May 2, 2013

Installing sonar source on Mac OSX

Update 30 June 2015

Part 2 is here with further instructions

Sonar Source is a an open source, browser based tool to manage code quality. You download and install it, setup some language specific plugins then let it loose on your codebase.

It basically reports on data generated by doing a static analysis of your code on things like:

  • Duplicate code
  • Comment coverage
  • Coding rules
  • Unit tests
  • Code complexity etc

Installing it on a Mac is relatively painless, but there are quite a few steps to follow. Luckily brew comes to the rescue, so simply install it along with sonar-runner:

brew update
brew install sonar
brew install sonar-runner

The way it works is, Sonar itself is just a reporting tool. It needs data to report on. Sonar-runner is the tool that actually does the static analysis of your codebase and then stores that data in a local datastore. You have several options to use, I chose MySQL.

Make sure MySQL is running and create a new database to hold the data generated by sonar-runner. I called mine _sonarsource:

CREATE DATABASE sonar_source;

Create a new user (sonar/sonar) and set privileges:

CREATE USER 'sonar'@'localhost' IDENTIFIED BY 'sonar';
GRANT ALL PRIVILEGES ON sonar_source.* TO 'sonar'@'localhost';

Now you need to set the sonar configuration options, make sure you enter the correct database name (_sonarsource in our case). You can comment out most options except credentials and mysql (so comment out the embedded database):

vi /usr/local/Cellar/sonar/3.5.1/libexec/conf/

You also need to specify in the sonar-runner properties file which database to connect to:

vi /usr/local/Cellar/sonar-runner/2.1/libexec/conf/

For me I uncommented out the MySQL connection details, and changed the databaes name in the connection string to _sonarsource

You should now be able to launch sonar, it’s a web based tool so everything is managed in a browser. Open a terminal and type:

sonar start

That works because sonar is in your path (via brew). The command will launch sonar so navigate to http://localhost:9000 in your browser of choice. Login (admin/admin) and have a look around. Sonar takes around 20 seconds to fully start, so be patient.

Now you want to install some quality profile plugins for any supported language that you need (javascript, php etc). Navigate to:

Settings -> Configuration -> Update Center

Click on the Available Plugins tab and install what you need. I installed:

  • JavaScript
  • PHP
  • Python
  • XML

You’ll need to restart sonar for the installation(s) to take effect.

sonar restart

Almost there…

Now in the terminal, go to the root directory of a project you want sonar to inspect, and create a project specific properties file:

cd myproject

Here’s a sample file:

# required metadata
sonar.projectName=My Project Name

# optional description
sonar.projectDescription=Describe your project here

# path to source directories (required)

# path to test source directories (optional)

# path to project binaries (optional), for example directory of Java bytecode

# optional comma-separated list of paths to libraries. Only path to JAR file is supported.

# The value of the property must be the key of the language.

# Additional parameters

Note the sonar.language option for JavaScript is js. That’s kinda hard to find, so if you want to have code coverage for JavaScript make sure you get that right or the runner will just throw errors.

Finally in the root directory of your project you can now execute the sonar-runner by typing:


This is the step that’s actually examining your code, it only took about 10 seconds for me. Once that’s finished go back to the sonar webpage (localhost:9000) and you should magically have a project setup to review.

There’s a tonne of information there. You’ll find generic things like number of lines of code, percentage of comments in the codebase etc. But you’ll also potentially get a lot of violations. Think of linting etc, style of coding conventions and the like. The JavaScript quality control plugin in particular is pretty opinionated so your mileage may vary as to the usefulness of sonar.

It’s a fantastic tool, so keep exploring :)

Update 6th May 2013

Excluding files

If you want to exclude certain files that are included in your sonar.sources property you can use wildcard matches. Note that although you can do this in the web console, that would be persisted in the local datastore but not in any project version control. I recommend putting this exclusion property in your file.

So, if you wanted to include everything in the scripts directory except the vendor folder:


Out of memory errors

If sonar-runner is parsing a large codebase you might get an error like the following:

Caused by: java.util.concurrent.ExecutionException: java.lang.OutOfMemoryError: Java heap space

Note: you can get more verbose output from the runner by adding the e flag:

sonar-runner -e

You can increase the Java heap size by running the following:

export SONAR_RUNNER_OPTS="-Xmx512m -XX:MaxPermSize=512m"

© Michael Sharman 2017