Only Software matters

Experiences in software development

  • Enter your email address to follow this blog and receive notifications of new posts by email.

    Join 638 other followers

  • MVB

  • JavaCodeGeeks

    Java Code Geeks

  • My recent tweets

Archive for the ‘sonar’ Category

SonarQube workshop at Craft Conference

Posted by Patroklos Papapetrou on May 1, 2014

Last month, I had the chance to hold a SonarQube workshop at Craft Conference with a great success. A lot of people attended the workshop and my overall experience with the organization was awesome.

Below you can find some pictures taken during the workshop.








Posted in software, sonar | 3 Comments »

SonarQube 2014 user community survey

Posted by Patroklos Papapetrou on December 13, 2013

Hi everyone

As every year, it’s time for voting!! Not for plugins but for SonarQube’s unofficial 2014 survey.
You are all welcome to reply anonymously to 10 simple SonarQube-related questions. I expect that you won’t need more than 5 minutes to complete it.
The survey will be open until 31 of January and the results will be published in a following post some days later. The results will show not only this year’s answers but also a comparison with previous years 🙂

Just click on the following link and send your responses

Best Regards

Patroklos Papapetrou
Co-Author of Sonar​Qube​​ in Action

Posted in software, sonar | Tagged: , | Leave a Comment »

SonarQube meets scm statistics

Posted by Patroklos Papapetrou on September 21, 2013

Software quality is about a lot more than slinging good code. As a developer you use numerous tools, techniques, frameworks, and processes as you write, organize, build, test, refactor, and continuously improve your applications. SonarQube (Sonar), a free and open source quality platform, makes it radically easier to track, manage, and enhance the overall quality of your code. It leverages respected tools like Findbugs, PMD, and Checkstyle, and implements well-established best practices to provide a full-featured, robust platform for code quality measurement, review, and remediation. Originally Java-only, SonarQube now works with many other languages.

On the other hand your source code is (or at least should be) placed at a repository. Have you ever wondered who’s the developer that performs most commits or what time of the day dev-teams use to commit their changes back to the code base. These are some of the questions you can get by analyzing scm change logs. There are a few well-known open source tools (, ) for that purpose but each one of them handles only one scm type and all seem to be somehow deprecated. But the need of getting statistics about your code base still exists.

So some months ago I decided to start implementing the SonarQube SCM Stats plugin that gathers statistics from project’s source control repository and graphically display them in various ways. Currently the plugin – already in its third release –  focuses on collecting change logs for the most famous repository types. Git, Subversion, CVS, Mercurial , Perforce are partially or fully supported and after proper manipulation the plugin displays a SonarQube dashboard with the following graphs :

  • Commits / Author : displays only the top 10 authors ( list and pie chart views)
  • Authors activity : displays a stacked 3D bar chart about top 10 authors activities types : New files, modifications and / or deletions(red)
  • Commits / Hour :  displays in a bar chart the number of commits per clock hour
  • Commits / Day : displays in a bar chart the number of commits per week day
  • Commits / Month : displays in a bar chart the number of commits per month

And that’s only the beginning. In the next couple of months I intend to add some more graphs about file types, authors activities and of course improve and extend the coverage of other scm types.

If you already use SonarQube for tracking the quality of your source code, then SCM Stats plugin is a useful add-on that let you discover the secret statistics of your code base. Why don’t you give it a try?


Don’t forget to follow me at Twitter or connect with me at LinkedIn or subscribe to this blog’s RSS feed.

Posted in software, sonar | 1 Comment »

May … What a great month – June more to come…

Posted by Patroklos Papapetrou on June 3, 2013

Although I don’t like to write personal posts in this blog, this time I’ll make an exception.
May was an extremely busy month and I achieved some great things that will help my career’s evolution. In this post I summarize some important facts that happened and preview what’s coming for June.

– My first online interview was published at techdebt report blog.  It’s a very interesting discussion about technical debt and my recent blog post about resign patterns and how you can identify & remediate them using Sonar and Agile practices.

– I was invited and accepted to give a talk and hold a workshop at this year’s Øredev Conference (4-8th of November, Malmö, Sweden). Here are the links about both sessions

– The Sonar in Action Book is on the final stage and according to the plan end of June will be published. After several months, this will be the reward of my efforts.

– Near the publication date, InfoQ will publish an interview of mine about Sonar and a review about the book. As soon as the interview / review is online I’ll let you know!

– Changing jobs once again due to a family issue that made back return back to Thessaloniki from Athens


Don’t forget to follow me at Twitter or connect with me at LinkedIn

Posted in personal, sonar | Leave a Comment »

Sonar 2013 unofficial Survey results

Posted by Patroklos Papapetrou on February 16, 2013

The unofficial Sonar 2013 Survey has completed and you can find its results using the following link.

Thank you all of you who spend some time filling it.

Part of the survey is also presented below.



Favorite IDE



Which programming language you’d like to be supported in the future by Sonar






Posted in quality, sonar | Tagged: , , | 3 Comments »

Sonar 2013 Community Survey

Posted by Patroklos Papapetrou on December 11, 2012

It’s time for the Sonar Community to vote for Sonar’s annual survey.
As last year there’s an unofficial survey with 10 Sonar questions regarding the user community.

You are all welcome to reply anonymously to 10 simple Sonar-related questions. I expect that you won’t need more than 5 minutes to complete it.
The survey will be open until 31 of January and the results will be published in a following post some days later.

Just click on the following link and send your responses

Best Regards




Posted in quality, sonar | 3 Comments »

Fixing common Java security code violations in Sonar

Posted by Patroklos Papapetrou on September 21, 2012

This article aims to show you how to quickly fix the most common java security code violations. It assumes that you are familiar with the concept of code rules and violations and how Sonar reports on them. However, if you haven’t heard these terms before then you might take a look at Sonar Concepts or the forthcoming book about Sonar for a more detailed explanation.

To get an idea, during Sonar analysis, your project is scanned by many tools to ensure that the source code conforms  with the rules you’ve created in your quality profile. Whenever a rule is violated… well a violation is raised. With Sonar you can track these violations with violations drilldown view or in the source code editor. There are hundreds of rules, categorized based on their importance. Ill try, in future posts, to cover as many as I can but for now let’s take a look at some common security rules / violations. There are two pairs of rules (all of them are ranked as critical in Sonar ) we are going to examine right now.

1. Array is Stored Directly ( PMD ) and Method returns internal array ( PMD )

These violations appear in the cases when an internal Array is stored or returned directly from a method. The following example illustrates a simple class that violates these rules.

public class CalendarYear {
 private String[] months;
 public String[] getMonths() {
    return months;    
 public void setMonths(String[] months) {
    this.months = months;

To eliminate them you have to clone the Array before storing / returning it as shown in the following class implementation, so noone can modify or get the original data of your class but only a copy of them.

public class CalendarYear {
 private String[] months;
 public String[] getMonths() {
    return months.clone();    
 public void setMonths(String[] months) {
    this.months = months.clone();

2. Nonconstant string passed to execute method on an SQL statement (findbugs) and A prepared statement is generated from a nonconstant String (findbugs)

Both rules are related to database access when using JDBC libraries. Generally there are two ways to execute an SQL Commants via JDBC connection : Statement and PreparedStatement. There is a lot of discussion about pros and cons but it’s out of the scope of this post. Let’s see how the first violation is raised based on the following source code snippet.

Statement stmt = conn.createStatement();
String sqlCommand = "Select * FROM customers WHERE name = '" + custName + "'";

You’ve already noticed that the sqlcommand parameter passed to execute method is dynamically created during run-time which is not acceptable by this rule. Similar situations causes the second violation.

String sqlCommand = "insert into customers (id, name)  values (?, ?)";
Statement stmt = conn.prepareStatement(sqlCommand);

You can overcome this problems with three different ways. You can either use StringBuilder or String.format method to create the values of the string variables. If applicable you can define the SQL Commands as Constant in class declaration, but it’s only for the case where the SQL command is not required to be changed in runtime. Let’s re-write the first code snippet using StringBuilder

Statement stmt = conn.createStatement();
stmt.execute(new StringBuilder("Select FROM customers WHERE name = '").

and using String.format

Statement stmt = conn.createStatement();
String sqlCommand = String.format("Select * from customers where name = '%s'", custName);

For the second example you can just declare the sqlCommand as following

private static final SQLCOMMAND = insert into customers (id, name)  values (?, ?)";

There are more security rules such as the blocker Hardcoded constant database password but I assume that nobody is still hardcodes passwords in source code files…

In following articles I’m going to show you how to adhere to performance and bad practice rules. Until then I’m waiting for your comments or suggestions.

Posted in java, quality, software, sonar | Tagged: , , , | 10 Comments »

20 +2 Subjects Every Software Engineer Should Know … and the books you need

Posted by Patroklos Papapetrou on July 19, 2012

I recently read an extremely interesting and useful article about the 20 subjects that every software engineer should know or learn….
What is really cool is that it’s not restricted to products, languages but it describes generally accpepted technologies, methodologies and practices.
It applies both to  junior and exeperienced software engineers. The former have a guideline about the fields that need to focus whereas the latter have the chance to re-evaluate their knowledge.
What’s missing, IMHO, is to give the reader a clue about which are the best book(s) related to these subjects so in this post I give my advices on that. Of course the list of books is not complete and it’s just my opinion based on my experience.

Hope you find it useful as well!

1. Object oriented analysis & design

2. Software quality factors

3. Data structures & algorithms: Basic data structures like array, list, stack, tree, map, set etc. and useful algorithms are vital for software development. Their logical structure should be known.
6. Software processes and metrics
8. Operating systems basics
10. Network basics
13. Dependency management
15. ORM (Object relational mapping)
18. Internationalization (i18n)

Posted in agile, cdi, ci, continuous integration, java, quality, software, sonar, testing | 10 Comments »

Sonar 2012 Unofficial Survey

Posted by Patroklos Papapetrou on January 22, 2012

As you probably already know Sonar is the most popular platform for software quality. As a very wise person indicated to me, Sonar is today , what Continuous Integration was five years ago and Unit Testing a decade before. In my blog I have posted two Sonar-related articles. The first one is about the plugins you must not miss ( IMHO ) and the second describes the necessity of using it. Now, I feel it’s about time to see how the community uses Sonar, so I decided to perform an unofficial Survey.

I invite you then, to complete this short survey and share your opinion about this project. If you are not familiar with Sonar, it’s never too late 🙂


Sonar 2012 Unofficial Survey :


Posted in sonar | Leave a Comment »

5+1 Sonar Plugins you must not miss ( 2012 version )

Posted by Patroklos Papapetrou on January 1, 2012

This post is a revision of the original post, published last year and it covered Sonar version 2.8. Many months has passed and during this period the Sonar Team released four(4) new versions of the ultimate quality platform. The latest version ( 2.12 ) now includes JaCoCo in its core implementation and the existing plugin is now deprecated. Since I have included JaCoCo plugin in my previous post in top Sonar plugins I think it’s time to remove it and refine my list. So here is the 5+1 Sonar Plugins you must not miss for 2012!!

.I would like to clarify though some exceptions I have made prior to my final choice. I have excluded all plugins that have to do with additional languages and IDE to keep this post as much as objective I can. I have also excluded all commercial plugins for obvious reasons. After that assumptions I have limited my selections to the following categories :

  • Additional Metrics
  • Governance
  • Integration
  • Visualization / Reporting
Sonar itself comes with a variety of features that cover most of the needs of a software development team. However I consider that the following plugins are essential, especially for those that have adapted or trying to adapt agile practices. To be honest it was very difficult to select only 6 plugins!!
1.Hudson / Jenkins plugin
Although Sonar analysis can be easily triggered from several build tools (maven, ant etc.) I strongly believe that its native integration with the most famous open source CI server makes itself an important part of the continuous integration / deployment practice. The configuration is extremely easy and as proposed the best practice is to trigger Sonar at night builds. Team members can track day by day software quality, automatically, without bothering when a new analysis should run.
2.Timeline Plugin (2012 new entry)
How many times have you needed to see how much your source code has improved (hopefully) in the last weeks or months? Have you ever tried to compare basic quality indeces in a single graph? Timeline plugin integrates Google Visualization Annotated TimeLine component at project level and provides a flexible way to historical data regarding sonar quality metrics. Moreover it adds version and date milestones on visualization graph by providing in depth details about the evolution of a software project. Extremely useful for all team members ( developers, architects, testers even managers ).
3.Useless Code Plugin
It may looks similar to the Sonar Core feature named Duplicate Code, but it adds some more metrics, which I think are very useful especially for large or legacy systems. In general it measures how many lines can be removed from your code. It reports what is the number of unused private methods that can be safely removed and the number of unused protected methods exist in the code that can be removed after some more careful code examination. Finally it provides some more details about code duplication informing how duplicate lines are formed (i.e. x blocks of y lines )
4.SIG Maintainability Model Plugin
This plugin, as its name implies is an implementation of the Software Improvement Group(SIG) Maintainability Model. It reports ranking – from — :(very bad) to ++ (very good) on the following base indicators:Analysability, Changeability, Stability and Testability. The core idea for this ranking is to measure a series of base metrics such as Lines of Code(LOC), Duplications,Unit Tests,Complexity and Unit Size. Each of these metrics is then accounted into some of the mentioned indicators and the final result is representing the overall maintainability of the project. We can see the results of this analysis in a graphical (spider) presentation with all four axes of the model. With a glance a this graph you have a global and detailed at the same time view of how easy is to change and maintain your codebase. For me it is the first index I check every morning and if something is not + or ++ then we definitely have done something wrong 😉

5.Quality Index Plugin
Have you ever wanted to check a single number (indicator) and understand how healthy is your project? I am sure you have!! Well, the quality Index plugin is exactly what you are looking for. The plugin combines four weighted axes (complexity, coding violations, style violations, test coverage) of quality and produces a ranking between 0 (lowest) and 10(highest). Moreover it calculates a method complexity factor based on the complexity factor mentioned above. Have you ever tried to get a ranking of 10 with this plugin? I think it worths the effort! 🙂

6.Technical Debt Plugin
Last, but not least, the plugin that reports about the interest you have to pay as a developer, as a team, as a company. Technical debt is a term invented by Ward Cunningham to remind us that if we don’t pay our interest from time to time, then it is for sure that eventually this will make our software unmaintainable and hard to add new features or even find the root cause of defect. The plugin, which has a very powerful configuration, represents technical debt in four dimensions.

  • Debt Ratio : The percentage of current technical debt to the maximum possible technical debt.
  • Cost to reimburse : Cost in your currency to pay all interest and clean up your code
  • Work to reimburse : Same as above measured in man days.
  • Breakdown : Distribution to the following axes: Duplication, Violations, Complexity, Coverage, Documentation and Design

Be sure that you check its measures to avoid find yourself in bad situation like spaghetti code 🙂

I am pretty sure that there are plenty of interesting Sonar plugins so please feel free to post your comments with your list of them.

Posted in quality, software, sonar | 3 Comments »

%d bloggers like this: