Hi all,
Thank you to everyone who attended our first exclusive Customer webinar session. Below you can find the questions and answers from the webinar.
SonarLint questions
Q: Does SonarLint support Secrets Detection?
A: Yes — SonarLint supports Secrets Detection (it was actually supported by SonarLint before SonarQube)
Q: Do you benchmark SonarLint and other copilot solutions?
A: We have an article that talks about Clean Code in the Age of Generative AI. You can find out more here: AI Generated Code in Software Development & Coding Assistant
And checkout this demo! https://www.youtube.com/watch?v=qkyD7-Y6AYs
Q: Is SonarLint available for Xcode?
A: Feel free to vote for this item on our roadmap! https://portal.productboard.com/sonarsource/4-sonarlint/c/465-support-xcode-ide?utm_medium=social&utm_source=portal_share
Q: We have a single SonarQube instance but over 100 of different git repos / Visual Studio solutions. Can connected mode be configured globally for the dev machine instead of individually for every solution.
A: It cannot. It’s on a project-per-project basis. That said, we’re currently working on improving this experience and making connected mode setup more streamlined.
Q: Does SonarLint now support C# in VSCode?
A: Yes! More information can be found in this announcement. https://community.sonarsource.com/t/sonarlint-for-vs-code-4-0-support-c-analysis-open-sonarqube-issues-in-the-ide/103641
Q: Could you please share information on how to set up connected mode?
A: Our docs should walk you through this for all our supported IDEs: SonarLint connected mode
Deeper SAST questions
Q: How does SAST work with compiled Java Libraries?
A: It works with well-known, public libraries. For home-grown libraries, Enterprise Edition gives you the ability to configure your sources, sinks &etc. manually.
Q: What SonarQube editions, and versions is Deeper SAST available in?
A: Deeper SAST is available in commercial editions of SonarQube 9.9 LTA and higher. That said, the functionality gets better in each new version, so if this is an area of particular interest for you, you probably want to make sure you’re on the latest version, which is currently 10.4 (10.5 is imminent, though).
Q: Is Deeper SAST available on SonarCloud?
A: Yes
Q: Does using Deeper SAST analysis use up the Lines of Code in my license faster?
A: No. No matter how many different kinds of checks we run against your code, whether that’s “normal” rules, advanced bug detection, SAST, Deeper SAST, secrets detection and so on, each line of code is only counted once.
Q: Does Deeper SAST also validate if a vulnerable function (published CVE) in the dependency is being called in our application developed code? Are there plans to analyse and list dependencies of the projects? A test against the NVD would also be helpful.
A: No — this is in the relam of SCA, which is not a use-case SonarQube covers today.
Q: Deeper SAST kinda works like NexusIQ?
A: We are focused on how the data flows through those dependencies in the context of the code that developers are writing. This is a different approach than SCA tool which (for example) are looking for versions of dependencies that have a vulnerability. Non-vulnerable packages can still be used in a way that exposes an application to risk.
Q: Do we need to enable Deeper SAST, or is it automatic?
A: Just make sure all the security rules are enabled, and you’re good.
Q: How can I learn more about Deeper SAST?
A: Learn more in this blog post! Uncovering hidden security vulnerabilities with deeper SAST
Secrets Detection questions
Q: Will secrets detection in SonarLint only scan the current head, or will it also go into e.g. the git history?
A: SonarLint always works on the file you have open, so if you’re working in main that’s what it scans.
Q: How do I enable secrets detection?
A: Make sure the rules are enabled in your Secrets “language” profile, and all files will automatically be analyzed for secrets patterns.
Q: Is the secret scanning feature also capable of high entropy scanning, or only pattern based?
A: It’s pattern-based.
Q: Is it possible to filter out results only for secrets? I don’t see such category under Security category → SonarSource
A: If you’re trying to filter the Issues page for secrets-related issues, then open the Language filter and choose “Secrets”.
Q: How to I make sure files are scanned for secrets in my IDE?
A: SonarLint supports Secret Detection in the IDE. Make sure you’re using the latest version of the extension for your IDE.
Languages questions
Q: Any plans to support Groovy?
A: We don’t support Groovy and there’s no current timeline, but there is a community-supported plugin (GitHub - Inform-Software/sonar-groovy: SonarQube plugin for Groovy) that takes advantage of SonarQube’s APIs and extensibility.
Q: Will you support Elixir?
A: Nothing on the list at this point.
You may find some luck with the community-supported Erlang plugin. https://github.com/evolution-gaming/sonar-erlang
Q: Is there any support for Rust?
A: Not today. You can vote for this roadmap item here: https://portal.productboard.com/sonarsource/3-sonarqube/c/285-rust-support?utm_medium=social&utm_source=portal_share
Q: When will Sonar support Dart code?
A: We want to. It’s still on the list. Unfortunately, we can’t give you a timeline at this point.
Q: Is support for Powershell on the radar?
A: There is no native support. Plugins exist in the wild to add support, but we haven’t tested them. Here’s one: GitHub - gretard/sonar-ps-plugin: Powershell language plugin for SonarQube
Q: Any plans to generate SBOM - Software Bill of Material for Open-Source Software Packages or CBOM (Cryptography BOM)?
A: No current plans.
Q: Are custom rules for JavaScript or Typescript supported? For other languages? What about secrets detection?
A: For JavaScript/Typescript, you can write your own custom rules using ESLint and import them as third-party issues (Importing third-party issues)
For other languages, take a look at the docs here: https://docs.sonarsource.com/sonarqube/latest/extension-guide/adding-coding-rules/.
And for secrets detection, Enterprise Edition allows you to define custom patterns (Secrets)
Q: Is Java 21 supported in the current 10.4 or planned for 10.5+?
A: It will be supported in SonarQube 10.5. Look for it in mid-April.
General products questions
Q: When is the next SQ LTS release planned?
A: Long-term active versions are released on an approximately 18-month cycle. Theoretically, that puts the next LTA in the summer of this year, but it’s likely to take us a little longer to fulfill all our ambitions for the next one.
Q: When is the SonarQube 10.5 release planned?
A: Look for SonarQube 10.5 in mid-April.
Q: Are you planning to provide an official Terraform provider to aid with using configuration as code for SonarQube, e.g. configuration of groups, permissions, quality gates, and profiles by means of Terraform via a provider.
A: We don’t currently have plans for that. These things are stored in the database, so there’s no real need to set up a way to configure them over and over. It’s one-and-done.
Q: Any Atlassian integrations coming or enabled already in 10.x?
A: SonarQube natively integrates with Bitbucket Cloud and Server. These integrations largely haven’t changed since the 9.x series, where they were last enhanced for 9.9 LTS.
Q: Does SonarQube support Atlassian Jira DC and Jira Cloud to automate creation of a Jira issue for a SonarQube issue
A: We do not. We supported this in the early days of SonarQube and learned from experience that automatic ticket creation for each issue is not a good idea.
Q: Do you plan to support the Quality profile and gates definition at the project level in the future rather than at the organization level.
A: We really encourage users to try and set quality standards that are broadly applicable across an organization. That being said — permissions for individual quality profiles and gates can be delegated to individuals and applied to projects they administrate.
Q: Does Data Center Edition include in everything you show for Enterprise Edition?
A: Yes! All that plus high availability!
Q: Is GitHub integration only for GitHub Cloud or also available for GitHub Enterprise
A: SonarQube integrates with GitHub Enterprise and GitHub.com (self-hosted or SaaS)
Q: How easy and smooth (or otherwise) would it be to migrate your code repositories from GitLab Server to Bitbucket Cloud while keeping historic results etc on the Developer License?
A: With SonarQube — very easy. Once you set up the Bitbucket Cloud integration in your global administration, you can switch individual project’s bindings in the project settings or explore our Web API to automate this.
Q: I have a repo that’s 95% C++ and ~%5 Python. Do those two languages need to be separate scans? Or could they be combined into a single build-wrapper scan?
A: You can absolutely analyze all your code at once. Just make sure that the sonar.sources paths include all of it.
Q: Anything new coming for LTS 9.9?
A: LTSs only get security and bug fixes, no new features.
Q: Any plans to sync user access to SonarQube projects based on user permissions on Gitlab project?
A: We’re working on it now! Look for news on this in the 10.5 and later announcements.
