sonar-devon4j-plugin

SonarQube Plugin with rules for static code analysis to validate architecture.

GroupId: com.devonfw.tools
ArtifactId: sonar-devon4j-plugin
Last Version: 2020.12.002
Type: sonar-plugin
Project URL: https://github.com/devonfw/sonar-devon4j-plugin#sonar-devon4j-plugin
Project Organization: devonfw

Dependencies

compile (5)

Group / Artifact Type Version
org.sonarsource.java : java-frontend jar 5.14.0.18788
org.slf4j : slf4j-api jar 1.7.16
com.fasterxml.jackson.jaxrs : jackson-jaxrs-json-provider jar 2.8.8
commons-codec : commons-codec jar 1.10
com.google.code.gson : gson jar 2.6.2

provided (2)

Group / Artifact Type Version
org.sonarsource.sonarqube : sonar-plugin-api jar 7.9.1
org.sonarsource.java : sonar-java-plugin jar 5.14.0.18788

Project Modules

There are no modules declared in this project.

sonar-devon4j-plugin

Apache License, Version 2.0

Plugin for SonarQube to validate devon4j architecture.

Motivation

With devon4j you can build business applications very efficiently following elaborated guidelines and best practices. This includes a profound architecture blueprint that is mapped to the code via clear packaging conventions.

This sonar-devon4j-plugin provides a plugin extending SonarQube with the ability to validate your Java code according to the devon4j architecture.

Installation

If you have SonarQube installed, you only need to go to its marketplace and install the latest version of this sonar-devon4j-plugin. Furthermore, you need to import the devonfw quality profiles (or activate all the rules of this plugin in your quality profile). For further details read the SonarQube setup guide.

Configuration

In your project, add a file called architecture.json to the top-level directory and configure your components and their dependencies. You should commit this file to your version control system (e.g. git). The following example shows an architecture definition for the my-thai-star sample application:

{
  "architecture": {
    "components": [
      {"name":"bookingmanagement","dependencies":["ordermanagement","usermanagement","mailservice"]},
      {"name":"dishmanagement","dependencies":["imagemanagement"]},
      {"name":"imagemanagement","dependencies":[]},
      {"name":"ordermanagement","dependencies":["dishmanagement"]},
      {"name":"usermanagement","dependencies":[]},
      {"name":"mailservice","dependencies":[]}
    ]
  }
}

As you can see, all you need to do is declare the components of your application with their allowed dependencies. If you need dependencies on other devonfw apps (microservices), you can also add them as dependencies with qualified packages (e.g. com.devonfw.sampleapp.samplecomponent). As the technical architecture is standardized by a blueprint in devonfw, you do not need any further configuration and everything can already be validated out of the box.
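The allow-list semantics of architecture.json can be illustrated with a small check. This is an added example, not the plugin's own code: the function names and the OBSERVED list are hypothetical, dependencies are assumed to be direct (not transitive), and an entry containing a dot is assumed to be a qualified package of another app.

```python
import json

# Architecture definition copied from the page (my-thai-star sample).
ARCHITECTURE_JSON = """
{"architecture": {"components": [
  {"name":"bookingmanagement","dependencies":["ordermanagement","usermanagement","mailservice"]},
  {"name":"dishmanagement","dependencies":["imagemanagement"]},
  {"name":"imagemanagement","dependencies":[]},
  {"name":"ordermanagement","dependencies":["dishmanagement"]},
  {"name":"usermanagement","dependencies":[]},
  {"name":"mailservice","dependencies":[]}
]}}
"""

# Constructed sample input: (source component, target component) references,
# as a dependency scan of the code base might report them.
OBSERVED = [
    ("bookingmanagement", "ordermanagement"),  # declared, allowed
    ("dishmanagement", "ordermanagement"),     # not declared
    ("usermanagement", "usermanagement"),      # same component, always allowed
    ("imagemanagement", "mailservice"),        # not declared
]

def load_components(text):
    """Return {component name: set of allowed dependencies}."""
    allowed = {}
    for entry in json.loads(text)["architecture"]["components"]:
        name = entry["name"]
        if name in allowed:
            raise ValueError(f"component declared twice: {name}")
        allowed[name] = set(entry.get("dependencies", []))
    return allowed

def undeclared_dependencies(allowed):
    """Dependencies that are neither a declared component nor a qualified package."""
    return sorted(
        (src, dep)
        for src, deps in allowed.items()
        for dep in deps
        if dep not in allowed and "." not in dep  # assumption: dot => qualified package
    )

def violations(allowed, observed):
    """Observed cross-component references that the file does not allow."""
    return [
        (src, dst) for src, dst in observed
        if src != dst and dst not in allowed.get(src, set())
    ]
```
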

Architecture Rules

The following image illustrates the devonfw architecture rules. The arrows show the allowed dependencies in green, discouraged dependencies in orange and forbidden dependencies in red.

(Image: Devon Architecture Rules)

Within the same component you are always allowed to call code from the same layer and scope as well as the API from the next layer below. Each discouraged or forbidden dependency is implemented by its own SonarQube rule. This gives you absolute flexibility to customize the severity of such architecture violations. These dependencies have a white circle with a unique label. For each label we link the corresponding rule to give you transparency and help you customize.

Package Rules

Additionally, there is a generic rule that checks the devonfw packaging conventions:

Security Rules

As of version 3.2.1, we have started adding security-related rules to our plugin:

devonfw Java Quality Profile

This plugin comes with a quality profile containing not only the previously described rules, but also rules from other plugins that are vital to ensure optimal code quality. You can download these plugins directly onto your SonarQube instance via its marketplace or install them manually. For more information on the installation of plugins, see here. If you have this devon4j plugin installed, you should make sure to install the following plugins, so that the quality profile can be properly initialized at startup:

You can either associate this profile with certain projects or set it as default to make it active for every project. If you want to make changes to the profile, just create a copy of it. You will then be able to make your adjustments, like including or excluding rules, to that copy.

For further information on quality profiles and their setup, please follow the SonarQube documentation on Quality Profiles.

com.devonfw.tools

devonfw

The Open Source Standard Software Development Platform for state of the art Cloud Native Micro Service and Multi Platform Rich Web Apps

Versions

Version
2020.12.002
2020.12.001
2020.08.001
2020.04.002
2020.04.001
3.2.1
3.2.0