We weren’t able to get to all of the questions that came in during the webinar, so as a follow-up, we’re answering some of the remaining questions here:
Covered Programming Languages
For what languages is Code Security available today? What’s planned?
Security Vulnerability rules are available today in C#, Java, PHP, and Python. Later this year we expect to add JavaScript, TypeScript, C, and C++.
Security Hotspot rules are available today in C#, Java, PHP, VB.NET, JavaScript and Python. Later this year we expect to add TypeScript, C, and C++.
See https://www.sonarqube.org/features/security/ for the most up-to-date information.
What is the overall language coverage of SonarQube?
We cover 27 languages across SonarQube’s four editions. You can see the complete list here:
https://www.sonarqube.org/features/multi-languages/
We’re already using another product. Is your offering mature enough to replace it?
We feel our results are good, with a broad array of rules, few False Positives, and good performance. Additionally, we offer a very good user experience, including a dedicated Security Hotspot review interface, plus proven SDLC integration.
The feedback we’ve received from new customers who switched from other products indicates that we are mature enough in Java, C#, and PHP. But don’t take our word for it. Request a 14-day trial license for Developer Edition (or Enterprise Edition if you need reporting) and see for yourself.
Code Security rules
Is it possible to identify CSRF or XSS vulnerabilities?
We have CSRF-related rules for most of the Code Security languages, and SonarQube 8.2 added XSS detection in Java and XXE detection in C#.
In which Editions are Security Hotspots available?
Security Hotspots are available in all editions, including Community Edition, which is free and open-source. These rules are available in versions starting with SonarQube v7.9, although we recommend you use the latest SonarQube version for the continuously improved rule set and user interface.
Who should perform Security Hotspot review?
We believe developers should be the ones to review Security Hotspots. We believe the responsibility for Code Security belongs primarily with them, and we give them guidance and documentation to understand and evaluate Security Hotspots on their own. With this guidance, they should only need to call in experts for complex cases.
Why do we think developers should own this? The more we can make developers sensitive to the fact that this or that API is security-sensitive, the safer the code will be in the end.
Which SonarQube version provides these security checks?
Code Security is available starting from the 7.9 LTS, although we recommend you use the latest version to get the benefit of the newest rules and user experience improvements.
Does Taint Analysis add much time to analysis?
Adding Taint Analysis does increase the CI-side duration some, but so far so good. The first rounds of feedback have been very positive, and we are continuously improving the performance of this engine. We see it as a mandate to stay true to our developer-focused approach, which means giving timely code security feedback as part of the code review process.
What about false positives?
We work hard to make sure we don’t raise False Positive issues from the Security Vulnerability rules, and are continuously interacting with our community to capture feedback and make improvements based on it. For Security Hotspots, by definition False Positives aren’t possible because a Security Hotspot is raised on a piece of security-sensitive code. It’s up to you to review those Security Hotspots and either mark them safe or make code changes based on the guidance we provide.
Am I right that Community Edition has a limited number of vulnerabilities?
We provide a lot of Security Vulnerability and Security Hotspot rules with SonarQube Community Edition (CE). With the Developer Edition and above, you also have access to the Taint Analysis/Injection rules on top of what is provided with CE.
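To make the distinction drawn in the two answers above concrete, here is a small, self-contained model of the two rule kinds. It is an added illustration written for this post, not SonarQube’s engine or any of its rules: a Security Hotspot rule fires on every use of a security-sensitive API, with no data-flow reasoning, which is why the result is reviewed rather than counted as a false positive; a Taint Analysis rule fires only when data from an untrusted source reaches a dangerous sink without being sanitized, which is the extra engine work that costs CI time. The API names in the rule tables and the sample code being scanned are constructed for the example.

```python
import ast

# Constructed rule tables for this toy model (SonarQube's real rule sets are far larger).
HOTSPOT_APIS = {"random.random", "random.randint"}   # security-sensitive APIs to review
SOURCES = {"request.args.get"}                       # where untrusted data enters
SANITIZERS = {"int"}                                 # calls that neutralise taint
SINKS = {"cursor.execute"}                           # dangerous when the SQL text is tainted


def dotted_name(node):
    """Return 'pkg.attr.attr' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def calls_in(node):
    """All Call nodes inside `node` (including `node` itself)."""
    return [n for n in ast.walk(node) if isinstance(n, ast.Call)]


def names_in(node):
    """All plain identifiers referenced inside `node`."""
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def analyze(source):
    """Return (hotspots, vulnerabilities) as lists of (function, line, message)."""
    hotspots, vulnerabilities = [], []
    for func in ast.parse(source).body:
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()  # names holding untrusted data at the current statement
        for stmt in func.body:
            # Hotspot rule: every use of a sensitive API is reported; a human decides
            # whether this particular use matters, so "false positive" does not apply.
            for call in calls_in(stmt):
                name = dotted_name(call.func)
                if name in HOTSPOT_APIS:
                    hotspots.append((func.name, call.lineno, f"{name} is security-sensitive; review"))
            # Taint propagation through simple assignments: source -> tainted,
            # sanitizer -> clean, anything built from a tainted name -> tainted.
            if isinstance(stmt, ast.Assign):
                rhs = stmt.value
                rhs_name = dotted_name(rhs.func) if isinstance(rhs, ast.Call) else None
                if rhs_name in SANITIZERS:
                    is_tainted = False
                elif any(dotted_name(c.func) in SOURCES for c in calls_in(rhs)):
                    is_tainted = True
                else:
                    is_tainted = bool(names_in(rhs) & tainted)
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        (tainted.add if is_tainted else tainted.discard)(target.id)
            # Vulnerability rule: tainted data in the SQL-text argument of a sink.
            # Bound parameters (second argument) are deliberately not a sink.
            for call in calls_in(stmt):
                sink = dotted_name(call.func)
                if sink in SINKS and call.args and names_in(call.args[0]) & tainted:
                    vulnerabilities.append((func.name, call.lineno, "tainted data reaches " + sink))
    return hotspots, vulnerabilities


# Constructed code under analysis: one injectable query, one parameterized query,
# one query built from a sanitized value, and one security-sensitive API call.
SAMPLE = """import random

def lookup(request, cursor):
    user_id = request.args.get("id")
    query = "SELECT name FROM users WHERE id = " + user_id
    cursor.execute(query)
    return random.random()

def lookup_parameterized(request, cursor):
    user_id = request.args.get("id")
    cursor.execute("SELECT name FROM users WHERE id = ?", (user_id,))

def lookup_sanitized(request, cursor):
    user_id = int(request.args.get("id"))
    cursor.execute("SELECT name FROM users WHERE id = " + str(user_id))
"""

if __name__ == "__main__":
    found_hotspots, found_vulns = analyze(SAMPLE)
    for kind, findings in (("HOTSPOT", found_hotspots), ("VULNERABILITY", found_vulns)):
        for function, line, message in findings:
            print(f"{kind}: {function}:{line}: {message}")
```

Running it reports one Vulnerability (the concatenated query in `lookup`) and one Hotspot (the `random.random()` call, which the reviewer must judge in context: harmless for a display value, a problem if the result is used as a token). The parameterized and sanitized variants produce nothing, because the taint either never reaches the SQL text or is cut by the sanitizer, which is the behaviour that lets a taint engine stay quiet on safe code rather than flag every `execute` call.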
Integration
Can these Code Security Features integrate with my GitHub, Bitbucket, GitLab, Azure DevOps environment?
Sure. SonarQube Developer Edition provides feedback directly in these ALMs, thanks to Pull Request decoration. More here.
How about IDE integration?
SonarLint brings static analysis, including all the Vulnerability rules included in Community Edition, to the four main IDEs. Unfortunately, it does not yet include taint analysis/injection rules or Security Hotspots at this time.
How can I try this all out?
To get started with Security Hotspots and Vulnerabilities, you can download SonarQube Community Edition for free.
If you’re interested in Taint Analysis/Injection rules, and want to see these issues raised directly in your PRs in the four major ALMs (GitHub, GitLab, Bitbucket, and Azure DevOps), you can request a 14-day trial license for Developer Edition.
Need all that plus Security Reports? Enterprise Edition is what you’re looking for. Request a 14-day trial license here.
Where can I ask more questions?
If you have general questions about product features, join us in the SonarSource community. We’ll be glad to see you!
For questions about commercial editions, including pricing or trial licenses, try one of these:
For other commercial questions, contact us here.