In my previous Code Quality in the Age of AI-Assisted Development blog post, I talked about how generative AI is changing the way we code and its potential impact on code quality. I recommended using static code analysis tools to monitor AI-generated code, ensuring its security and quality.
In this blog post, I will explore one such static code analysis tool, SonarQube, and see how it improves the quality of AI-generated code.
What’s SonarQube?
SonarQube is a code analysis suite by Sonar.
It’s not just a single product but a suite of tools designed for code analysis:
- SonarQube IDE: An IDE plugin for code analysis during development.
- SonarQube Server/Cloud: A server-side code analysis tool for CI/CD with quality profiles/gates and AI-focused modules.
I chose to investigate SonarQube for its comprehensive code quality and security coverage, broad language support, and recent advancements in AI-generated code analysis, including AI Code Fix and AI Code Assurance. Additionally, SonarQube IDE is free and SonarQube Server has a community edition that anyone can run locally, so it’s a good way to get started.
Install Gemini Code Assist (for individuals) + SonarQube IDE + SonarQube (Community Build)
Both Gemini Code Assist and SonarQube offer free versions, making them accessible for getting started.
You can install the Gemini Code Assist plugin for Visual Studio Code or JetBrains IDEs, and with Gemini Code Assist for individuals you can use it at no cost, with no credit card required. Great!
Once you have the Gemini Code Assist installed, you should see the chat window in your IDE:
Next, you can install SonarQube IDE, also a free plugin for various IDEs. Once installed, you should see the new SonarQube section with rules and security hotspots:
Next, you want to set up a SonarQube server. SonarQube has a Community Build edition that you can install and run locally. Once it is installed, start it:
./sonar.sh start
/usr/bin/java
Starting SonarQube...
Started SonarQube.
Visit the default URL, http://localhost:9000/projects and create a local project. In the end, you should see the landing page with your project listed:
Lastly, you need to connect SonarQube IDE to the local SonarQube server. You can do this under Connected Mode in SonarQube IDE, pointing to your local SonarQube server and binding your project files to the project on the SonarQube Server. In the end, this is what you should see under Connected Mode:
At this point, your IDE is set up with Gemini for code generation and SonarQube for code analysis.
SonarQube in action
We can finally start generating some code with Gemini Code Assist and see how SonarQube helps.
I start with this comment and hit Ctrl+Enter to let AI generate some code:
# Create a standalone Flask app for products in a supermarket with CRUD operations
Gemini Code Assist generates a basic Flask application for me (nice!), but I noticed issues flagged by SonarQube under Security Hotspots and the Problems section in Visual Studio Code.
The first security issue is: Disabling CSRF protections is security-sensitive (python:S4502) for this line of code:
app = Flask(__name__)
I can also see the description of the issue and how to fix it within Visual Studio Code:
Nice! The issue is that a Flask app has no CSRF protection by default, and the fix is simple. One caveat to keep in mind: CSRFProtect validates a token on every state-changing request, so clients that POST or PUT JSON to the CRUD endpoints must send the token (for example in the X-CSRFToken header) or those requests will be rejected with a 400:
from flask_wtf.csrf import CSRFProtect
app = Flask(__name__)
csrf = CSRFProtect()
csrf.init_app(app)
Next security issue highlighted is Delivering code in production with debug features activated is security-sensitive (python:S4507) for this line:
app.run(debug=True)
This is about running production code with the debug flag enabled. Flask's debug mode exposes the browser-based Werkzeug debugger, which can execute arbitrary Python on the server and leaks source code and stack traces to anyone who triggers an exception. The fix is to change it to debug=False, or better, to leave the flag out of the code entirely and enable it only locally through the FLASK_DEBUG environment variable.
I already fixed two simple but important security issues in my AI-generated code!
SonarQube also warns me about a code smell: Boolean checks should not be inverted (python:S1940):
When I checked the problematic code, I realized that the if statement is a little convoluted:
if not request.json or not 'name' in request.json:
return jsonify({'message': 'Bad request'}), 400
Instead, we can have this:
if not request.json or 'name' not in request.json:
return jsonify({'message': 'Bad request'}), 400
That’s clearer and easier to understand!
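The check above still only asks whether the key "name" is present. Flask's request.json is None when the body is not JSON at all, and it can be a list or a scalar when a client sends one, in which case `'name' not in request.json` either passes silently (a list containing "name") or raises a TypeError (an integer) and turns into a 500. The following is an added example, not code from the post or from the Gemini-generated app, that factors the validation out of the handler and generalizes it to a small schema for the product endpoints. The field names and types in PRODUCT_FIELDS are an assumption for the example; the generated app only checked for "name".

```python
from typing import Any

# Assumed schema for the supermarket product payload (the post's generated app
# only checked that "name" exists). bool is excluded for numeric fields below
# because it is a subclass of int in Python.
PRODUCT_FIELDS = {"name": str, "price": (int, float), "quantity": int}


def validate_product(payload: Any, partial: bool = False) -> tuple[dict, list[str]]:
    """Validate a decoded JSON body for the product CRUD endpoints.

    Returns (clean, errors): `clean` contains only the known fields that passed,
    `errors` lists every problem found (empty when the payload is acceptable).
    `partial=True` is for PUT/PATCH, where missing fields are allowed.

    The first check guards the type of the body itself: request.json may be
    None (no JSON body), a list or a scalar, and the membership test used in
    the generated app misbehaves on all three.
    """
    if not isinstance(payload, dict):
        return {}, ["request body must be a JSON object"]

    errors: list[str] = []
    unknown = set(payload) - set(PRODUCT_FIELDS)
    if unknown:
        errors.append(f"unknown fields: {', '.join(sorted(unknown))}")

    clean: dict = {}
    for field, expected_type in PRODUCT_FIELDS.items():
        if field not in payload:
            if not partial:
                errors.append(f"missing field: {field}")
            continue
        value = payload[field]
        if isinstance(value, bool) or not isinstance(value, expected_type):
            errors.append(f"{field} has wrong type")
            continue
        clean[field] = value

    # Semantic checks on values that passed the type check.
    if "name" in clean and not clean["name"].strip():
        errors.append("name must not be blank")
    if "price" in clean and clean["price"] < 0:
        errors.append("price must not be negative")
    if "quantity" in clean and clean["quantity"] < 0:
        errors.append("quantity must not be negative")

    return clean, errors


if __name__ == "__main__":
    # Constructed sample bodies, as a client might send them.
    for body in (None, 5, ["name"], {"name": " ", "price": -1, "quantity": 0},
                 {"name": "Milk", "price": 1.99, "quantity": 3}):
        print(body, "->", validate_product(body))
```

In the Flask handler this replaces the inline check: call `clean, errors = validate_product(request.get_json(silent=True))` (silent=True makes Flask return None instead of raising on a non-JSON body), return `jsonify({'errors': errors}), 400` when errors is non-empty, and only ever store the fields in `clean`, so unexpected keys never reach the data layer.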
Conclusion
Coding with AI tools like Gemini Code Assist accelerates development. However, over-reliance on AI can introduce risks such as security vulnerabilities, code smells, and style inconsistencies, and those risks need to be mitigated. Therefore, tools like SonarQube are essential for maintaining high code quality when leveraging AI-assisted development.
Are you aware of other code analysis tools for AI-generated code? Please share your recommendations in the comments below!