Streamlining code quality and security in OpenLMIS

This blog post delves into our recent strategic move: the transition from SonarQube, a well-established code quality tool, to SonarCloud, a more modern, cloud-based solution. This shift is not only about embracing new technologies, but also about aligning with best practices in continuous code quality management and security. We’ll explore the motivations behind this migration, the benefits it brings, and how it positions OpenLMIS for a more robust and secure future.

OpenLMIS

openlmis

Open-source logistics management system, supporting healthcare supply chains, especially in resource-limited areas. For over eight years, SolDevelo has played a significant role in its development, making substantial contributions to its growth and functionality. Our commitment to high-quality code and stringent security protocols is crucial, as it directly impacts the reliable and secure management of medical supplies through the system.

Overview of the existing problem with our SonarQube server and Jenkins

Before the migration, OpenLMIS utilized a dedicated SonarQube server integrated with Jenkins to meet our code quality and integration standards. Initially, this setup served our needs, but as OpenLMIS grew, we encountered challenges in keeping the rule set for security up to date and scaling the system to handle the volume of code analysis required for maintaining consistently high code quality. 

The limitations of our SonarQube server – particularly its outdated security rules from 2013 and its inability to scale efficiently – underscored the critical need for a transition to a more advanced and flexible solution. This shift was essential to preserve and strengthen our dedication to coding excellence and the secure operation of OpenLMIS.

The Problem and Challenge

Outdated Rule Set in SonarQube

Our primary hurdle with the SonarQube server was its rule set, which became increasingly outdated. As software development and security paradigms evolved, the static rule set of SonarQube failed to incorporate many critical contemporary checks, essential for modern code quality and security standards. This limitation was significant, as it not only hindered our ability to detect and address emerging issues but also risked the integrity of OpenLMIS in the industry where cutting-edge security and reliability are non-negotiable.

Complex Migration Challenge

The task of migration was far from straightforward. We faced the daunting challenge of moving all of our repositories that were extensively connected with SonarQube. This migration was more than simply a technical change; it was a complete rewrite of our current codebase across many repositories. Our goal was to guarantee a smooth transfer without interfering with our ongoing development efforts.

Furthermore, the migration process uncovered several pre-existing bugs in our code that had previously gone unnoticed by the prior SonarQube configuration. We had to deal with these difficulties throughout the process, which complicated our duties. However, it also gave us a tremendous chance to significantly enhance the general quality and security of the OpenLMIS codebase. Transitioning to a more complex system while correcting pre-existing code issues required accurate preparation and communication. We were determined not only to make an efficient migration but also to use this opportunity to further strengthen our codebase.

The Solution: SonarCloud and GitHub Actions

After a comprehensive analysis of our needs and the limitations of our existing setup, we opted for SonarCloud in conjunction with GitHub Actions as our new, advanced solution. This strategic shift was aimed at resolving the challenges we encountered with SonarQube and Jenkins, particularly in terms of upgrading our security rules and improving our code quality procedures.

Why SonarCloud?

SonarCloud was the standout choice for its cloud-based service that ensures a constantly refreshed set of analysis tools and rules, pivotal for applying the latest OWASP Top 10 security standards. Unlike our previous server-based SonarQube, which was updated less frequently, SonarCloud keeps us at the forefront of security and code quality practices. Its support for a multitude of programming languages and prompt feedback on code quality are particularly valuable for our diverse and ever-evolving codebase.

The Role of GitHub Actions

GitHub Actions significantly enhanced the migration process, replacing Jenkins with a more flexible and adaptable platform for managing our CI/CD workflow. The automation of code analysis and testing processes has become considerably more efficient thanks to it. This new structure has not only shortened our processes but also increased consistency and dependability. The combination of GitHub Actions and SonarCloud has increased our capacity to undertake detailed and continuous code evaluations while maintaining high code quality and security requirements.

Importantly, GitHub Actions excels in promptly evaluating new code contributions, delivering feedback on potential errors within 3 to 5 minutes. This rapid turnaround is instrumental in swiftly identifying and addressing defects, thus narrowing the gap between development and deployment, and elevating the overall health of our code.

Implementing SonarCloud with OpenLMIS

1. Creating a SonarCloud Account and Linking to GitHub 

Our initial step in the integration process was to establish a SonarCloud account, which we accomplished using our GitHub credentials to facilitate a smooth setup. With the account ready, we then linked it to the existing OpenLMIS GitHub organization, a move that was instrumental for enabling seamless integration and automation. This foundational step ensured that all subsequent actions and analysis within our CI/CD pipeline would be synchronized across our development ecosystem.

2. Setting Up a Project in SonarCloud 

With our OpenLMIS GitHub organization linked to SonarCloud, the subsequent action was to establish a project within SonarCloud for each repository. This setup allows for a focused analysis of each codebase, enhancing the management and oversight of our projects. Repositories are imported into SonarCloud using the platform’s interface, which provides a centralized view of all projects.

sonar

The OpenLMIS organization dashboard on SonarCloud gives a general overview, indicating that we are currently managing over 20 active projects. This dashboard is instrumental for our team to monitor the health of each project, identify issues, and assess overall code quality, ensuring that every repository meets our stringent quality standards.

3. Configuring SonarCloud Analysis 

Once your projects are established in SonarCloud, the next crucial step is to tailor the analysis settings to suit the specific needs of your codebase. Configuring quality gates is a pivotal task; these gates serve as the benchmark that code changes must meet to be considered acceptable for deployment. They encompass a variety of criteria, such as code coverage thresholds, bug detection parameters, and vulnerability identification processes.

For most projects, starting with SonarCloud’s default settings is beneficial. These defaults are designed based on best practices and common standards that cater to a wide range of development scenarios. They provide a solid foundation for maintaining code quality and can be customized further as needed. Adopting these settings can save time and ensure a consistent level of code analysis from the outset, especially important when managing multiple projects with varying complexities.

4. Integrating with GitHub Actions 

The seamless automation of code analysis with each code push or pull request is facilitated by integrating SonarCloud with GitHub Actions. Achieving this requires the addition of a workflow file to each GitHub repository. This YAML file is the blueprint for your CI/CD pipeline, dictating every action to be taken, including the trigger of SonarCloud analysis upon code changes.
Below is the workflow file from the openlmis-requisition repository, which illustrates a typical setup:

name: SonarCloud OpenLMIS-requisition Pipeline
on:
 push:
   branches:
     - master
 pull_request:
   types: [opened, synchronize, reopened]
jobs:
 build:
   name: SonarCloud Analyze
   runs-on: ubuntu-latest
   steps:
     - uses: actions/checkout@v3
       with:
         fetch-depth: 0
     - name: Set up JDK 17
       uses: actions/setup-java@v3
       with:
         java-version: 17
         distribution: 'zulu'
     - name: Cache SonarCloud packages
       uses: actions/cache@v3
       with:
         path: ~/.sonar/cache
         key: ${{ runner.os }}-sonar
         restore-keys: ${{ runner.os }}-sonar
     - name: Cache Gradle packages
       uses: actions/cache@v3
       with:
         path: ~/.gradle/caches
         key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
         restore-keys: ${{ runner.os }}-gradle
     - name: Build with Docker Compose
       run: |
         curl -o .env -L https://raw.githubusercontent.com/OpenLMIS/openlmis-ref-distro/master/settings-sample.env
         docker-compose -f docker-compose.builder.yml run builder
         sudo chown -R $(whoami) ./
         cp ./build/reports/jacoco/test/jacocoTestReport.xml report.xml
         rm -rf ./build
     - name: SonarCloud Scan
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       run: ./gradlew sonarqube --info

This workflow is triggered on pushes to the master branch and when pull requests are opened, synchronized, or reopened. It includes steps for setting up the environment, caching dependencies to improve build speed, and executing the SonarCloud scan using Gradle. This example file can be used as a template, and teams are encouraged to adjust the parameters to fit the specific needs of their projects within OpenLMIS.

5. Running Your First Analysis 

Initiating your first analysis is as simple as making a commit to your repository. This action triggers the GitHub Actions workflow that you’ve set up in the previous steps. The workflow then runs the SonarCloud analysis, which analyzes your code for quality and security issues. Upon completion, the results are showcased in your SonarCloud dashboard, offering actionable insights into the state of your codebase.

sonarcloud github actions

The accompanying workflow summary image illustrates this process in action. It details each step taken by the GitHub Actions workflow, from setting up the job to the final SonarCloud scan, providing a visual confirmation of the tasks executed and their successful completion. This summary is not only a powerful tool for monitoring and troubleshooting the analysis process but also serves as a clear record of the actions performed during the CI/CD pipeline’s execution.

6. Reviewing Results and Making Improvements 

The culmination of your setup efforts is the ongoing review of analysis results that SonarCloud provides. It’s imperative to routinely inspect these results to pinpoint potential areas for enhancement within your codebase. This step involves a diligent examination of issues related to code quality, security vulnerabilities, and technical debt, as illustrated in the attached SonarCloud analysis report.

openlmis sonarcloud

The report visually presents key metrics, including bugs, vulnerabilities, and code smells, along with the coverage and duplication statistics. It serves as a comprehensive dashboard, offering a snapshot of the code’s current state and highlighting trends over time in the Main Branch Evolution section. By responding to these insights – such as by reviewing security hotspots and addressing reliability ratings on new code – you can systematically improve the overall health of the codebase.

As an exemplar of SonarCloud’s meticulous analysis, the Bugs section offers a detailed breakdown of potential issues in the code that could lead to errors in execution. 

sonarcloud

This section categorizes bugs by their severity and provides guidance on the estimated effort for resolution, ensuring that developers can prioritize and address the most critical issues first. The visual representation of these findings on the SonarCloud dashboard, as shown in the screenshot, allows teams to quickly understand the nature of each bug and the suggested modifications to enhance code reliability.

The Results

The migration to SonarCloud and GitHub Actions has yielded a substantial enhancement of OpenLMIS’s capabilities, particularly in the realms of security, code quality, and development efficiency.

Security and Code Quality Enhancements

The adoption of SonarCloud has significantly refined our capacity to detect and mitigate vulnerabilities. By incorporating the latest security protocols and the OWASP Top 10 standards, SonarCloud offers a rigorous and up-to-date defense mechanism. Our proactive efforts in utilizing these features have strengthened the OpenLMIS platform’s security framework. The improvements extend to code quality as well, where we’ve seen a notable increase in the resilience and maintainability of our codebase.

When contrasted with the previous SonarQube system, SonarCloud stands out for its more stringent quality gates. These enhanced standards ensure not only functional code but also secure and efficient operations. SonarCloud’s quality profiles cover a broader spectrum of rules, leading to a codebase that is not only dependable but also streamlined for clarity and maintenance. This has elevated our code quality standards to new levels, in line with SolDevelo’s commitment to delivering secure, reliable, and superior software via OpenLMIS.

Development Workflow and Process Improvements

GitHub Actions has transformed our CI/CD processes, allowing us to achieve more efficiency and reliability. Developers now receive rapid feedback on their code contributions, allowing them to address errors in minutes, and significantly shortening the time between development and deployment. 

As vulnerabilities are discovered, our team not only addresses them but also uses the information to improve our development process. This continual improvement has made our workflow more agile and responsive, promoting a development culture that prioritizes quality and security.

Feedback from our development team has been overwhelmingly positive. They have embraced the enhanced development experience and the optimized process that allows for faster iterations and constant progress. The new system’s capacity for rapid iteration and ongoing enhancement is pivotal to our objective of delivering secure and dependable software. These pivotal changes in our development workflow are crucial for maintaining OpenLMIS as a reliable healthcare logistics platform.

Conclusion

Realizing the Benefits

The initiative led by SolDevelo to transition OpenLMIS to SonarCloud and GitHub Actions represents a milestone in our relentless pursuit of excellence. By integrating these sophisticated tools, we’ve fortified the platform’s defenses in the face of the dynamic and demanding nature of healthcare logistics. This shift has not only enhanced our security and code quality but has also streamlined our operations, ensuring that OpenLMIS remains a robust and agile platform ready to meet future challenges.

Commitment to Community

Recognizing the complexities involved in such a technical migration, SolDevelo has compiled a comprehensive Migration to SonarCloud with GitHub Actions tutorial, detailing the entire setup process. Our goal is to foster knowledge sharing within the broader developer community, ensuring that our collective expertise contributes to the common good. This reflects our unwavering commitment to the continuous improvement of OpenLMIS and to empowering others by sharing the valuable insights we’ve garnered.

In conclusion, the transition to SonarCloud and GitHub Actions is more than just a technical upgrade – it is a confirmation of our dedication to delivering secure, reliable software that empowers healthcare logistics, today and into the future.

Technologies used

Author

Scroll to Top