Go vulnerability rules in SonarCloud very limited

I have been looking around sonarcloud but cannot find a way to bring in custom rules.

To that note, there is only 1 vulnerability rule for Go codebases. This is pretty poor and becoming increasingly important for our projects. We may need to go with a different option if this cannot be supported.

If you have any pointers on how I can make more rules or get more rules for Golang, please share.

1 Like

Hello Donovan,
welcome to the community!

Unfortunately we will not release new security rules for Go in the short term because other languages / topics have higher priority. But SonarQube/SonarCloud is able to gather issues from external tools such as golangci-lint (which can itself enable the gosec tool).

Eric

Thank you for the reply.

Understood on the priority. It's a shame, as our engineering team uses a few different languages. I was hoping to keep all the static analysis in one tool.

Right now the teams are using their own analysis tools with CircleCI, so the value in moving that into SonarCloud is not great versus the effort etc. to implement.

I think a move to project scans and using CircleCI to report this is probably my better option than continuing with our SonarCloud subscription.

Actually, a better question: why are we not able to add custom rules in our org/projects? This way we could self-manage this.

Another example is that the PHP scanner is not catching things like potential SQL injection flaws, etc.

Hello,

SonarSource's Go analyzer is open-source, so you are free to raise PRs to add extra rules. Once merged, they will benefit all.
Also, I'm not getting why you want to write custom rules while the results of the entire Go linter ecosystem can be imported into SonarCloud. If one rule is missing and you want to write it, you can. Select one of the Go linters with a nice rule API, develop the missing rule and import the results into SonarCloud.

For PHP and the fact that in some cases SonarCloud is not raising the expected issue, I suggest creating a dedicated discussion here (please flag it with “false-negative”, “security”, “sqli”) and providing sample code and any other details so we understand the context and can investigate.

Thanks!
Alex

1 Like
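As a worked example of the route Alex describes (develop the missing rule yourself, then import the results), here is a small Go checker added to this thread for illustration; it is not code from SonarSource's Go analyzer, golangci-lint or gosec. It uses only the standard library's go/parser and go/ast, so it runs stand-alone. It flags calls to database/sql-style sink methods (Query, QueryRow, Exec and their *Context variants, an assumed list you would extend for your own DB wrapper) whose query argument is built at run time by string concatenation, a fmt.Sprint* call, or a variable assigned from one. The sample file it scans is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one reported issue.
type Finding struct {
	Line    int
	Message string
}

// sqlSinks are the method names treated as SQL execution sinks.
// Assumption: a database/sql-style API; extend for your own DB wrapper.
var sqlSinks = map[string]bool{
	"Query": true, "QueryRow": true, "Exec": true,
	"QueryContext": true, "ExecContext": true,
}

// isDynamic reports whether an expression builds a string at run time:
// a '+' concatenation, a fmt.Sprint* call, or a variable previously
// assigned from such an expression.
func isDynamic(e ast.Expr, dynVars map[string]bool) bool {
	switch x := e.(type) {
	case *ast.BinaryExpr:
		return x.Op == token.ADD
	case *ast.Ident:
		return dynVars[x.Name]
	case *ast.CallExpr:
		if sel, ok := x.Fun.(*ast.SelectorExpr); ok {
			if pkg, ok := sel.X.(*ast.Ident); ok && pkg.Name == "fmt" &&
				strings.HasPrefix(sel.Sel.Name, "Sprint") {
				return true
			}
		}
	}
	return false
}

// CheckSource parses one Go file and reports every SQL sink whose query
// argument is built dynamically. The analysis is flow-insensitive and
// name-based (no type information), so it over-approximates: a variable
// assigned a dynamic string anywhere in the file counts as tainted everywhere.
func CheckSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	// Pass 1: collect variables assigned from dynamically built strings.
	dynVars := map[string]bool{}
	ast.Inspect(file, func(n ast.Node) bool {
		if as, ok := n.(*ast.AssignStmt); ok && len(as.Lhs) == len(as.Rhs) {
			for i, rhs := range as.Rhs {
				if id, ok := as.Lhs[i].(*ast.Ident); ok && isDynamic(rhs, dynVars) {
					dynVars[id.Name] = true
				}
			}
		}
		return true
	})
	// Pass 2: inspect calls to the sink methods.
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok || !sqlSinks[sel.Sel.Name] {
			return true
		}
		idx := 0 // the *Context variants take the query as the second argument
		if strings.HasSuffix(sel.Sel.Name, "Context") {
			idx = 1
		}
		if idx < len(call.Args) && isDynamic(call.Args[idx], dynVars) {
			findings = append(findings, Finding{
				Line: fset.Position(call.Pos()).Line,
				Message: fmt.Sprintf("query passed to %s is built dynamically; "+
					"use placeholders and bind parameters", sel.Sel.Name),
			})
		}
		return true
	})
	return findings, nil
}

// sampleSource is a constructed input file; lines 10, 12 and 14 should be flagged.
const sampleSource = `package main

import (
	"context"
	"database/sql"
	"fmt"
)

func lookup(ctx context.Context, db *sql.DB, name string, id int) {
	db.Query("SELECT * FROM users WHERE name = '" + name + "'")
	q := fmt.Sprintf("SELECT * FROM users WHERE id = %d", id)
	db.QueryRow(q)
	db.Query("SELECT * FROM users WHERE name = $1", name)
	db.ExecContext(ctx, "DELETE FROM users WHERE id = "+fmt.Sprint(id))
}
`

func main() {
	findings, err := CheckSource("sample.go", sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: %s\n", f.Line, f.Message)
	}
}
```

To turn this into something SonarCloud can ingest, the same logic would be wrapped as a golang.org/x/tools/go/analysis Analyzer and run through golangci-lint with a report format SonarCloud imports (checkstyle via `--out-format checkstyle`, pointed to by the `sonar.go.golangci-lint.reportPaths` property; check the external-issues import docs for your SonarCloud version). Because the check is name-based and has no type information, expect false positives on non-SQL methods that happen to be called Query or Exec; a production rule would use the type checker to restrict sinks to database/sql receivers.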

One of the benefits to using sonarcloud is that it is one tool to handle many solutions. If I am having to maintain several other tools etc then the benefit is far less.

Also, I'm not getting why you want to write custom rules while the results of the entire Go linter ecosystem can be imported into SonarCloud.

SonarSource's Go analyzer is open-source, so you are free to raise PRs to add extra rules. Once merged, they will benefit all.

I will look into it, digging into the repo for contribution guidelines etc. with the team.

So the whole slang library is used by SonarCloud?

TY, yes I will. Need to sanitise etc. first. :slight_smile:

Created the bug topic here