用户也需要对相应的访问地址进行授权）

 

#Configure here general information about the environment, such as SonarQube DB details for example
#No information about specific project should appear here

#----- Default SonarQube server
sonar.host.url=http://localhost:9000

#----- Default source code encoding
sonar.sourceEncoding=UTF-8

#----- Global database settings (not used for SonarQube 5.2+)
sonar.jdbc.username=sonar
sonar.jdbc.password=sonar

#----- PostgreSQL
#sonar.jdbc.url=jdbc:postgresql://localhost/sonar

#----- MySQL
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8

#----- Oracle
#sonar.jdbc.url=jdbc:oracle:thin:@localhost/XE

#----- Microsoft SQLServer
#sonar.jdbc.url=jdbc:jtds:sqlserver://localhost/sonar;SelectMethod=Cursor

• 系统配置

这一步的主要目的就是，能够使用命令行工具直接调用到sonarQube和sonarQube Scanner，我们可以将它们的目录加入至系统的环境变量中

加入环境变量SONAR_RUNNER_HOME，配置的值是sonarQube Scanner的目录，例如我本机的是C:sonar-scannersonar-scanner-2.8

在环境变量path的末尾加入sonarQube的bin位置，另外，在bin中，系统将支持windows系统和linux等系统，所以bin会有下级子文件夹，我本机的是64位系统，所以在末尾加入;C:sonarqubesonarqube-6.1inwindows-x86-64（记得前面加入分号）

再在环境变量path的末尾加入sonarQube Scanner的bin位置，这里我们已经将它的上级目录加入了一个系统变量中，只需要加上;%SONAR_RUNNER_HOME%/bin（记得前面加入分号）

 

• 运行系统

到此，我们打开sonarQube文件夹中bin命令运行系统（应该打开一个命令行工具就可以运行命令，但我个人习惯在文件夹中打开）

每次手动打开肯定是比较麻烦的，那就需要将sonarQube作为一个服务一直运行，即使重启电脑也可以正常访问，首先打开InstallNTService.bat，再运行StartNTService.bat

当提示中出现了红框标示的语句，说明系统就已经启动了

打开浏览器，输入http://localhost:9000/应该就可以打开系统了，第一次打开时，肯定是没有Project中的数据的，我这里已经运行成功了，所以才有数据。关于系统的一些管理功能，需要进一步的研究

• 查看sonar-scanner（扫描器）

当安装完成了sonarQube服务器，还需要查看sonar-scanner是否能够正确运行了，因为接下来需要使用sonar-scanner去静态扫描代码

使用命令查看，如果能够正常显示出sonar-scanner的信息则是正常的，否则请查看是否已经在环境变量中正确配置sonar-scanner

sonar-scanner -V

• 源码配置

至此，我们已经能够正常的访问到系统了，但这仅仅是基础，源码扫描最重要的就是要将源码提供给sonarQube Scanner扫描，并在sonarQube系统中显示结果。

还需要完成最重要的一步，配置源码扫描，我这里以实际的项目为例，在解决方案文件的同级目录加入一个配置文件sonar-project.properties

节点：

sonar.projectKey:运行项目的唯一关键字，其中允许"-"、"_"、"."、":"字符

sonar.projectName:项目名称，在系统中显示的项目名称

sonar.projectVersion:项目版本号

sonar.sources：源代码的路径，如有多个路径，可以使用分号进行分隔，如果该参数没有设置，则从当前目录进行扫描

sonar.language:语言的类型，因为我这里是C#，对应的就是cs了

以上是强制参数，是必须设置的，以下是可选参数-----------------------------------------------------------

sonar.projectDescription:定义项目的描述

sonar.sourceEncoding:编码方式，不知道有什么实际的用处

sonar.binaries:指定编译后代码的路径，如类或二进制，逗号隔开，不兼容Maven，使用Maven时会在Manven默认项目路径下找编译后的代码

sonar.tests:指定单元测试代码的路径，使用逗号隔开

sonar.libraries:指定第三方包的路径，如java的jar包

sonar.importSources:有时，出于安全或其他原因，项目源代码不允许存储和查看。默认为true(我并未处理该节点，扫描完成后一样可以查看源代码，不知道什么原因)

sonar.projectDate:记录历史数据或某些事件时，极有必要自定义此参数。在版本控制中也会使用此参数，格式如：yyyy-MM-dd，默认是当前时间

sonar.exclusions:指定不纳入分析的文件，使用逗号分开

sonar.skippedModules:部分项目模块可能不需要纳入分析，以防影响整个项目的分析指标，例如集成测试或自动生成的代码（ESB生成的接口文件等）

sonar.includeModules:需要分析的模块，其他模块会被忽略，注意：根路径必须加入

sonar.branch:管理项目分析，同一个工程的两个项目分析在sonar中任务是两个不同的项目

sonar.profile:通过sonar的Web接口， 可以定义很多质量规则，也可以方便的和已有的规则进行关联

sonar.skipDesing:禁用Java字节码分析，从sonar 2.0，支持Java自己的字节码分析，默认为false

sonar.phase:分析前执行Maven指令

sonar.java.source:Java源代码的版本，sonar不使用该属性，插件可能会用到，如PMD

sonar.java.target:Java源代码的版本，sonar不使用该属性，插件可能会用到，如Clover

sonar.findbugs.excludesFilters:支持使用Findbugs的忽略过滤器

# Required metadata
sonar.projectKey=Workbench
sonar.projectName=Esquel.WebWorkbench
sonar.projectVersion=1.2.1
# Comma-separated paths to directories with sources (required)
sonar.sources=.
#sonar.binaries=binclasses
# Language
sonar.language=cs
# Encoding of the source files
sonar.sourceEncoding=UTF-8

• 运行命令

在源码的文件夹按住shift键，鼠标右键，在此处打开命令窗口，打开了命令窗口后，直接输入sonar-runner.bat(如果该命令找不到，则需要查看一下，是不是已经将目录加入至环境变量中)

另外还发现另一种命令执行的方式，即使用命令并传入必须的参数，这样，就可以不用在待扫描的项目文件路径中加入sonar-project.properties配置文件，比较简单，但比较容易出错，使用命令时需要先确定好参数再运行。

sonar-scanner -Dsonar.projectKey="newproject" -Dsonar.projectName="newprojectname" -Dsonar.projectVersion="1.6" -Dsonar.sources="." -Dsonar.language="cs"

然后回车，现在，sonarQube Scanner开始扫描C#代码了，并等待完成，我在本机的处理速度还是相当快的

其中扫描代码时，也可以在命令后面加入参数

-h :帮助

-X :产生Debug输出

-i :产生交互

扫描完成后，会自动停止，但命令窗口不会关闭

• 查看

  再次进入http://localhost:9000/即可进入系统，并查看到扫描的结果