Code Reviews with Stash and SonarQube

SonarQube is well-known to be one of the best tools to manage code quality. Through its extensive plug-in system, it supports the static analysis of all the common programming languages. While we think SonarQube is great, we think that a strong integration with Atlassian’s Stash makes code reviews even more effective. With our add-on Sonar for Stash, we provide an integration into Stash that allows a developer to never leave the Stash UI, to see all found issues, duplicate code lines and coverage information in the diff of the pull request (and only there), and to prevent code from being merged into another branch if configurable quality thresholds are not satisfied.

While the setup for this add-on requires an installation of SonarQube which itself needs a database — thus being more complicated than Code Review Assistant discussed in the last blog post — it is more powerful because it supports a wide range of programming languages through SonarQube’s powerful plug-in system.

To give you an idea of why we think that the tight integration between Stash and SonarQube is beneficial, we show you a typical issue often found in Java code bases where one of the holy rules of Java programming has been violated (“Always override hashCode and equals together”):



A typical issue in a Java code base: hashCode() is overridden, but equals() is not.
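The rule violation described above, reproduced as an added example that is not part of the original post or of the add-on: a class that overrides hashCode() but not equals() breaks lookups and deduplication in hash-based collections. The class names and the (user, role) sample data are hypothetical.

```java
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

public class HashCodeWithoutEquals {

    // Violation: hashCode() is overridden, equals() is still Object's identity check.
    static final class BrokenGrant {
        final String user, role;
        BrokenGrant(String user, String role) { this.user = user; this.role = role; }

        @Override public int hashCode() { return Objects.hash(user, role); }
    }

    // Fix: equals() and hashCode() are overridden together and use the same fields.
    static final class FixedGrant {
        final String user, role;
        FixedGrant(String user, String role) { this.user = user; this.role = role; }

        @Override public boolean equals(Object o) {
            if (this == o) return true;
            if (!(o instanceof FixedGrant)) return false;
            FixedGrant other = (FixedGrant) o;
            return Objects.equals(user, other.user) && Objects.equals(role, other.role);
        }

        @Override public int hashCode() { return Objects.hash(user, role); }
    }

    public static void main(String[] args) {
        // Constructed sample data: a set of granted (user, role) pairs.
        Set<BrokenGrant> broken = new HashSet<>();
        broken.add(new BrokenGrant("alice", "admin"));
        broken.add(new BrokenGrant("alice", "admin")); // not deduplicated
        // Same bucket, but identity equals(): a logically equal key is not found.
        System.out.println("broken contains: " + broken.contains(new BrokenGrant("alice", "admin")));
        System.out.println("broken size:     " + broken.size());

        Set<FixedGrant> fixed = new HashSet<>();
        fixed.add(new FixedGrant("alice", "admin"));
        fixed.add(new FixedGrant("alice", "admin")); // second add is a no-op
        System.out.println("fixed contains:  " + fixed.contains(new FixedGrant("alice", "admin")));
        System.out.println("fixed size:      " + fixed.size());
    }
}
```

When such a class backs a membership check, for example a set of granted permissions or a deny list, the check can silently miss an entry that looks identical, which is why the issue is worth blocking at review time.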

Sonar for Stash lets you comment on the found issue, create a task for it, or mark it as a false positive. It also shows the technical debt calculated by SonarQube for the specific issue, as well as the most important statistics of the two branches involved in a pull request on Stash’s overview page:



Pull request statistics provided by the Sonar for Stash plug-in.

Please note the yellow exclamation mark which means that this pull request cannot be merged because the defined quality thresholds (e.g., maximum increase of technical debt by a percentage) are exceeded. If you hover over the exclamation mark, Sonar for Stash displays the details of why this pull request is not allowed to be merged. With this feature, bad code will never be merged again into your master branch!

In the next blog post we will discuss the possibilities of our Stash plug-in and SonarQube by trying out a rather ancient programming language.