Adding custom Go/Slang Rules

There’s an excellent tutorial on adding custom rules for Java here https://github.com/SonarSource/sonar-java/blob/5.14.0.18788/docs/CUSTOM_RULES_101.md, along with plugin templates at https://github.com/SonarSource/sonar-custom-rules-examples

I’d like to add some custom rules for Go, to supplant some other code analyzers I currently use and have everything integrated in SonarQube. I currently use the linter import feature for this, but that’s not nearly as good as having them as integrated rules (I can’t set priority, assign issues, add help text and so on if they just come from a linter import).

The rules I want to add are fairly simple – they’re basically regex checks, so I can write them using the code for, e.g., slang/checks/HardcodedCredentialsCheck.java as a template.

However, since Go is now part of the Slang framework, I’m having trouble figuring out what all I need to do to get the check to actually run, but only for Go code. I’m amenable to either forking the slang plugin or writing my own separate plugin, but I can’t seem to locate any documentation equivalent to the “Registering the rule in the custom plugin” section of the Java documentation to make it run.

Is there any sample code or instructions on how to add a rule to the current slang-based sonar-go?

Hello, welcome to the community!

Custom rules for Go (and all Slang-based languages) are not yet supported. We take good note of your interest and will be eager to consider it if there is popular interest.

Concerning the rules you want to implement, do you think they may benefit others? If yes, you should definitely consider proposing them directly.

I’m amenable to either forking the slang plugin […]

:warning: I have to warn you: you should think twice before starting in this direction. Slang is still in its early days; the path the plugin (and even the whole Sonar ecosystem) may take in the future could give you a hard time, and troubleshooting such kinds of issues is hard.

Now that you are correctly warned, if you just want to play with it…
Despite the fact that Slang is initially designed for language agnostic rules, you could add a new one (based on Slang, therefore not using any language specific node) with proper metadata, and add it to the GoCheckList. At first glance, it’s already enough to naively have a first rule running.

I hope this clarifies the situation.

Best,
Quentin
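The approach Quentin sketches (a rule that touches only language-agnostic Slang nodes, with metadata, added to the Go check list) looks roughly like the following. This is an added example written for this thread, not code from the slang repository or from any of the posters; the package name, the rule key `GOX1001`, the hostname pattern and the resource path mentioned in the comments are assumptions made here, not values from the project.

```java
package org.sonarsource.go.plugin.custom; // hypothetical package chosen for this example

import java.util.regex.Pattern;
import org.sonar.check.Rule;
import org.sonarsource.slang.api.StringLiteralTree;
import org.sonarsource.slang.checks.api.InitContext;
import org.sonarsource.slang.checks.api.SlangCheck;

/**
 * Regex-style check modelled on slang's HardcodedCredentialsCheck.
 * It registers on StringLiteralTree, a language-agnostic Slang node, so it
 * needs no Go-specific AST and can be listed in the Go check list directly.
 *
 * Assumed steps around this class (not shown, see comments):
 *  1. Add InternalHostnameCheck.class to the list returned by GoCheckList
 *     in the sonar-go plugin module, so GoSensor instantiates it.
 *  2. Provide rule metadata (GOX1001.json and GOX1001.html) under the
 *     resource folder the Go rules definition reads from; the exact path
 *     is an assumption here, so check GoRulesDefinition in the version you
 *     build against.
 *  3. Without both steps the rule never reaches the server-side rule
 *     repository and cannot be activated in a quality profile.
 */
@Rule(key = "GOX1001") // placeholder key, not a real SonarSource rule id
public class InternalHostnameCheck implements SlangCheck {

  // Constructed example pattern: an internal-looking hostname with a
  // hard-coded port embedded in a string literal.
  private static final Pattern INTERNAL_HOST =
      Pattern.compile("\\b[a-z0-9-]+\\.internal\\.example\\.com:\\d{2,5}\\b");

  private static final String MESSAGE =
      "Move this internal endpoint to configuration instead of hard-coding it.";

  @Override
  public void initialize(InitContext init) {
    // The callback runs once per string literal in every Go file the sensor
    // hands to the check; content() is the literal without its quotes.
    init.register(StringLiteralTree.class, (ctx, tree) -> {
      if (INTERNAL_HOST.matcher(tree.content()).find()) {
        ctx.reportIssue(tree, MESSAGE);
      }
    });
  }
}
```

Because the check only reports on literals, a defender reviewing its output should expect no false positives from comments or identifiers, but also no coverage of hostnames built by concatenation; that is the trade-off of the regex-over-literals pattern the original post proposes.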

Hey, We have a similar requirement to add a custom rule to Go Scanner. Is this feature available?


Hello,

It is not possible to write custom rules for Go. However, the Go analyzer provided by SonarSource is open source, so you can contribute to it => GitHub - SonarSource/slang
If you don’t feel comfortable doing that, then the best option is to detail (in a dedicated thread) what you want to detect and maybe we will write the rule(s) for you.

Regards
Alex

I also have the need to customize the rules, is it possible to support the vulnerability plugin in gosec or gokart?

Hello @jooeji,

You can import the results from gosec using the formatter “sonarqube” and then using the property sonar.externalIssuesReportPaths referencing the path to the output of gosec.

Alex

Yeah, emm. But I don’t think that is support for custom rule facilitation. @Alexandre_Gigleux

I probably misunderstood something in your reply where you were talking about two things:

  • vote on this thread to have a way to customize rules
  • ask for the support for gosec and gokart

My reply was for the second part.

If your need is to get more security rules out of the box in SonarQube for Go, this is tracked here.