Lesser rules available in SonarQube version

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube SonarScanner
  • what are you trying to achieve
    I tried to run a PHP scan on my code, specifically to look for security warning / hotspots. The analysis run in SonarQube is good and I able to view some warnings in SonarQube.
    However, I also tried our SonarCloud at the same time. Using the same code, it seems like SonarCloud are able to report more warning using some extra rules.
    For example, please take a look at images below, the one from SonarCloud shows 208 vulnerability rules but I only see 97 rules in SonarQube running locally.
    Screenshot 2020-08-14 at 10.36.04 AM
    Screenshot 2020-08-14 at 10.35.43 AM
  • what have you tried so far to achieve this
    I thought it’s because I am using older version of Sonar Scanner with lesser rules. So I tried to upgrade the version of SonarScanner to latest 4.4 but still the same.


There are two things going on here.

First, it’s not your version of the scanner you need to upgrade, but of SonarQube itself. The current version of SonarQube is 8.4.1. Once you upgrade versions you’ll naturally see more rules.

However, the second thing going into this numbers difference is the edition. Presumably you’re on Community Edition, which offers fewer languages. Upgrading to a commercial edition will add more languages to your instance and thus naturally more rules.

In addition, upgrading to at least Developer Edition($) will add a few more key security rules to the languages you already have access to.

SonarCloud is running with the benefit of almost all the languages SonarSource offers, and the additional security rules for the languages in Community Edition.

As a final note, it’s worth pointing out that SonarCloud gets a trickle of new rules weekly as they’re developed, while new SonarQube versions get bulk deposits with each new release every ~2mo. So it’s likely that you won’t see SonarQube quite “catch up” because even on release day SonarCloud may be a week ahead.