APEX Code Coverage and Security Report

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube Enterprise)

Hi,

I was tasked with evaluating SonarQube for an Apex SAST project. After reviewing the documentation on generating reports, I came across this link for report prerequisites:
Test Coverage & Execution | SonarQube Docs

However, it is unclear to me where the Salesforce DX project needs to be located. Does the client need to create a Salesforce DX project in their environment? Is the requirement for an existing SonarQube project for Salesforce DX? What is meant by “Org” in this context?

Additionally, is this required to generate a security report or only code coverage?

Thanks in advance.

Hello @aworm
thanks for reaching out. If you are running an evaluation of one of the commercial editions of SonarQube, you should be able to raise any questions to your SonarSource sales representative.

> However, it is unclear to me where the Salesforce DX project needs to be located. Does the client need to create a Salesforce DX project in their environment? Is the requirement for an existing SonarQube project for Salesforce DX? What is meant by “Org” in this context?

SonarQube only requires that a test report file be present at the time of analysis. The rest is a 100% Salesforce topic; Salesforce developers will know what is meant by a Salesforce DX project and an Org link in its context. I suggest that you ask them about it.

> Additionally, is this required to generate a security report or only code coverage?

For coverage, only a code coverage report is needed. I have no particular knowledge about these “security reports”, but if an external tool is able to generate any report about the APEX code, its findings may get imported to SonarQube: Importing third-party issues

Best regards
Sylvain
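The reply above names two separate inputs: a coverage report, which the Apex analyzer reads through the `sonar.apex.coverage.reportPath` property (the `test-result-codecoverage.json` file written by the Salesforce CLI's `apex:test:run` command with code coverage and JSON output enabled), and findings from an external tool, which go in through the generic issue import format referenced by `sonar.externalIssuesReportPaths`. The following converter is an added example, not code from the thread or from SonarSource: it takes the output of a hypothetical Apex scanner (the input keys `file`, `line`, `endLine`, `rule`, `level`, `msg` and the sample findings are constructed for this example) and emits a report in the generic issue JSON shape, validating the fields SonarQube requires before writing it. The rule names in the sample are placeholders, not a claim about what any real scanner reports.

```python
"""Convert an external Apex scanner's findings into SonarQube's generic
issue import JSON (the file referenced by sonar.externalIssuesReportPaths).

The scanner output format below is a constructed, hypothetical one used
only for this example; map your real tool's fields onto the same keys.
"""
import json
from pathlib import Path

# Values the generic issue import format accepts for severity and type.
SEVERITIES = {"BLOCKER", "CRITICAL", "MAJOR", "MINOR", "INFO"}
TYPES = {"BUG", "VULNERABILITY", "CODE_SMELL"}

# How the hypothetical scanner's levels map onto SonarQube severity/type.
LEVEL_MAP = {
    "high": ("CRITICAL", "VULNERABILITY"),
    "medium": ("MAJOR", "CODE_SMELL"),
    "low": ("MINOR", "CODE_SMELL"),
    "info": ("INFO", "CODE_SMELL"),
}

# Constructed sample output of the hypothetical scanner (not real findings).
SAMPLE_SCANNER_OUTPUT = [
    {"file": "force-app/main/default/classes/AccountService.cls",
     "line": 42, "endLine": 44, "rule": "DynamicSoqlFromInput",
     "level": "high", "msg": "Dynamic SOQL string built from request input"},
    {"file": "force-app/main/default/classes/AccountService.cls",
     "line": 10, "rule": "MissingSharingKeyword",
     "level": "medium", "msg": "Class declares no sharing mode"},
    # line 0 means "whole file": SonarQube rejects a textRange whose
    # startLine is below 1, so this finding must carry no textRange.
    {"file": "force-app/main/default/classes/Util.cls",
     "line": 0, "rule": "GlobalModifierUnneeded",
     "level": "info", "msg": "global modifier is not required"},
]


def to_sonar_issue(finding, engine_id="apex-scanner"):
    """Map one scanner finding onto one generic-format issue object."""
    severity, issue_type = LEVEL_MAP.get(
        str(finding["level"]).lower(), ("MAJOR", "CODE_SMELL"))
    location = {"message": finding["msg"], "filePath": finding["file"]}
    start = int(finding.get("line", 0))
    if start >= 1:
        text_range = {"startLine": start}
        end = int(finding.get("endLine", 0))
        if end >= start:
            text_range["endLine"] = end
        location["textRange"] = text_range
    return {
        "engineId": engine_id,
        "ruleId": finding["rule"],
        "severity": severity,
        "type": issue_type,
        "primaryLocation": location,
    }


def validate_report(report):
    """Reject reports SonarQube would refuse instead of failing at analysis time."""
    for index, issue in enumerate(report.get("issues", [])):
        for key in ("engineId", "ruleId", "severity", "type", "primaryLocation"):
            if key not in issue:
                raise ValueError(f"issue {index}: missing required field {key}")
        if issue["severity"] not in SEVERITIES:
            raise ValueError(f"issue {index}: bad severity {issue['severity']}")
        if issue["type"] not in TYPES:
            raise ValueError(f"issue {index}: bad type {issue['type']}")
        location = issue["primaryLocation"]
        if not location.get("filePath") or not location.get("message"):
            raise ValueError(f"issue {index}: primaryLocation needs filePath and message")
        text_range = location.get("textRange")
        if text_range is not None and int(text_range.get("startLine", 0)) < 1:
            raise ValueError(f"issue {index}: textRange.startLine must be >= 1")
    return True


def build_report(findings, engine_id="apex-scanner"):
    """Build and validate the full report object."""
    report = {"issues": [to_sonar_issue(f, engine_id) for f in findings]}
    validate_report(report)
    return report


def write_report(findings, out_path, engine_id="apex-scanner"):
    """Write the report file that sonar.externalIssuesReportPaths will point at."""
    report = build_report(findings, engine_id)
    Path(out_path).write_text(json.dumps(report, indent=2), encoding="utf-8")
    return report


if __name__ == "__main__":
    written = write_report(SAMPLE_SCANNER_OUTPUT, "apex-external-issues.json")
    print(f"wrote {len(written['issues'])} issues to apex-external-issues.json")
```

Point `sonar.externalIssuesReportPaths` at the generated file (and `sonar.apex.coverage.reportPath` at the coverage JSON) in `sonar-project.properties` or on the scanner command line; both paths are resolved relative to the project base directory. Imported issues keep the external tool's rule identity (`engineId`/`ruleId`), so they show up in SonarQube as third-party findings and are not governed by the Quality Profile, which is why the validation above does the rejecting rather than relying on the analysis step.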