Is SonarCloud (or any of your products) recognized for IEC 61508

IEC 61508 is a “functional safety” standard that specifies some general guidelines for development of software used in safety-related systems. One of its recommendations is that software tools used in the development of safety-critical software should be certified. Does SonarCloud satisfy this? (Where can I find information about its compliance / certification? I see there are some pages that talk about ISO/IEC 27001 compliance, but I think that is not the same.)

If I understand right, checking for MISRA compliance might be sufficient, and it looks like SonarCloud supports this (e.g., Assess if my C code is compliant with MISRA C 2023 standard), but it would be helpful to see some explicit qualifications, e.g., like LDRA shows here.

See also:

Hi,

That ProductBoard card you found is not a declaration that we provide an assessment of whether your C code is compliant with MISRA C 2023. It’s an effort to measure the level of interest in providing the feature.

We’re chipping away at MISRA 2023, but we don’t have it fully covered yet. We offer many valuable rules, but I would not count SonarCloud analysis as “certification”.

Ann

Thank you for clarifying that MISRA C compliance checking is still in early/planning stages. I have been evaluating a number of static analysis products and most of the ones that are certified are either prohibitively expensive or have very poor UX. If I were shopping merely for what I think would be most helpful to my development team I think I would lean toward your product (rich integration, clear explanation of issues, etc.), but if I need to pick a tool that has particular certification(s) for functional safety to meet our customers’ requirements then I may have to go with something else. Can you share whether or not there has been interest expressed by your customers for IEC 61508 or similar certification or if there are plans to get more certifications for SonarCloud/Qube?

Hi,

I’m not aware of this, but I’ve flagged the thread for the relevant PM, so I expect (hope :crossed_fingers:) him to weigh in, especially with the IEC 61508 question.

Thanks for the kind words. :heart_eyes:

And I think it’s worth pointing out that we have an import format that would allow you to pull other tools’ reports into our good UX. :smiley:

Ann

And I think it’s worth pointing out that we have an import format that would allow you to pull other tools’ reports into our good UX. :smiley:

Can that use SARIF (Static Analysis Results Interchange Format)?
It doesn’t look like it, but at least there appears to be a request for this that is under consideration.

Hi,

We’ve implemented SARIF import for SonarQube, but we haven’t gotten there yet on SonarCloud. You’re right, though, that it’s on the list. I hope you voted/commented on that portal card you linked. :wink:

Ann

Hi @jacobq

We strive to help developers with Clean Code. Its intersection with various standards is a place where we tend to help.
In general, SonarQube and SonarCloud do not aim to be strict compliance tools. That explains why we have no plan so far to become an IEC 61508-certified tool.

I still take note of your interest.

Cheers.

Hey @jacobq

Just an update, we now support importing SARIF reports in SonarCloud.