SonarQube and Sonatype Nexus IQ Server
What is it and how does it relate to us?
What is SonarQube?
- An open source tool to measure and analyze the quality of source code
- Supports over 20 different languages
- Ability to analyze within your CI engine or locally in your IDE
- Covers architecture and design, complexity, duplications, coding rules, potential bugs, unit tests and comments (from APIs)
- Creates a homogenized and centralized report, displayed on an easy-to-read dashboard of metrics defined by the user/team
- Lots of plugins for other ALM tools to ensure quality code is written before it is put into production
Why SonarQube?
- Utilizes static and dynamic analysis tools
- Focused on the 7 axes of code quality rather than just bugs and code complexity
- Can be used as a plugin alongside CI servers, centralizing the build and the code analysis
SonarQube Architecture
However, this only checks the built code from developers. What happens before and after that?
What is Sonatype Nexus IQ Server?
Consists of three separate parts that work together:
- Auditor
- Firewall
- Lifecycle
Why Sonatype Nexus IQ Server?
- Provides governance and oversight of the entire software supply chain by monitoring all components and artifacts
- Integrates with many other DevOps-related and existing tools used within HSBC
Supply Chain Flow