Introduction to SonarQube and Its Installation


In today’s fast-paced software development world, delivering secure, reliable, and maintainable code is critical. SonarQube is one of the most powerful tools used in DevOps pipelines to continuously inspect code quality and detect bugs, code smells, and security vulnerabilities.
1. What is SonarQube?
SonarQube is a code-analysis platform developed by SonarSource. The Community Edition is open source; the commercial editions add more languages and features. It runs static analysis on your source code automatically and reports:
Bugs: Actual errors in your code that can misbehave at runtime, for example a null dereference, an off-by-one condition or a resource that is never closed.
Code Smells: Not errors but bad practices. The code works, but it is written in a complicated or messy way that makes it hard to understand or maintain.
Vulnerabilities: Security issues in your code that an attacker can exploit, for example a hardcoded password or user input passed unvalidated into a SQL query or shell command. Ambiguous cases, such as use of a weak hash, are reported separately as Security Hotspots for a human to review.
Duplications: The same piece of code repeated in many places. A change in one place then has to be made everywhere, and the copies drift apart over time.
Code Coverage: How much of your code is executed by automated tests. SonarQube does not measure this itself; it imports the report from your test tooling. Higher coverage means more of the code is exercised, so regressions are more likely to be caught; low coverage leaves untested paths where bugs can hide.
Backend & Access
Default port: 9000 (web UI and Web API). The embedded Elasticsearch listens on 9001 on the loopback interface only and must never be exposed.
Built-in database (for evaluation only): H2. It is not supported for production and cannot be upgraded to a newer SonarQube version.
Supported databases: PostgreSQL, Oracle, Microsoft SQL Server. MySQL support was removed in SonarQube 7.9, so it no longer belongs on this list.
2. What Does SonarQube Do?
SonarQube is a tool that automatically checks the quality of your source code and helps you fix problems early. It runs during builds and gives clear feedback.
1. Scans Your Code Automatically
When you build your project (with Maven, Gradle, a plain SonarScanner, or from Jenkins and similar CI tools), the scanner analyses the source and uploads the results to the SonarQube server, which stores them, computes the metrics and evaluates the quality gate.
2. Detects Quality Issues
SonarQube highlights problems like:
Unused variables
Wrong logic or conditions
Duplicate code
Complex methods
Missing or misleading comments
Coding standard violations
Poor exception handling
Potential bugs
This helps you fix things before production.
3. Enforces Coding Standards
SonarQube checks whether you follow its built-in rule set for the language (Java, JavaScript, Python, C# and others) or your own quality profile with the team's custom rules, covering things like naming conventions, method length and nesting depth.
4. Checks for Unit Test Coverage
It imports the coverage report produced by your test tooling (JaCoCo for Java, lcov, Cobertura and similar) and reports the percentage of lines and branches executed by tests. You can set a rule like:
"At least 80% of code should be covered by tests."
5. Gives Code Ratings (A to E)
SonarQube assigns letter grades (A best, E worst) per project and per component:
Reliability – how many bugs, weighted by their severity
Security – how many vulnerabilities, weighted by their severity
Security Review – what share of the Security Hotspots has been reviewed
Maintainability – the technical debt ratio, i.e. the estimated time to fix the code smells relative to the time it took to write the code
Coverage and Duplications are shown as percentages rather than letter grades.
6. Shows a Visual Dashboard
It gives a dashboard with:
Graphs
Charts
Issue lists
Trends over time
So you can track and improve your code regularly.
7. Quality Gates Block Bad Code
You can set rules like:
No critical bugs
Coverage must be > 80%
Duplications < 5%
If any condition fails, the gate status becomes ERROR; it is shown on the project page and sent to any configured webhooks. Whether that actually blocks the build is up to your pipeline: run the scanner with -Dsonar.qualitygate.wait=true so it exits non-zero on a failed gate, or have the CI job query the gate status before it promotes the artifact. The default "Sonar way" gate applies its conditions to new code only, so existing debt does not fail every build.
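As an added example (not from the original post and not SonarSource's own code), here is the shape of a CI step that makes the gate actually stop a pipeline. The first path relies on the scanner property sonar.qualitygate.wait=true, which makes sonar-scanner exit non-zero when the gate is not OK (for the 9.9 server installed below the token goes in sonar.login; 10.x renamed it sonar.token). The second path asks the server through the Web API endpoint api/qualitygates/project_status and extracts the overall status. SONAR_HOST_URL, SONAR_TOKEN and PROJECT_KEY are placeholder variables, and the JSON reply embedded at the bottom is constructed to match the endpoint's shape, not captured from a server.

```shell
#!/bin/sh
# Fail a CI job when the SonarQube quality gate is not green.
# Placeholders (assumptions): SONAR_HOST_URL, SONAR_TOKEN, PROJECT_KEY.
set -eu

SONAR_HOST_URL="${SONAR_HOST_URL:-http://localhost:9000}"
PROJECT_KEY="${PROJECT_KEY:-my-app}"

# Option 1: let the scanner wait for the gate result and exit non-zero on ERROR.
# sonar.login carries the token on SonarQube 9.9; 10.x uses sonar.token instead.
run_analysis() {
  sonar-scanner \
    -Dsonar.projectKey="$PROJECT_KEY" \
    -Dsonar.host.url="$SONAR_HOST_URL" \
    -Dsonar.login="$SONAR_TOKEN" \
    -Dsonar.qualitygate.wait=true \
    -Dsonar.qualitygate.timeout=300
}

# Option 2: ask the server directly, e.g. from a later deploy job.
# qg_status <json>: prints the overall status (OK, ERROR or NONE) found in a
# /api/qualitygates/project_status reply. The first "status" key in the reply
# belongs to projectStatus; the per-condition statuses come after it.
qg_status() {
  printf '%s' "$1" \
    | grep -o '"status"[[:space:]]*:[[:space:]]*"[A-Z]*"' \
    | head -n 1 \
    | sed 's/.*"\([A-Z]*\)"$/\1/'
}

check_gate() {
  # Token goes in the user-name slot of basic auth with an empty password.
  reply=$(curl -fsS -u "${SONAR_TOKEN}:" \
    "${SONAR_HOST_URL}/api/qualitygates/project_status?projectKey=${PROJECT_KEY}")
  status=$(qg_status "$reply")
  echo "quality gate for ${PROJECT_KEY}: ${status}"
  [ "$status" = "OK" ]
}

# Constructed sample reply in the endpoint's shape: the gate failed on new-code coverage.
SAMPLE_FAIL='{"projectStatus":{"status":"ERROR","conditions":[{"status":"ERROR","metricKey":"new_coverage","comparator":"LT","errorThreshold":"80","actualValue":"61.2"}],"ignoredConditions":false}}'

case "${1:-}" in
  analyze) run_analysis ;;
  check)   check_gate ;;
  *)       echo "sample reply status: $(qg_status "$SAMPLE_FAIL")" ;;
esac
```

Invoke it as `analyze` right after the build, or as `check` from the job that deploys; with no argument it only evaluates the constructed sample and prints ERROR. The status parser deliberately uses grep and sed so the step works on a minimal CI image without jq.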
8. Shows Estimated Time to Fix Each Issue
Every rule carries an estimated remediation effort, so SonarQube reports how long fixing each issue should take and sums the total as technical debt.
For example:
Rename variable: 2 minutes
Fix complex logic: 10 minutes
This helps you plan better and fix faster.
3. Similar Tools to SonarQube
SonarQube – Checks code quality, bugs, security issues, and duplication during development.
Checkmarx – Finds security vulnerabilities directly in your source code.
Coverity – Detects bugs and defects early, especially in large or complex codebases.
Fortify SCA – Scans code for security flaws and helps meet compliance standards.
Veracode – Offers cloud-based tools to test app security across your entire software
4. Installation Steps (RHEL / EC2)
SonarQube Prerequisites
1. Hardware Requirements:
CPU: Modern multi-core processor
RAM: at least 2 GB for the SonarQube server plus 1 GB free for the OS; a 4 GB instance such as t2.medium is a sensible minimum for a test server, since the embedded Elasticsearch alone takes a large share.
2. Software Requirements:
Operating System:
Linux (preferred)
Windows
macOS
1. Connect to EC2
ssh -i your-key.pem ec2-user@<your-ec2-public-ip>
2. Switch to Root
sudo su -
3. Fix Time Sync (Avoid GPG Errors)
- Package signature and TLS checks fail when the clock is far off (keys and certificates look expired or not yet valid), so enable NTP, set the timezone and restart the time-sync daemon before installing anything.
timedatectl set-ntp true
timedatectl set-timezone UTC
systemctl restart chronyd || systemctl restart systemd-timesyncd
timedatectl # Confirm NTP is synchronized
4. Install Java 17 (Amazon Corretto)
- Amazon Corretto 17 (Java 17) on an RHEL-based system (e.g., Red Hat, CentOS)
rpm --import https://yum.corretto.aws/corretto.key
curl -Lo /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo
yum install -y java-17-amazon-corretto-devel
- The first command imports Corretto's signing key so that yum can verify the package signature. Do not pass --nogpgcheck: it disables exactly that check and would let a tampered package install silently.
Verify Installation
java --version
5. Set Required Kernel Parameters
- The embedded Elasticsearch refuses to start unless vm.max_map_count is large enough. 262144 is Elasticsearch's own floor, but SonarQube's requirements page asks for 524288; the same page also requires fs.file-max of at least 131072 and that the account running SonarQube may open 131072 files and 8192 threads.
sysctl -w vm.max_map_count=524288
echo 'vm.max_map_count=524288' >> /etc/sysctl.conf
6. Install Required Packages
yum install wget unzip -y
7. Download and Extract SonarQube
Don't Just Follow Any Guide Online: Avoid Hardcoded Links
Note: Never download SonarQube from random blogs or unofficial sources, and never paste a hardcoded link without checking it.
Always visit the official website: https://www.sonarsource.com/products/sonarqube/downloads/
- Scroll to the historical versions, choose the version you need, and open the Documentation link beside it.
- The docs state the compatibility requirements, for example the Java version ("Supports only Java 17" for SonarQube 9.9).
- Right-click the download button and select "Copy Link". The page also publishes a SHA-256 checksum for each archive; compare it with the file you downloaded before unpacking.
- Change to /opt, a common location for installing third-party applications (sudo is not needed here because step 2 already switched to root):
cd /opt
- Download the SonarQube 9.9.8 ZIP archive from the official SonarSource distribution site:
wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.9.8.100196.zip
- Extract the contents of the ZIP file into /opt:
unzip sonarqube-9.9.8.100196.zip
- Rename the extracted folder to the simpler name sonarqube for easier reference in scripts and paths:
mv sonarqube-9.9.8.100196 sonarqube
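An added example (not from the original post and not SonarSource's code) of doing the download with the checksum check built in, so a swapped or corrupted archive is never unpacked. It assumes that SonarSource publishes the digest beside each archive as "<archive>.sha256", which is how the download page's verification links are laid out; SONAR_VERSION and BASE_URL are placeholders you can override.

```shell
#!/bin/sh
# Fetch a SonarQube archive and the SHA-256 digest published beside it, and
# refuse to unpack unless they match. The "<archive>.sha256" companion URL is
# an assumption about SonarSource's download layout.
set -eu

SONAR_VERSION="${SONAR_VERSION:-9.9.8.100196}"
BASE_URL="https://binaries.sonarsource.com/Distribution/sonarqube"

# verify_sha256 <archive> <sumfile>: succeed only if the digest in <sumfile>
# matches <archive>. The sum file may contain just the hex digest or the usual
# "<hex>  <name>" line; only the first field is compared, case-insensitively.
verify_sha256() {
  archive="$1"; sumfile="$2"
  expected=$(awk 'NR==1 { print tolower($1) }' "$sumfile")
  actual=$(sha256sum "$archive" | awk '{ print tolower($1) }')
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

fetch_and_verify() {
  zip="sonarqube-${SONAR_VERSION}.zip"
  curl -fsSLO "${BASE_URL}/${zip}"
  curl -fsSLO "${BASE_URL}/${zip}.sha256"
  if verify_sha256 "$zip" "${zip}.sha256"; then
    echo "checksum OK: $zip"
    unzip -q "$zip"
    mv "sonarqube-${SONAR_VERSION}" sonarqube
  else
    echo "CHECKSUM MISMATCH for $zip: not unpacking" >&2
    rm -f "$zip"
    return 1
  fi
}

# Only touch the network and the filesystem when asked explicitly.
if [ "${1:-}" = "fetch" ]; then
  cd /opt && fetch_and_verify
fi
```

Run it as root with the argument `fetch` from any directory; it ends with /opt/sonarqube in place, the same state the manual wget, unzip and mv steps above produce. An empty or missing digest file fails the check rather than passing it, so a half-downloaded .sha256 cannot wave the archive through.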
8. Create a Dedicated User
- SonarQube refuses to run as root (the embedded Elasticsearch will not start as root), so it needs its own unprivileged account. That account needs nothing beyond write access to /opt/sonarqube.
1. Create the user
useradd sonar
- Creates a new Linux user named sonar.
2. Do not give the sonar user sudo rights
- Some guides add sonar ALL=(ALL) NOPASSWD: ALL to the sudoers file (via visudo) so the service account can run any command as root without a password. Skip this step. The SonarQube process parses untrusted source code, loads plugins and holds CI tokens; password-less root sudo turns any compromise of that process into a root compromise of the whole host, and nothing in the remaining steps requires it.
3. Give ownership of the SonarQube folder to the sonar user
chown -R sonar:sonar /opt/sonarqube
- Changes the ownership of the /opt/sonarqube directory (and all files inside) to user sonar.
4. Set proper permissions on the SonarQube folder
chmod -R o-rwx /opt/sonarqube
- Removes all access for other users while keeping the modes the archive shipped with for the owner and group. The commonly suggested chmod -R 775 would leave conf/sonar.properties, which holds the database credentials, readable by every account on the host.
9. Configure Environment for the sonar User
su - sonar
- Add the Java location to ~/.bashrc so the SonarQube wrapper can find it. Confirm the path first with readlink -f "$(command -v java)"; on Corretto RPM installs it may carry a .x86_64 suffix.
echo 'export JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto' >> ~/.bashrc
echo 'export PATH=$JAVA_HOME/bin:$PATH' >> ~/.bashrc
source ~/.bashrc
10. Start SonarQube
cd /opt/sonarqube/bin/linux-x86-64/
sh sonar.sh start
- Run this as the sonar user, never as root. Startup takes a minute or two; sh sonar.sh status reports whether the wrapper is running, and /opt/sonarqube/logs/sonar.log, web.log and es.log show why it is not (the usual culprits are vm.max_map_count and the open-file limit).
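Added example (not from the original post and not SonarSource's documentation): a script that replaces the manual sonar.sh start with a systemd unit, so SonarQube comes back after a reboot, runs strictly as the sonar user with the open-file and thread limits the requirements page lists, and takes its PostgreSQL settings from environment variables instead of a password typed into a guide. The hardening directives in the unit (ProtectSystem, ProtectHome, PrivateTmp, NoNewPrivileges) go beyond the minimal unit; ROOT and SONAR_HOME are assumed overrides that exist only so the functions can be dry-run against a scratch directory. On the real host, run it as root with the single argument apply after the chown step above.

```shell
#!/bin/sh
# Run SonarQube as a systemd service under the unprivileged "sonar" account.
# Assumptions: SonarQube is unpacked under /opt/sonarqube and owned by sonar;
# database settings arrive via SONAR_DB_HOST, SONAR_DB_NAME, SONAR_DB_USER and
# SONAR_DB_PASSWORD. ROOT and SONAR_HOME only exist for dry runs.
set -eu
ROOT="${ROOT:-}"
SONAR_HOME="${SONAR_HOME:-/opt/sonarqube}"

# Kernel limits from the SonarQube requirements page, made persistent.
write_sysctl() {
  mkdir -p "$ROOT/etc/sysctl.d"
  cat > "$ROOT/etc/sysctl.d/99-sonarqube.conf" <<'EOF'
vm.max_map_count=524288
fs.file-max=131072
EOF
}

# Switch from the embedded H2 database to PostgreSQL. The password is read from
# the environment at run time (set -u aborts if it is missing) so it never sits
# in this script or in shell history; the properties file is then owner-only.
configure_postgres() {
  props="$SONAR_HOME/conf/sonar.properties"
  cat >> "$props" <<EOF
sonar.jdbc.url=jdbc:postgresql://${SONAR_DB_HOST:-127.0.0.1}:5432/${SONAR_DB_NAME:-sonarqube}
sonar.jdbc.username=${SONAR_DB_USER:-sonar}
sonar.jdbc.password=${SONAR_DB_PASSWORD}
EOF
  chmod 600 "$props"
}

write_unit() {
  mkdir -p "$ROOT/etc/systemd/system"
  cat > "$ROOT/etc/systemd/system/sonarqube.service" <<EOF
[Unit]
Description=SonarQube service
After=network.target

[Service]
Type=forking
ExecStart=$SONAR_HOME/bin/linux-x86-64/sonar.sh start
ExecStop=$SONAR_HOME/bin/linux-x86-64/sonar.sh stop
User=sonar
Group=sonar
# Open-file and thread limits the embedded Elasticsearch needs.
LimitNOFILE=131072
LimitNPROC=8192
Restart=on-failure
# The service only needs to write under its own directory.
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
EOF
}

apply() {
  write_sysctl
  sysctl --system >/dev/null
  configure_postgres
  write_unit
  systemctl daemon-reload
  systemctl enable --now sonarqube
  systemctl --no-pager status sonarqube
}

# Only touch the live system when explicitly asked; sourcing the file is safe.
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Once the unit is in place, the ~/.bashrc JAVA_HOME export from step 9 is no longer what starts the server: systemd resolves java from its own PATH, so the Corretto package's java must be on it (it is, via the alternatives symlink in /usr/bin). If the service fails with an "unbound variable" message, SONAR_DB_PASSWORD was not exported before apply, which is the intended failure rather than a silently empty password.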
5. Access SonarQube
- Open port 9000 in the instance's security group, but restrict the source to your own IP range rather than 0.0.0.0/0: the server ships with a well-known default login and no TLS.
- Open in a browser: http://<your-ec2-public-ip>:9000
Default credentials:
Username: admin
Password: admin
- SonarQube forces you to change this password on first login; do it before creating any projects or tokens. For anything beyond a throwaway test instance, put a TLS-terminating reverse proxy in front and move from H2 to one of the supported databases.
Written by Kandlagunta Venkata Siva Niranjan Reddy
