Is SonarQube the right base tool for our idea?

Our objective is to identify a specific list of high risk behaviors in source code, along with any hard coded parameters and strings used (whether obfuscated or not), when code is checked in or built. Examples of high risk behaviors include managing processes that are not children of this process, reading files not owned, or writing data to an IP address outside of the local network. Examples of strings potentially hard coded are the IP address or hostname, file name or path, process ID or name, etc.

Examples of source code languages we are interested in include Java, C, C++, Go, and scripting languages like Python and Perl.

Is SonarQube a good base for this?

Hello @socialquotient,

Happy New Year 2022 and welcome to the SonarSource community :wave: . I hope you’ll enjoy it.

It’s quite difficult to answer your question. I would have 2 reactions:

  • First I noticed that the topic is tagged with Plugin Development. Was it you who added this tag or someone else? If you, I understand your question as “Can I develop additional plugins that would fulfil my use case?”. To this question I would answer by:
    – First of all, plugin development to extend language analysis capabilities is not available for all languages. See the table at Adding Coding Rules | SonarQube Docs
    In essence, you can develop custom rules mainly for COBOL, Java, PHP, Python, RPG.
    – For other languages you can develop rules, but as a completely external tool that would generate a report with issues, injected into SonarQube. This external tool can be part of an existing extensible framework (for example ESLint for JS/TS) or something completely custom developed from scratch
  • If the question is not to develop custom extensions but whether SonarQube out of the box would detect the problems you mention, my suggestion is to try it yourself, and preferably with a commercial edition that can detect many more of these risky patterns you mention. You can request a free 2-week evaluation license at Developer Edition | SonarSource. The Developer Edition is probably what you want to try.
    As a first level of answer I would say that:
    – Yes there are some of the examples you mention that would probably be detected, and
    – Probably No, some other cases would not be detected out of the box (i.e. without custom development)

Olivier
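As an added illustration of the "completely external tool" route Olivier describes (this is example code written for this thread, not SonarSource's code or anything from the original posts), the script below scans source text for two of the hard-coded values the question lists, dotted-quad IP addresses and absolute file paths, classifies addresses as inside or outside the local network, and emits the issues in the layout of SonarQube's Generic Issue Import JSON (the document you point `sonar.externalIssuesReportPaths` at). Assumptions: "local network" is taken to mean the RFC 1918 ranges plus loopback; the rule ids, the engine id `hardcoded-scan`, and `SAMPLE_SOURCE` are all constructed here; field names follow the generic issue format as documented for the SonarQube versions current at the time of the thread, so check them against the docs for your version.

```python
import ipaddress
import json
import re

# Constructed sample source (not from the thread), the kind of file the scanner would see.
SAMPLE_SOURCE = """\
import socket

CONTROL_HOST = "203.0.113.7"
LOCAL_DB = "10.0.0.5"
LOG_PATH = "/var/log/app/events.log"
sock = socket.create_connection((CONTROL_HOST, 8443))
"""

# "Local network" as used in the question: RFC 1918 ranges plus loopback (an assumption).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Quoted dotted-quad literal, and quoted absolute POSIX path with at least one directory.
IPV4_RE = re.compile(r'["\']((?:\d{1,3}\.){3}\d{1,3})["\']')
PATH_RE = re.compile(r'["\'](/(?:[\w.-]+/)+[\w.-]+)["\']')

ENGINE_ID = "hardcoded-scan"  # hypothetical engine name, chosen for this example


def is_local(addr):
    """True if the address falls inside one of the LOCAL_NETS ranges."""
    return any(addr in net for net in LOCAL_NETS)


def make_issue(path, line, rule, severity, message):
    """One issue in the generic issue import layout (field names as documented)."""
    return {
        "engineId": ENGINE_ID,
        "ruleId": rule,
        "severity": severity,
        "type": "VULNERABILITY",
        "primaryLocation": {
            "message": message,
            "filePath": path,
            "textRange": {"startLine": line, "endLine": line},
        },
    }


def scan_source(path, text):
    """Return a list of issue dicts for hard-coded IPs and paths found in `text`."""
    issues = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in IPV4_RE.finditer(line):
            try:
                addr = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # e.g. "999.1.1.1" looks like an address but is not one
            if is_local(addr):
                issues.append(make_issue(path, lineno, "hardcoded-local-ip", "MINOR",
                                         f"Hard-coded local-network address {addr}"))
            else:
                # Outside the local network: the higher-risk case from the question.
                issues.append(make_issue(path, lineno, "hardcoded-external-ip", "MAJOR",
                                         f"Hard-coded address outside the local network: {addr}"))
        for m in PATH_RE.finditer(line):
            issues.append(make_issue(path, lineno, "hardcoded-path", "MINOR",
                                     f"Hard-coded file path {m.group(1)}"))
    return issues


def build_report(issues):
    """Serialise issues as the JSON document referenced by sonar.externalIssuesReportPaths."""
    return json.dumps({"issues": issues}, indent=2)


if __name__ == "__main__":
    found = scan_source("app/config.py", SAMPLE_SOURCE)
    print(build_report(found))
```

On the sample above this reports three issues: the external address on line 3 as MAJOR, the private address on line 4 and the log path on line 5 as MINOR. Obfuscated strings (base64, split concatenation, XOR) are deliberately out of scope for a regex pass like this; catching those needs the language-aware custom rules Olivier mentions, where the analyser sees constant expressions rather than raw text.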