Showing posts with label Code Quality. Show all posts

Wednesday, July 20, 2016

Extending SonarQube with custom rules

SonarQube has today become our de facto standard for code analysis. We also use it for our migration projects, where we define custom rules to check whether the current application can be ported to the new technology stack.

The links below give a good overview of writing custom rules in SonarQube for Java, .NET and JS.

1. Custom Rules in Java
2. Custom Rules in .NET - using the Roslyn analyzer.
3. Custom Rules in JavaScript 

By leveraging the code templates and SDKs that come with these tools, it is easy to create new custom rules. Behind the scenes, the analysers first build a syntax tree of the code; then, for each rule, the visitor design pattern is applied to walk all the nodes and apply the check/business logic.

After doing the analysis, it is also possible to auto-remediate / refactor the source code using predefined rules. The following open source tools can be used for auto-remediation.

http://autorefactor.org/html/samples.html
http://walkmod.com/
https://github.com/facebook/pfff

Tuesday, September 15, 2015

Static code analyzers for native mobile app development

This post lists the tools used by my mobility team for static code analysis of mobile apps.

For iOS, the most popular tool is Clang. The default IDE (Xcode) also comes with a built-in static code analyzer.

Sonar also provides a commercial plug-in for Objective-C that can be very useful if you are already using Sonar for all other platforms. There is another open-source Sonar plug-in for Objective-C available here - https://github.com/octo-technology/sonar-objective-c

For Android, the most popular static code analyzer is lint. Lint integrates very well with Eclipse and Android Studio.

Facebook recently released an open-source static code analyzer for Android and iOS called Infer. Facebook uses Infer to detect bugs in its Android and iOS apps.

Friday, August 03, 2012

Custom PMD rules using XPath

Writing custom rules in PMD using XPath is an exciting concept, but unfortunately there are not many good tutorials or reference guides available on the internet for this.

Recently, we wanted to write custom PMD rules to extract Spring JDBC calls from the code base. We utilized the PMD Rule Designer that is provided out of the box in Eclipse to easily write the rules.

Just open Eclipse -> Preferences -> PMD -> Rule Designer.
In Rule Designer, copy-paste your source code and check the AST (Abstract Syntax Tree) that is formed. You can also copy the AST XML from the menu bar and paste it into a text editor. Writing the XPath expression then becomes very, very simple!

For example, for finding the Spring JDBC query calls, the XPath was:
//PrimaryPrefix[Name[starts-with(@Image,'jdbcTemplate.query')]]
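
To see what this expression selects, the following added example (not code from the original post) evaluates it with the JDK's XPath engine over a small AST written in the shape of a Rule Designer XML export. The class name, the `reportTemplate` variable and the `BeginLine` values are constructed for illustration, and the element and attribute names are assumed to follow PMD's Java AST.

```java
import java.io.StringReader;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class JdbcQueryXPathDemo {
    // The XPath expression from the post, unchanged.
    static final String RULE =
        "//PrimaryPrefix[Name[starts-with(@Image,'jdbcTemplate.query')]]";

    // Constructed sample: a cut-down AST with one PrimaryExpression per
    // method call. Node shapes and line numbers are assumptions.
    static final String AST =
        "<Block>"
      + call("jdbcTemplate.query", 12)
      + call("jdbcTemplate.queryForObject", 18)
      + call("jdbcTemplate.update", 25)
      + call("reportTemplate.query", 31)
      + "</Block>";

    // Builds the XML for a call such as jdbcTemplate.query(...).
    static String call(String image, int line) {
        return "<PrimaryExpression><PrimaryPrefix BeginLine='" + line + "'>"
             + "<Name Image='" + image + "'/></PrimaryPrefix>"
             + "<PrimarySuffix><Arguments/></PrimarySuffix></PrimaryExpression>";
    }

    public static void main(String[] args) throws Exception {
        XPath xpath = XPathFactory.newInstance().newXPath();
        // Evaluate the rule against the sample AST and collect matching nodes.
        NodeList hits = (NodeList) xpath.evaluate(
            RULE, new InputSource(new StringReader(AST)), XPathConstants.NODESET);
        for (int i = 0; i < hits.getLength(); i++) {
            Element prefix = (Element) hits.item(i);
            Element name = (Element) prefix.getElementsByTagName("Name").item(0);
            // Report each match the way a rule violation would be listed.
            System.out.println("line " + prefix.getAttribute("BeginLine")
                + ": " + name.getAttribute("Image"));
        }
    }
}
```

The expression keys on the text of the `Name` node, so `jdbcTemplate.queryForObject` is selected through `starts-with`, while `jdbcTemplate.update` and a template held in a variable with another name (`reportTemplate` here) are not. When the rule is used to inventory every JDBC call, check the variable and field names actually used in the code base and widen the predicate accordingly.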