Zum Inhalt

Qodana Cheat Sheet

generieren

Überblick

Qodana ist JetBrains' Code-Qualitätsplattform, die die Smart-Code-Inspektionen von JetBrains IDEs zu Ihrer CI/CD-Pipeline bringt. Es bietet umfassende statische Analyse, Sicherheitslückenerkennung und Code-Qualitätsmetriken für mehrere Programmiersprachen mit tiefer Integration in Entwicklungs-Workflows.

ZEIT Anmerkung: Free tier verfügbar mit Einschränkungen. Bezahlte Pläne starten bei $0,50 pro 1000 Zeilen Code pro Monat.

Erste Schritte

Installationsmethoden

```bash

Docker (Recommended)

docker pull jetbrains/qodana-jvm docker pull jetbrains/qodana-js docker pull jetbrains/qodana-python docker pull jetbrains/qodana-php docker pull jetbrains/qodana-dotnet

CLI Installation

Linux/macOS

curl -fsSL https://jb.gg/qodana-cli/install | bash

Windows (PowerShell)

iex "& { $(irm https://jb.gg/qodana-cli/install-ps1) }"

Homebrew (macOS)

brew install jetbrains/utils/qodana

Snap (Linux)

sudo snap install qodana ```_

Schneller Start

```bash

Initialize Qodana in project

qodana init

Run analysis with Docker

docker run --rm -it \ -v $(pwd):/data/project/ \ -v $(pwd)/qodana-results:/data/results/ \ jetbrains/qodana-jvm

Run with CLI

qodana scan --project-dir . --results-dir ./qodana-results ```_

Projektaufbau

```yaml

qodana.yaml configuration file

version: "1.0" profile: name: qodana.recommended include: - name: All exclude: - name: "Unused import" - name: "Spelling" projectJDK: "11" bootstrap: | set -eu echo "Bootstrap script execution" ./gradlew build -x test ```_

Sprachunterstützung

JVM Sprachen (Java, Kotlin, Scala)

```bash

Qodana JVM Linter

docker run --rm -it \ -v $(pwd):/data/project/ \ -v $(pwd)/qodana-results:/data/results/ \ jetbrains/qodana-jvm

Supported build tools:

- Maven

- Gradle

- SBT

- Ant

Java-specific inspections:

- Code style violations

- Null pointer analysis

- Resource leak detection

- Performance issues

- Security vulnerabilities

```_

JavaScript/TypScript

```bash

Qodana JS Linter

docker run --rm -it \ -v $(pwd):/data/project/ \ -v $(pwd)/qodana-results:/data/results/ \ jetbrains/qodana-js

Supported frameworks:

- React

- Vue.js

- Angular

- Node.js

- Express

JS/TS inspections:

- ESLint integration

- TypeScript compiler checks

- React-specific issues

- Async/await problems

- Performance optimizations

```_

Python

```bash

Qodana Python Linter

docker run --rm -it \ -v $(pwd):/data/project/ \ -v $(pwd)/qodana-results:/data/results/ \ jetbrains/qodana-python

Python features:

- PEP 8 compliance

- Type checking with mypy

- Security vulnerability detection

- Code complexity analysis

- Import optimization

```_

PHP

```bash

Qodana PHP Linter

docker run --rm -it \ -v $(pwd):/data/project/ \ -v $(pwd)/qodana-results:/data/results/ \ jetbrains/qodana-php

PHP inspections:

- PSR compliance

- Security vulnerabilities

- Performance issues

- Type safety

- Framework-specific checks

```_

.NET (C#, VB.NET, F#)

```bash

Qodana .NET Linter

docker run --rm -it \ -v $(pwd):/data/project/ \ -v $(pwd)/qodana-results:/data/results/ \ jetbrains/qodana-dotnet

.NET features:

- Roslyn analyzer integration

- Security rule checks

- Performance optimizations

- Code style enforcement

- Framework compatibility

```_

Konfiguration

Grundkonfiguration

```yaml

qodana.yaml - Basic setup

version: "1.0" profile: name: qodana.recommended include: - name: All exclude: - name: "Unused import" - name: "Spelling" - name: "Typo" ```_

Erweiterte Konfiguration

```yaml

qodana.yaml - Advanced setup

version: "1.0" profile: name: qodana.recommended path: .qodana/profiles/custom.xml include: - name: "Code style issues" - name: "Probable bugs" - name: "Performance" exclude: - name: "Spelling" - name: "Unused import" - path: "src/test/" - path: "/*.generated.js" projectJDK: "11" bootstrap: | set -eu echo "Installing dependencies..." npm install ./gradlew build -x test failThreshold: 0 ```_

Profil Anpassung

```xml

```_

Umweltvariablen

```bash

Common environment variables

export QODANA_TOKEN="your-token-here" export QODANA_PROJECT_ID="project-id" export QODANA_BRANCH="main" export QODANA_REVISION="HEAD"

Docker environment variables

docker run --rm -it \ -e QODANA_TOKEN=\(QODANA_TOKEN \ -e QODANA_PROJECT_ID=\)QODANA_PROJECT_ID \ -v $(pwd):/data/project/ \ -v $(pwd)/qodana-results:/data/results/ \ jetbrains/qodana-jvm ```_

CLI Befehle

Grundlegende Befehle

```bash

Initialize project

qodana init

Scan project

qodana scan

Scan with specific linter

qodana scan --linter jetbrains/qodana-jvm

Scan with custom config

qodana scan --config ./custom-qodana.yaml

Show scan results

qodana show

View help

qodana --help qodana scan --help ```_

Erweiterter CLI Verwendung

```bash

Scan with custom parameters

qodana scan \ --project-dir /path/to/project \ --results-dir /path/to/results \ --cache-dir /path/to/cache \ --linter jetbrains/qodana-jvm \ --config qodana.yaml \ --property=idea.headless.enable.statistics=false

Scan specific files/directories

qodana scan --include-paths "src/main/,lib/" qodana scan --exclude-paths "src/test/,/.generated."

Set fail threshold

qodana scan --fail-threshold 10

Generate SARIF report

qodana scan --sarif-report results.sarif

Upload results to Qodana Cloud

qodana scan --upload-result ```_

Ergebnismanagement

```bash

View results in browser

qodana show --port 8080

Export results

qodana export --format json --output results.json qodana export --format sarif --output results.sarif

Compare results between branches

qodana diff --base main --target feature-branch

Generate baseline

qodana scan --baseline qodana.sarif.json ```_

CI/CD Integration

GitHub Aktionen

```yaml

.github/workflows/qodana.yml

name: Qodana on: workflow_dispatch: pull_request: push: branches: - main

jobs: qodana: runs-on: ubuntu-latest permissions: contents: read pull-requests: write checks: write steps: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0

  - name: 'Qodana Scan'
    uses: JetBrains/qodana-action@v2023.2
    with:
      args: --fail-threshold,0
    env:
      QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}

  - name: Upload SARIF file
    uses: github/codeql-action/upload-sarif@v2
    with:
      sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json

```_

GitLab CI

```yaml

.gitlab-ci.yml

qodana: stage: test image: jetbrains/qodana-jvm:latest script: - qodana --results-dir $CI_PROJECT_DIR/qodana-results artifacts: reports: codequality: qodana-results/qodana.json paths: - qodana-results/ expire_in: 1 week only: - merge_requests - main ```_

Jenkins Pipeline

```groovy pipeline { agent any

stages {
    stage('Checkout') {
        steps {
            checkout scm
        }
    }

    stage('Qodana Analysis') {
        steps {
            script {
                docker.image('jetbrains/qodana-jvm:latest').inside {
                    sh '''
                        qodana --results-dir ./qodana-results \
                               --fail-threshold 0 \
                               --sarif-report qodana.sarif
                    '''
                }
            }
        }
        post {
            always {
                publishHTML([
                    allowMissing: false,
                    alwaysLinkToLastBuild: true,
                    keepAll: true,
                    reportDir: 'qodana-results',
                    reportFiles: 'report.html',
                    reportName: 'Qodana Report'
                ])

                recordIssues(
                    enabledForFailure: true,
                    tools: [sarif(pattern: 'qodana.sarif')]
                )
            }
        }
    }
}

} ```_

Azure DevOs

```yaml

azure-pipelines.yml

trigger: - main

pool: vmImage: 'ubuntu-latest'

steps: - task: Docker@2 displayName: 'Run Qodana Analysis' inputs: command: 'run' arguments: > --rm -v $(Build.SourcesDirectory):/data/project/ -v $(Build.ArtifactStagingDirectory)/qodana-results:/data/results/ jetbrains/qodana-jvm

  • task: PublishBuildArtifacts@1 displayName: 'Publish Qodana Results' inputs: pathToPublish: '$(Build.ArtifactStagingDirectory)/qodana-results' artifactName: 'qodana-results' ```_

Qualitätstore und Schwellen

Fehlerbehebung Konfiguration

```bash

Set fail threshold (number of problems)

qodana scan --fail-threshold 10

Fail on any critical issues

qodana scan --fail-threshold 0 --severity critical

Fail on new issues only

qodana scan --baseline qodana-baseline.sarif.json --fail-threshold 0 ```_

Profil von Quality Gate

```yaml

qodana.yaml with quality gates

version: "1.0" profile: name: qodana.recommended failThreshold: 5 include: - name: "Critical" - name: "High" exclude: - name: "Low" - name: "Informational" ```_

Allgemeine Qualitätsregeln

```xml

```_

Sicherheitsanalyse

Sicherheitslückenerkennung

```bash

Enable security inspections

qodana scan --include "Security"

Focus on critical security issues

qodana scan \ --include "SQL injection" \ --include "XSS" \ --include "Path traversal" \ --include "Hardcoded credentials" ```_

Gemeinsame Sicherheitsfragen

```java // SQL Injection Detection // ❌ Vulnerable code String query = "SELECT * FROM users WHERE id = " + userId; Statement stmt = connection.createStatement(); ResultSet rs = stmt.executeQuery(query);

// ✅ Fixed code String query = "SELECT * FROM users WHERE id = ?"; PreparedStatement stmt = connection.prepareStatement(query); stmt.setString(1, userId); ResultSet rs = stmt.executeQuery();

// Hardcoded Credentials Detection // ❌ Vulnerable code String password = "admin123"; String apiKey = "sk-1234567890abcdef";

// ✅ Fixed code String password = System.getenv("DB_PASSWORD"); String apiKey = System.getenv("API_KEY"); ```_

Sicherheit Baseline

```bash

Create security baseline

qodana scan --include "Security" --baseline security-baseline.sarif.json

Check only new security issues

qodana scan --baseline security-baseline.sarif.json --include "Security" ```_

Leistungsanalyse

Leistungsprüfungen

```bash

Focus on performance issues

qodana scan --include "Performance"

Common performance issues detected:

- Inefficient string concatenation

- Resource leaks

- Unnecessary object creation

- Inefficient collections usage

- Database query optimization

```_

Beispiele für

```java // String Concatenation Performance // ❌ Inefficient String result = ""; for (String item : items) { result += item + ", "; }

// ✅ Efficient StringBuilder sb = new StringBuilder(); for (String item : items) { sb.append(item).append(", "); } String result = sb.toString();

// Resource Leak Detection // ❌ Resource leak FileInputStream fis = new FileInputStream("file.txt"); // Missing close() call

// ✅ Proper resource management try (FileInputStream fis = new FileInputStream("file.txt")) { // Use the stream } // Automatically closed ```_

Code Qualität Metrics

Komplexitätsanalyse

```bash

Analyze code complexity

qodana scan --include "Complexity"

Metrics collected:

- Cyclomatic complexity

- Cognitive complexity

- Lines of code

- Method length

- Class size

```_

Vervielfältigungserkennung

```bash

Detect code duplication

qodana scan --include "Code duplication"

Configure duplication thresholds in qodana.yaml:

version: "1.0" profile: name: qodana.recommended duplicates: minTokens: 50 minLines: 10 ```_

Technischer Schuldenstand

```javascript // Technical Debt Examples

// ❌ High technical debt function processData(data) { // TODO: Refactor this method if (data) { if (data.length > 0) { for (let i = 0; i < data.length; i++) { if (data[i].status === 'active') { // Complex nested logic if (data[i].type === 'premium') { // More nesting... } } } } } }

// ✅ Refactored code function processActiveData(data) { if (!data?.length) return;

return data
    .filter(item => item.status === 'active')
    .map(item => processItem(item));

}

function processItem(item) { return item.type === 'premium' ? processPremiumItem(item) : processStandardItem(item); } ```_

Reporting und Visualisierung

HTML Reports

```bash

Generate HTML report

qodana scan --show-report

Custom report location

qodana scan --results-dir ./custom-results qodana show --port 8080 --results-dir ./custom-results ```_

SARIF-Berichte

```bash

Generate SARIF report

qodana scan --sarif-report results.sarif

Upload to GitHub Security tab

(automatically done with GitHub Actions integration)

Convert SARIF to other formats

qodana export --format json --input results.sarif --output results.json ```_

Benutzerdefinierte Berichte Vorlagen

```html

Custom Qodana Report

Code Quality Report

```_

IDE Integration

IntelliJ IDEA Integration

```bash

Qodana plugin for IntelliJ IDEA

1. Install Qodana plugin from marketplace

2. Configure Qodana settings

3. Run analysis from IDE

4. View results in tool window

Plugin features:

- Run Qodana analysis locally

- View results in IDE

- Navigate to issues

- Configure inspection profiles

- Integration with VCS

```_

VS Code Integration

```bash

Qodana extension for VS Code

1. Install Qodana extension

2. Configure workspace settings

3. Run analysis command

4. View results in problems panel

Extension commands:

- Qodana: Scan Project

- Qodana: Show Results

- Qodana: Configure

- Qodana: Upload Results

```_

Integration der Kommandozeilen

```bash

IDE-like experience in terminal

qodana scan --ide-like

Open results in default browser

qodana show --open

Watch mode for development

qodana scan --watch --fail-threshold 0 ```_

Erweiterte Funktionen

Baseline Management

```bash

Create baseline from current state

qodana scan --baseline qodana-baseline.sarif.json

Update baseline

qodana scan --update-baseline qodana-baseline.sarif.json

Use baseline to check only new issues

qodana scan --baseline qodana-baseline.sarif.json --fail-threshold 0 ```_

Kundenspezifische Inspektionen

```kotlin // Custom inspection example class CustomInspection : LocalInspectionTool() { override fun buildVisitor(holder: ProblemsHolder, isOnTheFly: Boolean): PsiElementVisitor { return object : JavaElementVisitor() { override fun visitMethodCallExpression(expression: PsiMethodCallExpression) { super.visitMethodCallExpression(expression)

            if (isDeprecatedMethod(expression)) {
                holder.registerProblem(
                    expression,
                    "Use of deprecated method",
                    ProblemHighlightType.WARNING
                )
            }
        }
    }
}

private fun isDeprecatedMethod(expression: PsiMethodCallExpression): Boolean {
    // Custom logic to detect deprecated methods
    return false
}

} ```_

Lizenzerfüllung

```bash

License detection and compliance

qodana scan --include "License"

Configure allowed licenses

version: "1.0" profile: name: qodana.recommended licenseRules: allowed: - "MIT" - "Apache-2.0" - "BSD-3-Clause" prohibited: - "GPL-3.0" - "AGPL-3.0" ```_

Fehlerbehebung

Gemeinsame Themen

```bash

Out of memory errors

docker run --rm -it \ -m 4g \ -v $(pwd):/data/project/ \ -v $(pwd)/qodana-results:/data/results/ \ jetbrains/qodana-jvm

Permission issues

sudo chown -R \(USER:\)USER qodana-results/

Network connectivity issues

docker run --rm -it \ --network host \ -v $(pwd):/data/project/ \ -v $(pwd)/qodana-results:/data/results/ \ jetbrains/qodana-jvm ```_

Leistungsoptimierung

```bash

Optimize for large projects

qodana scan \ --cache-dir ./qodana-cache \ --exclude-paths "node_modules/,target/,build/**" \ --include "Critical,High"

Parallel processing

docker run --rm -it \ --cpus="4" \ -m 8g \ -v $(pwd):/data/project/ \ -v $(pwd)/qodana-results:/data/results/ \ jetbrains/qodana-jvm ```_

Debug Mode

```bash

Enable debug logging

qodana scan --log-level debug

Verbose output

qodana scan --verbose

Save logs

qodana scan --log-file qodana.log ```_

Best Practices

Konfigurationsmanagement

```bash

Version control qodana.yaml

- Keep configuration in repository

- Use environment-specific configs

- Document configuration changes

- Review configuration in PRs

Example structure:

.qodana/ ├── qodana.yaml # Main configuration ├── profiles/ │ ├── strict.xml # Strict quality profile │ └── relaxed.xml # Relaxed profile for legacy code ├── baselines/ │ ├── main.sarif.json # Main branch baseline │ └── legacy.sarif.json # Legacy code baseline └── scripts/ └── bootstrap.sh # Setup script ```_

CI/CD Best Practices

```bash

Gradual adoption strategy:

1. Start with baseline to avoid failing builds

2. Gradually reduce fail threshold

3. Focus on critical and high-priority issues first

4. Regular baseline updates

5. Team training and adoption

Performance considerations:

- Use caching between builds

- Exclude unnecessary files/directories

- Run on appropriate hardware

- Use incremental analysis when possible

```_

Team Adoption

```bash

Team onboarding:

1. Introduce Qodana gradually

2. Provide training on code quality

3. Set up IDE integration

4. Regular review of quality metrics

5. Celebrate improvements

Quality culture:

- Make quality metrics visible

- Regular quality reviews

- Code quality champions

- Continuous improvement mindset

```_

Ressourcen

Dokumentation

Gemeinschaft

Ausbildung