Is it possible to use pylint with SonarQube?

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  • what are you trying to achieve:

Currently I am running firstly pylint and then SonarQube while analyzing our code.

  • what have you tried so far to achieve this: is there a way we can configure pylint inside SonarQube?

As both are static code analyzers, I'm just wondering what could be the main difference between pylint and SonarQube in the case of a Python project?

Hi @aqm,

Yes it is possible to use Pylint with SonarQube. The recommended way to do so is to run pylint yourself and then import its report in SonarQube by setting sonar.python.pylint.reportPath in your sonar-project.properties file. You can see how to do so in the documentation. Note that we will soon change the way we import pylint issues. When you want to disable pylint issues you should do it in your code as pylint’s documentation suggests. Disabling pylint issues in SonarQube will soon be removed. We do this to make the integration smoother and enable issues coming from pylint’s plugins.

As you said, Pylint and SonarQube python analyzer both perform static analysis of your code. Making a full list of differences would be quite long but here are a few differences:

  • SonarQube’s python analyzer detects security vulnerabilities, including injection vulnerabilities. See for example our last release announcement.
  • Pylint and SonarQube’s python analyzer provide different rules. Not every rule in SonarQube exists in Pylint and vice versa. We are currently improving SonarQube’s analyzer a lot, so you will see many additional rules arriving soon. If you want SonarQube to detect a specific bug, code smell or vulnerability and you don’t see it in our list of rules, don’t hesitate to ask for it on this forum in the section Suggest New Features => New rules.
  • False Positives and False Negatives rates are different between linters. Rather than giving specific examples which would be to the advantage of one tool or the other, I invite you to analyze your code and see for yourself the result. I can only say that we strive to have as little False Positives and False Negatives as possible. If you see a False Positive you can create a topic on this forum in the section Report a Bug => False Positive. We’ll do our best to fix it rapidly.

Note also that SonarQube is more than the sum of its analyzers. You can define a quality gate, analyze pull requests, handle separately your pre-existing technical debt and new issues, etc… SonarQube’s python analyzer is also able to import issues from other tools such as bandit and soon flake8 (this is already possible on SonarCloud). Our goal is to integrate in your existing workflow and provide the best experience out of the box.

Does this answer your questions?

Nicolas

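The import workflow Nicolas describes above (run pylint yourself, then hand the report to the scanner via sonar.python.pylint.reportPath) is easy to get subtly wrong: the report can contain lines that are not issues, and the paths in it only line up with the sources if pylint and sonar-scanner see the same project base directory. The script below is an added example, written for this page and not SonarSource's own importer. It takes only two facts from the thread, the property name and the pylint --msg-template, and everything else (the regex, the "skip non-matching lines" behaviour, the assumption that the scanner resolves {path} relative to its base dir, the constructed sample report) is this example's own.

```python
"""Sanity-check a pylint report before pointing sonar.python.pylint.reportPath at it.

Added example, not SonarSource code. The only facts taken from the thread are the
property name sonar.python.pylint.reportPath and the pylint --msg-template shown
there; the parsing and checks below are this example's own (assumed) logic.
"""
import re
from collections import Counter
from pathlib import Path

# Template from the thread:
#   pylint <pkg> -r n --msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}" > report.txt
MSG_TEMPLATE = "{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}"

# Regex for one line produced by that template. The path group is non-greedy so a
# Windows-style "C:\..." prefix does not swallow the ":line:" separator.
PYLINT_LINE = re.compile(
    r"^(?P<path>.+?):(?P<line>\d+): "
    r"\[(?P<msg_id>[CRWEFI]\d{4})\((?P<symbol>[a-z0-9-]+)\), (?P<obj>[^\]]*)\] "
    r"(?P<msg>.*)$"
)


def parse_report(text):
    """Split report text into (issues, skipped).

    issues:  dicts with path/line/msg_id/symbol/obj/msg for lines matching the template
    skipped: non-empty lines that do not match, e.g. the "************* Module foo"
             headers pylint prints in addition to the templated message lines
    """
    issues, skipped = [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = PYLINT_LINE.match(line)
        if m is None:
            skipped.append(line)
            continue
        issue = m.groupdict()
        issue["line"] = int(issue["line"])
        issues.append(issue)
    return issues, skipped


def project_files(base_dir):
    """Set of *.py paths relative to base_dir, POSIX-style, as the scanner would see them."""
    base = Path(base_dir)
    return {p.relative_to(base).as_posix() for p in base.rglob("*.py")}


def missing_paths(issues, known_files):
    """Report paths that do not resolve against the files under the project base dir.

    A non-empty result usually means pylint was run from a different directory than
    sonar-scanner (assumption: the scanner resolves {path} relative to its base dir).
    """
    return sorted({i["path"] for i in issues if Path(i["path"]).as_posix() not in known_files})


def summarize(issues):
    """Count issues by pylint category letter (C convention, R refactor, W warning, E error, F fatal)."""
    return Counter(i["msg_id"][0] for i in issues)


def sonar_properties(project_key, report_path="pylint-report.txt"):
    """Minimal sonar-project.properties content that hands the report to the scanner."""
    return "\n".join([
        f"sonar.projectKey={project_key}",
        "sonar.sources=.",
        # property name as given in the thread; the same key can be passed as
        # -Dsonar.python.pylint.reportPath=... on the sonar-scanner command line
        f"sonar.python.pylint.reportPath={report_path}",
        "",
    ])


# Constructed sample report (not real pylint output from the thread's project).
SAMPLE_REPORT = """\
************* Module app.models
app/models.py:12: [C0114(missing-module-docstring), ] Missing module docstring
app/models.py:30: [W0612(unused-variable), User.save] Unused variable 'tmp'
app/views.py:8: [E1101(no-member), index] Instance of 'Request' has no 'foo' member
"""

if __name__ == "__main__":
    issues, skipped = parse_report(SAMPLE_REPORT)
    print(f"{len(issues)} issues parsed, {len(skipped)} non-issue lines skipped")
    print("by category:", dict(summarize(issues)))
    print("unresolvable paths:", missing_paths(issues, project_files(".")))
    print(sonar_properties("my-project"))
```

Run pylint with the template from the thread from the same directory you later run sonar-scanner in, then feed the report file to parse_report and missing_paths; any path it cannot resolve against project_files(".") is a path the scanner will not be able to attach issues to either.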

OK, because I run Pylint separately and then enable the Pylint rules in my quality profile on SonarQube, but it didn't give me the same result that I get from pylint.

So for now, do you recommend using SonarQube and pylint separately?

But I'm also just wondering whether I correctly enabled the pylint rules on SonarQube or not.

Steps :

  1. I went to Quality Profiles
  2. created a new profile (as you can’t edit built-in profiles, set “Sonar Way” as its parent)
  3. open this profile, press “Activate more”, you will see list of inactive rules
  4. on the facet on the left pick ‘Repository’ -> ‘Pylint’
  5. you will see all available Pylint rules, press ‘bulk change’ to activate all of them

This is what I have done. Then I run my sonar scanner command line. FYI, I don't use “sonar.python.pylint.reportPath”; meaning instead of using it in your sonar-project.properties file, I am sure that I can use it as -Dsonar.python.pylint.reportPath. But which path should I use? If it’s of the form

```
pylint <module_or_package> -r n --msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}" > <report_file>
```

then where should I run it?

Can you explain it a little bit?

Thanks, we will wait for your reply.