Add Rust language support

Sonar Rust plugin v0.0.4 is out.
It allows importing Clippy lints as well as some cargo tarpaulin coverage reports.
See: GitHub - elegoff/sonar-rust: SonarQube plugin to analyze Rust files

Feedback is welcomed

1 Like

Upvoted this. My company is moving over to Rust and would see the support for this language as a must for Sonarqube. There are large parts of the IT industry adopting Rust (AWS, Microsoft) to name but a few. I would think this is a priority for Sonarsource. We are moving away from more traditional languages such as C# & Java to more functionally orientated languages, for a large number of reasons.

1 Like

Just to let you know, I've also published a tool to help publishing reports to sonarcloud.io from a Rust project by doing the transformation on the client side.

See the thread.

3 Likes

An upvote from me. Rust is our primary language and Rust support would be very helpful!

1 Like

Another upvote and see the need for Rust support from these articles.

1 Like

Are you using SonarQube or SonarCloud? If using SonarQube, and until the Rust language is officially supported, I'd be happy to get feedback on the community plugin I am maintaining at GitHub - elegoff/sonar-rust: SonarQube plugin to analyze Rust files
(If you are facing an issue, or need more features, please use the GitHub issues rather than this forum.)

Currently SonarQube is used to validate applications on a DoD cloud solution which I want to host a Rust-based application on and I'm going to have to reimplement because they can't scan it. They also use Fortify, which also doesn't support Rust.

We are using SonarCloud, hope Rust on SonarCloud as well!!!

1 Like

Sonarqube Team. What is the status of Rust support?

More need: NSA Releases Guidance on How to Protect Against Software Memory Safety Issues > National Security Agency/Central Security Service > Article

1 Like

Hi!
Is there any news on this? For me, it would be enough to import an unsupported language test coverage report.

Nothing has been decided yet but if we decide to support a new language in 2023, Rust is definitely a good candidate (along with Dart/Flutter BTW).

Would SonarCloud be utilising this plugin? GitHub - elegoff/sonar-rust: SonarQube plugin to analyze Rust files

If so, is there anything that the community can be doing to make that plugin more likely to be integrated by SonarCloud?

Only SonarSource-made analyzers run on SonarCloud. We want to be in full control of what is running on SonarCloud side. There is no chance to see this SonarQube Rust Plugin being integrated into SonarCloud.

If you want to help to see Rust being supported by SonarCloud here is what we need:

  • a list of 30+ rules that are really valuable for Rust developers and that are considered a must-have
  • the name of the most famous coverage tool dedicated to Rust
  • the name of the most commonly used 3rd party linters in the Rust ecosystem

SonarCloud can fork GitHub - elegoff/sonar-rust: SonarQube plugin to analyze Rust files to be in 100% control of what is running on SonarCloud.

There are no "3rd party" linters for Rust language. Clippy and rustfmt are part of the Rust language project, and so far nobody has bothered or managed to create alternatives. Very likely because rustfmt is reasonably configurable, and clippy is extensible, so there is little motivation to create alternatives. Another reason is those tools have good roadmaps and community processes for future changes, so Rust developers would rather contribute to those projects, instead of trying to fork or create their own tool from scratch.

The one exception to the above, there are some formatters/linters for "Cargo.toml" files, e.g. GitHub - tbrand/cargo-tomlfmt: Formatting Cargo.toml and GitHub - FuelLabs/cargo-toml-lint: A linter for Cargo.toml files

Again, it is part of the Rust compiler.

There are two mechanisms described at Instrumentation-based Code Coverage - The rustc book. The "source-based code coverage implementation" is the better implementation.

GitHub - mozilla/grcov: Rust tool to collect and aggregate code coverage data for multiple source files is a commonly used wrapper to collate the coverage data.

GitHub - actions-rs/grcov: 📈 GitHub Action for code coverage reporting with grcov is the GitHub action which is commonly used.

3 Likes

c.f. previous comment on this thread about clippy, and its JSON output.

There is also a tool to convert clippy to SARIF at:

1 Like

Just to mention, I've made a tool to convert a few of Rust tooling output into Sonar generic input with the project cargo-sonar.

Basically, you run rust tooling somewhere, then convert the output with cargo-sonar, then feed it to sonar-scanner.

I've been working with it for a few months on some projects already, and it's already useful enough (mainly the clippy parser). It's not perfect though, as there are at least 2 main problems with it:

  • I don't have experience to categorize correctly an issue into the semantic used in Sonar (is it critical or not for example), so any scoring between A and E that might be given by the result of using cargo-sonar is likely incoherent with any other Sonar approved tool
  • some of the supported tools are frequently changing their API, which makes cargo-sonar work relatively well on an up-to-date version of all tools, but maybe not so much on older versions
2 Likes
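
The conversion step described in the post above, as an added example that is not part of the thread and is not cargo-sonar's code: a minimal Python converter from `cargo clippy --message-format=json` output to Sonar's generic issue import format. The severity mapping, the `clippy_to_sonar` name and the sample input are assumptions made for illustration.

```python
import json

# Assumed mapping from rustc diagnostic level to Sonar severity (not an official one).
SEVERITY = {"error": "CRITICAL", "warning": "MAJOR", "note": "INFO", "help": "INFO"}

# Constructed sample of `cargo clippy --message-format=json` output, one JSON object per line.
SAMPLE = "\n".join([
    json.dumps({"reason": "compiler-artifact", "package_id": "demo 0.1.0"}),
    json.dumps({"reason": "compiler-message", "message": {
        "message": "unneeded `return` statement",
        "code": {"code": "clippy::needless_return", "explanation": None},
        "level": "warning",
        "spans": [{"file_name": "src/lib.rs", "line_start": 12, "line_end": 12,
                   "column_start": 5, "column_end": 21, "is_primary": True}]}}),
    json.dumps({"reason": "compiler-message", "message": {
        "message": "1 warning emitted", "code": None, "level": "warning", "spans": []}}),
    "not json: stray build-script output",
    json.dumps({"reason": "build-finished", "success": True}),
])

def clippy_to_sonar(stream: str) -> dict:
    """Convert cargo's JSON diagnostics into a Sonar generic issue report."""
    issues = []
    for line in stream.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON noise mixed into the stream
        if not isinstance(record, dict) or record.get("reason") != "compiler-message":
            continue
        msg = record.get("message") or {}
        code = (msg.get("code") or {}).get("code")
        primary = next((s for s in msg.get("spans", []) if s.get("is_primary")), None)
        if not code or primary is None:
            continue  # summary lines carry no rule id or source location
        issues.append({
            "engineId": "clippy",
            "ruleId": code,
            "severity": SEVERITY.get(msg.get("level"), "MINOR"),
            "type": "CODE_SMELL",
            "primaryLocation": {
                "message": msg.get("message", ""),
                "filePath": primary["file_name"],
                # Columns are omitted: only the line range is reported.
                "textRange": {"startLine": primary["line_start"],
                              "endLine": primary["line_end"]},
            },
        })
    return {"issues": issues}

if __name__ == "__main__":
    print(json.dumps(clippy_to_sonar(SAMPLE), indent=2))
```

The resulting file is handed to sonar-scanner through the `sonar.externalIssuesReportPaths` property.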