ProstDev
Tutorials May 25, 2021 · 5 min read

Easiest way to integrate automatic code review of MuleSoft apps using SonarQube and Docker Container

SonarQube is a platform for continuous inspection of code quality to perform automatic reviews with static analysis of code. The quickest way to have an installation of SonarQube up and running is using a Docker container. Let's use Docker Hub (the world's largest library and community for container images) to find a SonarQube Docker container to perform our MuleSoft applications code reviews.

By Leonardo Gonzalez

Using SonarQube and Docker

The quickest way to have an installation of SonarQube up and running is using a Docker container. SonarQube is a platform for continuous inspection of code quality that performs automatic reviews with static analysis of code to detect bugs, code smells and security vulnerabilities. This definition is not mine; it is from Wikipedia (https://en.wikipedia.org/wiki/SonarQube).

If you want to know more about SonarQube and all its capabilities, you can visit their website:

https://www.sonarqube.org/

On the other hand, Docker delivers software in packages called containers (they are ready to use). It is very cool, isn’t it? If you want to learn more about Docker, please visit their website:

https://www.docker.com/

Docker Hub

Let’s use Docker Hub (the world’s largest library and community for container images) to find a SonarQube Docker container to perform our MuleSoft applications code reviews.

Step by step:

  • Go to Docker Hub: https://hub.docker.com/
  • Sign in (or sign up if you do not have an account already)
  • Download the following image: mulesonarqube
  • Run the Docker image.

That is all! Now you have a SonarQube instance up and running, and it is ready to perform MuleSoft code analysis.

SonarQube Docker Container

To download the Docker image (it will take a while):

docker pull fperezpa/mulesonarqube:7.7.3

Terminal showing docker pull of the mulesonarqube:7.7.3 image with all layers Pull complete

To run the Docker image:

docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 fperezpa/mulesonarqube:7.7.3

You should see something like this in your command line:

Terminal with docker run then docker ps showing the sonarqube container Up on ports 9000 and 9092

Or in your Docker Desktop:

Docker Desktop showing the running sonarqube container's startup logs

If you want to know more about Docker Desktop (available for Windows, Mac and Linux), visit this website: https://www.docker.com/products/docker-desktop

Go to your SonarQube instance

That is it! Your SonarQube instance is ready to use.

Go to: http://localhost:9000/projects (log in with the default username and password, admin/admin; you can change it later).

You should see something like this:

Empty SonarQube Projects dashboard with a Create new project button

There is a set of Rules already configured in your SonarQube instance to analyze MuleSoft code. You can find them by clicking on Rules (top menu) and then on Mule (left menu). If you are feeling lucky you can modify those rules as needed.

SonarQube Rules page filtered by the Mule language, listing 54 Mule rules

There are two Quality Profiles: one for Mule 4 applications and another one for Mule 3 applications. The default Quality Profile is Mule 4.

Explore it by clicking on Quality Profiles (top menu) and then filtering profiles by Mule (picking list).

SonarQube Quality Profiles showing MuleSoft Rules for Mule 3.x and Mule 4.x, with 4.x default

Continue exploring your SonarQube, enjoy the trip!

Important! XML configuration

SonarQube already comes with an XML plugin, but your MuleSoft code is also XML. The Mule plugin we are going to use inspects XML files, so you need to remove the .xml suffix from the default XML plugin's file suffixes in SonarQube. This stops the XML plugin from checking your MuleSoft application and lets the Mule plugin do the work.

To do that, click on Administration (top menu), then Configuration and General Settings (top left menu), click on XML (left menu) and remove the .xml extension from the XML plugin configuration. You should see something like this (click on the red cross to remove .xml line):

SonarQube XML plugin File suffixes setting listing .xml, .xsd and .xsl with remove crosses

Then click on the Save button and you are done! Your SonarQube is ready to check your MuleSoft code.

XML File suffixes after removing .xml, now only .xsd and .xsl, with the Save button

Use the Maven Plugin

We are about to use a Maven plugin to verify the quality of our MuleSoft code using SonarQube. This plugin contains a set of rules and metrics that are applied and calculated every time a project is inspected. It is a plugin developed by MuleSoft and it is unlicensed.

If you want to know more about this plugin, please refer to the official repository:

https://github.com/mulesoft-catalyst/mule-sonarqube-plugin

To use this plugin, open a command line and navigate to your MuleSoft project’s home directory and run the following command:

mvn sonar:sonar -Dsonar.host.url=http://localhost:9000 -Dsonar.sources=.\src

  • -Dsonar.host.url is the URL where your SonarQube instance is running.
  • -Dsonar.sources is the path where the code to analyze is (typically the src folder under your MuleSoft project home; the Windows-style path .\src shown here would be ./src on macOS or Linux).

I have quickly created a Kafka producer-consumer MuleSoft app and I will analyze this code.

You should see something like the following:

Terminal output of mvn sonar:sonar starting analysis of the kafka-producer project

Finally, the plugin completes the code analysis, and the report will be available in your SonarQube instance:

Maven output ending in ANALYSIS SUCCESSFUL and BUILD SUCCESS with the report URL

SonarQube Report

You will find the report in your SonarQube instance. Just navigate to Projects (top menu); you should see your project there.

SonarQube Projects list with the kafka-producer project Passed, showing 2 bugs and 5 code smells

Click on your project and explore the report details.

kafka-producer project overview with Bugs, Vulnerabilities, Code Smells and Duplications metrics

Let’s take a quick look at the Bugs section.

SonarQube Issues view listing two bugs including credentials should be managed with properties

Conclusion

The report is highlighting a bug that says that credentials and resources should be managed with application properties. This was intentional: the application has an HTTP Listener with hardcoded host and port values. That is not good practice for MuleSoft applications; such values should be placed in a properties file.

Bug detail showing the offending HTTP Listener config XML with hardcoded host and port 8081
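As an added example (not code from this post or from the mule-sonarqube-plugin), here is a small standalone Python check in the spirit of that rule: it walks a Mule configuration XML and reports connection attributes whose value is a literal rather than a ${...} property placeholder. The two Mule 4 configuration snippets are constructed for this example, one with the hardcoded listener (as in the flagged project) and one with the values moved to a properties file; the attribute names in WATCHED_ATTRS are my own choice for the illustration, not the plugin's rule definition.

```python
import re
import xml.etree.ElementTree as ET

# Connection attributes that should come from application properties, not literals.
# This list is an assumption for the example, not the plugin's rule definition.
WATCHED_ATTRS = {"host", "port", "username", "password", "url"}
# A value that is entirely a property placeholder, e.g. ${http.port}
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")

# Constructed sample: HTTP Listener with hardcoded host and port (what the report flagged).
HARDCODED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http">
  <http:listener-config name="HTTP_Listener_config">
    <http:listener-connection host="0.0.0.0" port="8081"/>
  </http:listener-config>
</mule>
"""

# Constructed sample: the same config with the values moved to config.properties.
PROPERTIES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:http="http://www.mulesoft.org/schema/mule/http">
  <configuration-properties file="config.properties"/>
  <http:listener-config name="HTTP_Listener_config">
    <http:listener-connection host="${http.host}" port="${http.port}"/>
  </http:listener-config>
</mule>
"""


def find_hardcoded(xml_text):
    """Return a list of (element, attribute, value) for every watched attribute
    whose value is a literal instead of a ${...} placeholder."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # drop the namespace URI so the tag reads as it does in the source file
        tag = elem.tag.split("}")[-1]
        for attr, value in elem.attrib.items():
            if attr in WATCHED_ATTRS and not PLACEHOLDER.match(value):
                findings.append((tag, attr, value))
    return findings


def report(name, xml_text):
    """Print the findings for one configuration, one line per finding."""
    findings = find_hardcoded(xml_text)
    if not findings:
        print(f"{name}: OK, no hardcoded connection values")
    for tag, attr, value in findings:
        print(f'{name}: <{tag}> attribute {attr}="{value}" '
              "should be managed with application properties")
    return findings


if __name__ == "__main__":
    report("hardcoded", HARDCODED_XML)
    report("properties", PROPERTIES_XML)
```

Running it prints two findings for the hardcoded configuration (host and port on the listener connection) and nothing for the properties-based one. The placeholder regex deliberately accepts only a value that is entirely ${...}; a mixed value such as "prod-${http.host}" still counts as a finding, which is the conservative choice for a check like this.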

You can also explore the Mule default Rules definition in your SonarQube instance and modify/add rules as needed. If you have different MuleSoft coding standards you can enrich that set of rules.

This is the first step towards semi-automating code reviews for MuleSoft projects. After this you can integrate this Maven plugin into a CI/CD pipeline. This is very cool, right?
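The post leaves the CI/CD step for later; as an added example (not code from this post or from the mule-sonarqube-plugin), the Python script below shows the shape of that step. After mvn sonar:sonar has reported ANALYSIS SUCCESSFUL, it asks the SonarQube Web API whether the project passed its Quality Gate and lists the open bugs and vulnerabilities, returning a non-zero exit status so a pipeline job fails. The endpoints api/qualitygates/project_status and api/issues/search are SonarQube's own Web API; PROJECT_KEY, TOKEN and the rule key in the sample data are placeholders, and the two sample responses are constructed so the script can run offline with --demo.

```python
import base64
import json
import sys
import urllib.parse
import urllib.request

SONAR_URL = "http://localhost:9000"        # the instance URL used throughout the post
PROJECT_KEY = "REPLACE_WITH_PROJECT_KEY"   # placeholder: the key shown for your project under Projects
TOKEN = None                               # placeholder: a SonarQube user token; None sends no credentials

# Constructed sample responses so the script runs offline with --demo.
SAMPLE_GATE = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_bugs", "comparator": "GT",
             "errorThreshold": "0", "actualValue": "2"},
            {"status": "OK", "metricKey": "new_code_smells", "comparator": "GT",
             "errorThreshold": "10", "actualValue": "5"},
        ],
    }
}
SAMPLE_ISSUES = {
    "total": 2,
    "issues": [
        {"severity": "MAJOR", "component": "kafka-producer:src/main/mule/kafka-producer.xml",
         "line": 12, "rule": "PLACEHOLDER_RULE_KEY",
         "message": "Credentials and resources should be managed with application properties"},
        {"severity": "MAJOR", "component": "kafka-producer:src/main/mule/kafka-producer.xml",
         "line": 20, "rule": "PLACEHOLDER_RULE_KEY",
         "message": "Second constructed sample bug"},
    ],
}


def fetch_json(path, params):
    """GET /api/<path> from the SonarQube instance and decode the JSON body."""
    url = f"{SONAR_URL}/api/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url)
    if TOKEN:
        # SonarQube takes the token as the basic-auth username with an empty password
        cred = base64.b64encode(f"{TOKEN}:".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def evaluate_gate(project_status):
    """From an api/qualitygates/project_status body, return (passed, failing_conditions)."""
    status = project_status["projectStatus"]
    failing = [
        f"{c['metricKey']} {c.get('comparator', '')} {c.get('errorThreshold', '')}"
        f" (actual {c.get('actualValue', '?')})"
        for c in status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return status["status"] == "OK", failing


def count_by_severity(issues_search):
    """From an api/issues/search body, return {severity: number of open issues}."""
    counts = {}
    for issue in issues_search.get("issues", []):
        counts[issue["severity"]] = counts.get(issue["severity"], 0) + 1
    return counts


def main(demo=False):
    """Print open bugs/vulnerabilities and return 1 if the Quality Gate failed, else 0."""
    if demo:
        gate, issues = SAMPLE_GATE, SAMPLE_ISSUES
    else:
        gate = fetch_json("qualitygates/project_status", {"projectKey": PROJECT_KEY})
        issues = fetch_json("issues/search", {"componentKeys": PROJECT_KEY, "resolved": "false",
                                              "types": "BUG,VULNERABILITY", "ps": 100})
    for issue in issues.get("issues", []):
        print(f"[{issue['severity']}] {issue['component']}:{issue.get('line', '-')} "
              f"{issue['message']} ({issue['rule']})")
    print("open bugs/vulnerabilities by severity:", count_by_severity(issues))
    passed, failing = evaluate_gate(gate)
    if not passed:
        print("Quality Gate FAILED:", "; ".join(failing) or gate["projectStatus"]["status"])
        return 1
    print("Quality Gate passed")
    return 0


if __name__ == "__main__":
    sys.exit(main(demo="--demo" in sys.argv))
```

With --demo the script lists the two constructed bugs and exits 1 because the sample gate has a failing new_bugs condition; against a live instance it uses the project key you see under Projects. The page size (ps) is capped at 100 here; a project with more open issues would need the p parameter to page through the rest.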

FAQs

Frequently asked questions about this post.

  • How do I get a SonarQube instance up and running for MuleSoft code reviews?

    The quickest way is a Docker container: pull the image with docker pull fperezpa/mulesonarqube:7.7.3, then run it with docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 fperezpa/mulesonarqube:7.7.3. Once it is running you have a SonarQube instance ready to perform MuleSoft code analysis.

  • How do I log in to the SonarQube instance after running it?

    Go to http://localhost:9000/projects and use admin/admin as the default username and password to log in; you can change it later.

  • Why do I need to remove the .xml extension from SonarQube's default XML plugin?

    Your MuleSoft code is also XML, and the Mule plugin is the one that should inspect those files. Removing the .xml extension from the default XML plugin stops it from checking your MuleSoft application and lets the Mule plugin take over. You do this under Administration, then Configuration and General Settings, then the XML section, removing the .xml line and clicking Save.

  • How do I run the SonarQube code analysis on my MuleSoft project?

    Open a command line, navigate to your MuleSoft project's home directory, and run mvn sonar:sonar -Dsonar.host.url=http://localhost:9000 -Dsonar.sources=.\src, where -Dsonar.host.url is the URL where your SonarQube instance is running and -Dsonar.sources is the path to the code to analyze (typically the src folder under your MuleSoft project home). When it finishes, the report is available in your SonarQube instance under Projects.

  • Why did SonarQube flag a bug about credentials in the example project?

    The example application has an HTTP Listener with hardcoded host and port values, which was done intentionally. The report highlights that credentials and resources should be managed with application properties instead, since hardcoding them is not a good practice for MuleSoft applications.

  • Can I customize the rules SonarQube uses to review MuleSoft code?

    Yes. There is a set of Mule rules already configured (found under Rules, then Mule), plus two Quality Profiles, one for Mule 4 applications and one for Mule 3, with Mule 4 as the default. You can explore the default Mule rules and modify or add rules as needed to match your own MuleSoft coding standards.
