Code Quality Analysis with Sonar

Clean your Java code and make it a long-term asset

Jonathan Manera
5 min read · Jun 3, 2023

SonarQube is an open-source platform for continuous code quality inspection. This tool provides a detailed analysis of bugs, code smells, vulnerabilities, and duplications in source code.

Static code analysis rules provided by Sonar can help you identify bugs, bad practices, and vulnerabilities. This may encourage you and your team to follow the same code standards.

As a part of this article, we will look at how to address quality issues in Java code using Sonar.

Setting Up SonarQube

To set up the server, we will use SonarQube Community Edition in Docker.

We need to run the LTS (long-term support) version of the official SonarQube Docker image.

Execute the following Docker command to start a server on your machine:

docker container run -d -p 9000:9000 --name sonar sonarqube:lts

The Sonar server runs on port 9000. Open the Sonar UI at localhost:9000 and wait for it to start.

You will be asked to log in once the server starts. The default username/password is admin/admin.

Next, you may need to change your password.

Now that you’re logged in, click “My Account”.

In the “Security” tab, you can create an access token. We will use the token later to analyze a project example.

To create a token, specify the name, type, and expiration. Fill in the fields and click on the “Generate” button.

Copy the generated token, and save it for later.

Setting Up the Project

Next, we will use a project that intentionally includes poor-quality practices according to the Sonar rules for Java. This project is available on my GitHub.

In the code snippet below, the pom.xml file includes the Sonar Maven Plugin to trigger SonarQube analysis.

<plugin>
    <groupId>org.sonarsource.scanner.maven</groupId>
    <artifactId>sonar-maven-plugin</artifactId>
    <version>${sonar-maven-plugin.version}</version>
</plugin>

Add the plugin and run this:

$ mvn sonar:sonar -Dsonar.host.url=http://localhost:9000 \
    -Dsonar.login=<generated-token>

Here, you need to replace <generated-token> with the token created earlier.

After running the command, you should see your project in the Projects dashboard.

Projects dashboard

Sonar Concepts

Based on the example project results, let’s review some important concepts you need to know when using Sonar.

Code analysis results for the loan-app project

Bugs

Sonar defines bugs as…

An issue that represents something wrong in the code. If this has not broken yet, it will, and will probably break at the worst possible moment. This needs to be fixed as soon as possible.

Example: My code has a connection that is not closed after use. As a result, we are in violation of RSPEC-2095.

Vulnerabilities

Sonar defines vulnerabilities as…

A security-related issue that represents a backdoor for attackers.

Example: A hard-coded password was found in my code. This violates RSPEC-6437.

Hotspots

Sonar defines Security Hotspots as…

Security-sensitive pieces of code that need to be manually reviewed. Upon review, you’ll either find that there is no threat or that there is vulnerable code that needs to be fixed.

Example: I have debug features activated in my code, which is a security-sensitive issue because they simplify the work of attackers. This risk is described in RSPEC-4507.

Code Smells

Sonar defines Code Smells as…

A maintainability-related issue in the code. Leaving it as-is means that at best, developers maintaining the code will have a harder time than they should when making changes. At worst, they’ll be so confused by the state of the code that they’ll introduce additional errors as they make changes.

Example: I have thrown a generic exception such as RuntimeException. This is an issue because it prevents distinguishing true, system-generated exceptions from application-generated errors. This issue is described in RSPEC-112.

Read more about Sonar concepts at https://docs.sonarqube.org/latest/user-guide/concepts/
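To make the Bug, Vulnerability and Code Smell examples above concrete, here is a constructed Java snippet (added for this article, not code from the loan-app project) that shows the same lookup written twice: first in a form that triggers RSPEC-2095, RSPEC-6437 and RSPEC-112, then in a form that passes. The database URL, the user name and the LOAN_DB_PASSWORD environment variable are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Constructed example: the same lookup written twice, once the way that
// triggers Sonar findings and once the way that passes the rules.
public class LoanLookup {

    // RSPEC-6437 (Vulnerability): credential hard-coded in source.
    private static final String DB_PASSWORD = "s3cret";          // constructed value
    private static final String DB_URL = "jdbc:h2:mem:loans";    // assumed URL

    // "Before": Sonar reports RSPEC-2095 (Bug) because the Connection,
    // PreparedStatement and ResultSet are never closed, and RSPEC-112
    // (Code Smell) because a generic RuntimeException is thrown.
    public static double balanceUnsafe(long loanId) {
        try {
            Connection c = DriverManager.getConnection(DB_URL, "app", DB_PASSWORD);
            PreparedStatement ps = c.prepareStatement("SELECT balance FROM loan WHERE id = ?");
            ps.setLong(1, loanId);
            ResultSet rs = ps.executeQuery();
            return rs.next() ? rs.getDouble(1) : 0.0;
        } catch (SQLException e) {
            throw new RuntimeException(e);
        }
    }

    // "After": try-with-resources closes every resource (fixes RSPEC-2095),
    // the credential comes from the environment (fixes RSPEC-6437), and a
    // dedicated exception type replaces RuntimeException (fixes RSPEC-112).
    public static double balance(long loanId) throws LoanStoreException {
        String password = System.getenv("LOAN_DB_PASSWORD"); // assumed variable name
        try (Connection c = DriverManager.getConnection(DB_URL, "app", password);
             PreparedStatement ps = c.prepareStatement("SELECT balance FROM loan WHERE id = ?")) {
            ps.setLong(1, loanId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getDouble(1) : 0.0;
            }
        } catch (SQLException e) {
            throw new LoanStoreException("lookup failed for loan " + loanId, e);
        }
    }

    public static class LoanStoreException extends Exception {
        public LoanStoreException(String message, Throwable cause) { super(message, cause); }
    }
}
```

Running the Maven command from the setup section against a project containing only the "before" method shows all three findings on the dashboard; the "after" method reports none of them.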

Clean As You Code With SonarLint

Clean as You Code is an approach to code that aims to eliminate quality issues as early as possible. This allows developers to focus on maintaining high standards and taking responsibility for any quality issues that may arise in their code.

Configuring SonarLint in IntelliJ

In IntelliJ, you can install the SonarLint plugin as shown below.

Once the plugin is installed, go to the “SonarLint” tab and click on the configuration icon.

Choose “Bind project to SonarQube/SonarCloud” and then click “Configure the connection…”.

Create a new connection by clicking the “+” button.

Enter the Connection Name, pick SonarQube, set the URL, and click “Next”.

Set the “Token” and click “Next”. I recommend using a user token.

Select “Next”.

Finally, click on “Create”.

Now that the connection has been created, you will be able to bind your project to SonarQube.

You will be notified when SonarLint detects a violation of a rule. This will help you clean up your code as you go!

Thanks for reading. I hope this was helpful!
