Use SonarQube with sonar-cxx

Installation

  • Download SonarQube from https://www.sonarqube.org/downloads/
    • If you are using Java 8, you need to download SonarQube 6.7.x LTS (look for Historical Downloads on the website)
    • If you are using Java 11 - SonarQube 7.9.x LTS (look for Long term support area on the website)
  • Unpack the SonarQube ZIP file
  • Download the latest sonar-c-plugin.jar and sonar-cxx-plugin.jar from https://github.com/SonarOpenCommunity/sonar-cxx/releases
  • Copy both JAR files into the SONARQUBE_HOME/extensions/plugins directory (within the unpacked ZIP file)
  • Start SonarQube and log in
    • On Windows 10, e.g. via SONARQUBE_HOME/bin/windows-x86-64/StartSonar.bat
    • Go to http://127.0.0.1:9000 as soon as "SonarQube is up" is announced
    • Default login is user admin, password admin
  • Navigate to Administration -> Marketplace and make sure the plugins "C (Community)" and "C++ (Community)" are installed

Configuration - General

  • Additional configuration can be done under Administration -> Configuration -> General Settings within the "C (Community)" and "C++ (Community)" areas

Configuration - Quality Profiles

  • You need to enable the kinds of problems both plugins should scan for. This has to be done initially, as otherwise they will not detect anything by default.
  • Example for C (Community)
    • Go to Quality Profiles, click on the downwards arrow next to the "Sonar way (Built-in)" profile within the "C (Community)" area. Click Copy. Give it a catchy name, like "Sonar way - C"
    • A new quality profile pops up, with the Rules (Bugs, Vulnerabilities, Code Smells) in the left table. Click "Activate more". In the next table, the rules are sorted by the same types. If you want, you can select all three types on the left side, then click "Bulk Change" and "Activate In "Sonar way - C"" to activate all rules within the newly created Quality Profile. You have to acknowledge the change, and SonarQube will report back as soon as the changes are done.
    • You can now navigate back to Quality Profiles, click on the downwards arrow next to the "Sonar way - C" profile within the "C (Community)" area and click on "Set as Default".
    • With this change, your newly created profile will now be used for the next scans.

Prepare first scan of C Code

# must be unique in a given SonarQube instance
sonar.projectKey=TestApplication
# defaults to 'not provided'
#sonar.projectVersion=1.0
# Path is relative to the sonar-project.properties file. Defaults to .
sonar.sources=.
#----- Default SonarQube server
#sonar.host.url=http://localhost:9000
# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8
# project is c, please scan with c plugin (one needs to be enabled)
sonar.language=c
# project is c++, please scan with c++ plugin (one needs to be enabled)
#sonar.language=c++
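
A pre-flight check for the sonar-project.properties file shown above, as an added example that is not part of the original post or of the SonarQube/sonar-cxx projects. The function names and the constructed sample files are assumptions; the rules checked (project key set, one of the two language lines enabled, source paths relative to the properties file) are the ones stated in the file's comments.

```python
import os
import tempfile

ALLOWED_LANGUAGES = {"c", "c++"}  # the two values shown in the file above

def parse_properties(text):
    """Return active key=value pairs; '#' lines are comments and are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def preflight(properties_path):
    """Return a list of problems found in a sonar-project.properties file."""
    with open(properties_path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    base = os.path.dirname(os.path.abspath(properties_path))
    problems = []
    if not props.get("sonar.projectKey"):
        problems.append("sonar.projectKey is missing")
    language = props.get("sonar.language")
    if language not in ALLOWED_LANGUAGES:
        problems.append("sonar.language must be enabled as c or c++, got %r" % language)
    # sonar.sources defaults to '.', resolved relative to the properties file
    for src in props.get("sonar.sources", ".").split(","):
        if not os.path.isdir(os.path.join(base, src.strip())):
            problems.append("source path not found: %s" % src.strip())
    return problems

def demo():
    """Run the check on two constructed files in a temporary directory."""
    good = "sonar.projectKey=TestApplication\nsonar.sources=.\nsonar.language=c\n"
    # Constructed bad file: both language lines commented out, wrong source path
    bad = "sonar.projectKey=TestApplication\nsonar.sources=src\n#sonar.language=c\n#sonar.language=c++\n"
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sonar-project.properties")
        for content in (good, bad):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
            results.append(preflight(path))
    return results

if __name__ == "__main__":
    for found in demo():
        print(found or "ok")
```

Calling preflight() on the real file before starting the scanner catches a commented-out language line or a wrong source path before any data is sent to the server.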

First scan of C Code

  • Open up a shell within the project folder with the sonar-project.properties file
  • Within this shell, execute SonarScanner by starting its sonar-scanner executable, e.g. "D:\sonar-scanner-4.5.0.2216-windows\bin\sonar-scanner.bat"
  • The scanner will now work through the project and, once it's done, send the data to the SonarQube server, where it will be computed and shown as a project
