How often are builtin rules updated in SQ

Must-share information (formatted with Markdown):

  • SonarQube 8.9.7.52159 LTS
  • find out how actual the rules are
  • Searched the docs and the internet :slight_smile:

Hi there,

Our security department is trying to set up a new policy about code quality, and therefore they are also considering SonarQube as part of that task. One question which came up is how often the rules are updated for, e.g., Java. They are built in, which means that you only get an updated ruleset by upgrading the whole software itself (one thing I miss from previous versions, where you were able to update the plugin itself).
However, I wasn’t able to find any information on how close the rules and their tags in the database are to the list from OWASP & Co. Does anyone have such information, maybe? I also ask myself whether the rules are more actual when using a paid version, e.g. the Enterprise edition. Is this the case or not?

Regards, Thomas

Hi Thomas,

I am not sure I understand what you mean by “how close the rules” are. Can you elaborate?

In regards to your last question, the paid versions and the free version use the same rules (the paid versions just have some additional rules).

Maybe our Jira helps? There you can see what rules we are working on and when: SonarJava - Issues - Jira

With “how close are the rules” I meant the accuracy of the rules according to their specification in their source, e.g. OWASP. They’re changing the Top 10, etc. from time to time, and thus the rules in SonarQube may have to be updated as well.
In short: OWASP updates their Top 10 - when are the rules updated in SonarQube?

I hope that I explained a bit better than before. Regards, Thomas

OWASP Top 10 is pretty generic, it does not contain any specifics. If a new OWASP Top 10 version is released every few years, we try to map our rules to the new version as well, but this (usually) does not influence how they are implemented.

Ok, that’s fair. But the rules implemented in SonarQube are only updated when upgrading the software itself, aren’t they? Or is there a mechanism I do not know? In previous versions (<8.x) the rules were in separate plugins, which could be individually updated, weren’t they?

Regards, Thomas

Yes, that is correct. To get newer analyzer plugins and rules you will have to update SonarQube. This change was introduced about 3 years ago.