Hey SonarQube and SonarCloud users! You now have a tool to own Code Security!
SonarSource has been hard at work for the last year to give you the tooling to review and improve your code security. We’re glad to say that today you have at your fingertips unmatched precision and performance in SAST (Static Application Security Testing) analysis for five languages and counting.
Firstly, what, if anything, is needed to make use of this?
The post mentions just ensure your Quality Profile is up to date.
Using SonarCloud, our Quality Profiles are all set to use “Sonar Way (Built-In)”, but looking at the PHP Quality Profile, it should be updated automatically (“This quality profile is provided by SonarCloud. It will automatically be updated”), but last updated is 4 months ago.
Secondly, what are the real differences with this latest update, because Security Hotspots and Injection Vulnerabilities have been present in SonarCloud for the whole time I’ve been using it (many months…)
Maybe I’m missing something but I don’t see anything different…
It would be great if you could provide a Webinar or something similar that explains the new feature in depth. We will also need some kind of comparison with other SAST tools to see if this is good enough to replace other solutions we have in place.
Please update the blogpost to say in which versions of the products this is released. I don’t see that on the release page: https://www.sonarqube.org/whats-new/ and it should be mentioned in both places for transparency
You’ll always get the best stuff in the latest version. TBH, we’ve been adding bits and pieces since the RIPS acquisition, but for the best experience you should always stick to the latest version - we add new rules and improve old ones with each release.
Perfect! You should be good to go! Not every built-in profile is updated every month. We have a lot of developers, but we also cover a lot of languages, and so there’s some rotation. Just keep up with Sonar way and you’ll stay current.
Since this is a YMMV-kind of assessment - and since we get better with each release! - we don’t publish this kind of comparison. (And no, I don’t have a private copy I can share off-line. ) What I urge you to do is request a free trial and test it out on your own code.
Over the last couple years, a number of companies ran their own comparisons & found the results good enough to make the switch even before the RIPS acquisition & integration.
As I mentioned earlier, we’ve been iterating on this for a while, and small iterations get released to SonarCloud very quickly. So if you were already paying attention and staying current then you may not notice anything different. But cumulatively we’ve done a lot of work in this area in 2020 and we decided to make a big splash now because we finally felt ready to “put a bow on it”.
That’s a great idea. I’ll take it back to the team!