Creating and maintaining quality code can be a challenge, especially in the face of feedback and changing requirements for both products and client work. In addition to the usual code review processes, TEAM IM uses the code scanning software SonarQube to analyze the codebase for projects. SonarQube has many different functions, which generally fall into two camps: finding issues with individual blocks of code, and looking at the project as a whole.
When looking at individual blocks of code, the most useful things that SonarQube analyzes are bugs and typos. One specific example is that it will call out an execution branch where an object could be null when a function is called on it, and inform you that there is potential for a NullPointerException. Another flagged item is resources that use Streams that aren't closed properly, which can cause memory problems in the application if left unresolved. SonarQube will also note if a particular function or object has been deprecated, encouraging the developer to make the necessary updates.
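The two patterns described above, each shown beside a corrected form, as an added example that is not TEAM IM's code. It assumes a Java 11+ project; the class name, method names, the "region" key and the sample file are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import java.util.stream.Stream;

// Hypothetical class written for illustration only.
public class FlaggedPatterns {

    // Flagged pattern: Map.get returns null for a missing key, so one
    // execution branch calls trim() on null (NullPointerException).
    static String regionFlagged(Map<String, String> config) {
        String region = config.get("region");
        return region.trim();
    }

    // Corrected: the missing-key branch is handled explicitly.
    static String regionFixed(Map<String, String> config) {
        String region = config.get("region");
        return region == null ? "default" : region.trim();
    }

    // Flagged pattern: Files.lines keeps the underlying file open until
    // the stream is closed, and nothing here ever closes it.
    static long countFlagged(Path file) throws IOException {
        Stream<String> lines = Files.lines(file);
        return lines.filter(l -> !l.isBlank()).count();
    }

    // Corrected: try-with-resources closes the stream on every exit
    // path, including when the pipeline throws.
    static long countFixed(Path file) throws IOException {
        try (Stream<String> lines = Files.lines(file)) {
            return lines.filter(l -> !l.isBlank()).count();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temp file with one blank line.
        Path sample = Files.createTempFile("sample", ".txt");
        Files.writeString(sample, "alpha\n\nbeta\n");
        System.out.println(countFixed(sample));
        // Constructed config that lacks the "region" key.
        System.out.println(regionFixed(Map.of("zone", "a")));
        Files.delete(sample);
    }
}
```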
The other primary benefit that SonarQube provides comes from performing an analysis of the wider codebase. This allows SonarQube to call out code duplications across different files in the project. This is useful because duplications make code harder to maintain and can also introduce bugs if there are two slightly different implementations of the same logic and the wrong one is accidentally called. In the same vein, it will identify if a particular string is used repeatedly in the project and suggest using a constant to reduce the chances of a bug caused by a typo. Finally, SonarQube integrates with automated testing scripts to easily identify what percentage of a codebase is covered by tests and what execution branches have been missed entirely.
In addition to SonarQube, our quality pipelines have an additional step to run an OWASP scan on the project's dependencies. This gives a clear view into any vulnerabilities that the project's imported dependencies might have. This is an important step, as it informs our decision on when to upgrade the frameworks that the codebase is built upon. These upgrades can be time-consuming but are necessary to mitigate issues such as the widespread log4j vulnerability that was discovered a few years ago. Even when there isn't a larger vulnerability in play, the OWASP scan is a key point in tracking dependency versions, making it easy to maintain project stability and security.
Overall, the use of SonarQube and OWASP scans allows TEAM IM to easily track down potential issues before they occur, resulting in quality, stable applications.