New Plugin Submission: Wolfram Mathematica Language Analyzer (Wolfralyze)

Dear SonarSource Marketplace Team,

I am submitting a new plugin for the SonarQube Marketplace: Wolfralyze, a comprehensive code quality and security analyzer for the Wolfram Mathematica programming language.

Plugin Overview

Name: Mathematica
Key: mathematica
Version: 1.0.0
License: AGPL-3.0
Repository: GitHub - bceverly/wolfralyze: SonarQube plugin for Wolfram Mathematica - Code duplication detection and static analysis
Website: wolfralyze.org

Description

Wolfralyze brings Tier 1 language support to Wolfram Mathematica, a language widely used in scientific computing, data science, machine learning, and computational research. This plugin provides comprehensive static analysis with:

  • 529+ Quality Rules covering:
    • 27 Security Vulnerability rules (SQL injection, command injection, XSS, hardcoded credentials, crypto weaknesses)
    • 29 Security Hotspot rules
    • 162 Bug Detection rules
    • 247 Code Smell rules
    • Performance anti-patterns
  • Advanced Features:
    • Symbol table analysis for variable lifetime and scope tracking
    • Copy-paste detection (CPD)
    • Syntax highlighting for .m, .wl, and .wls files
    • Code metrics: Lines of code, cyclomatic complexity, cognitive complexity
    • Test coverage support (native Wolfram format)
    • 53 automated quick fixes
  • Security Analysis:
    • Command injection detection
    • SQL injection detection
    • Hardcoded credentials detection
    • Cryptographic weakness detection
    • Path traversal vulnerabilities
    • OWASP Top 10 coverage

Screenshots

Visual demonstrations are available showing:

  1. Dashboard Overview - SonarQube dashboard showing comprehensive quality metrics
  2. Issues Detection - Detailed issue list with security vulnerabilities, bugs, and code smells
  3. Code Analysis - Syntax highlighting and inline issue detection in Mathematica code
  4. Rule Documentation - Comprehensive rule explanations with Mathematica-specific guidance
  5. Quality Profile - Complete view of 529+ rules organized by category
  6. Plugin Installation - Successful integration with SonarQube marketplace

Screenshots are in the repository at: docs/images/screenshots/

Technical Details

  • Minimum SonarQube Version: 9.9
  • Java Version: 11+
  • Supported File Extensions: .m, .wl, .wls
  • Plugin Size: ~800KB
  • Test Coverage: 94.9%

SonarCloud Quality Gate

Project ID: bceverly_wolfralyze (viewable on SonarCloud)

Status: :white_check_mark: PASSING (Quality Gate: A rating)

  • Coverage: 94.9%
  • Bugs: 0
  • Vulnerabilities: 0
  • Security Hotspots: 0
  • Code Smells: Minimal
  • Duplications: 0.0%

Quality Assurance

The plugin has been:

  • :white_check_mark: Thoroughly tested with 94.9% code coverage
  • :white_check_mark: Analyzed on SonarCloud with zero critical issues
  • :white_check_mark: Validated against the SonarQube Plugin API
  • :white_check_mark: Tested on SonarQube 9.9+ and 10.x
  • :white_check_mark: Documented with comprehensive user guides
  • :white_check_mark: Licensed under AGPL-3.0 (marketplace-compatible)

Release Assets

The v1.0.0 release includes:

  • wolfralyze-1.0.0.jar - Plugin binary (SHA256 verified)
  • wolfralyze-1.0.0-sbom.json - Software Bill of Materials (SBOM)
  • update-center-properties - Marketplace metadata

All releases are:

  • Automatically built via GitHub Actions
  • Cryptographically signed with SHA256 hashes
  • Accompanied by SBOM for supply chain security
  • Available in the GitHub repository releases section

Target Audience

This plugin serves:

  • Scientific computing teams using Wolfram Mathematica
  • Data scientists and researchers
  • Educational institutions teaching computational mathematics
  • Organizations using Mathematica for financial modeling, engineering simulations, and data analysis

Mathematica is used by thousands of organizations worldwide, and this plugin fills a gap in the SonarQube ecosystem by bringing enterprise-grade code quality analysis to this important language.

Supporting Materials

The repository includes:

  • Complete documentation in GitHub Wiki format (docs/ directory)
  • Installation and configuration guides
  • Rule catalog with all 529 rules documented
  • CI/CD integration examples (GitHub Actions, GitLab, Jenkins, Azure, CircleCI)
  • Test project with intentional issues for demonstration
  • SBOM guide for security and compliance

Developer Information

Organization: Bryan C. Everly
Contact: Available in repository

I am committed to maintaining this plugin and providing timely updates for new SonarQube versions and rule enhancements.

Marketplace Compliance

This plugin:

  • :white_check_mark: Follows SonarQube Plugin API guidelines
  • :white_check_mark: Uses only documented, stable APIs
  • :white_check_mark: Includes proper metadata in .sonarsource/metadata.json
  • :white_check_mark: Provides clear installation and configuration documentation
  • :white_check_mark: Uses an OSI-approved open-source license (AGPL-3.0)
  • :white_check_mark: Includes automated testing and quality gates
  • :white_check_mark: Provides SBOM for security transparency
  • :white_check_mark: Does not compete with existing SonarSource offerings
  • :white_check_mark: Provides NCLOC and NCLOC_DATA metrics for language support

Demonstration

A fully working demonstration project is available (wolfralyze-test-project repository), which includes:

  • Sample Mathematica code with intentional issues
  • Unit tests with native coverage generation
  • Complete SonarQube integration
  • Documentation for reproducing the analysis

Pull Request

I have created a pull request to sonar-update-center-properties with the plugin metadata file (mathematica.properties).

Next Steps

I am available to:

  • Provide additional documentation or screenshots
  • Answer technical questions about the implementation
  • Make any necessary modifications to meet marketplace requirements
  • Participate in code review or security audit processes

Thank you for considering Wolfralyze for the SonarQube Marketplace. I look forward to bringing comprehensive Mathematica language support to the SonarQube community.

Best regards,
Bryan C. Everly

Hi Bryan,

Welcome to the community and congrats on your plugin!

And wow! I’ve never had an inclusion request that’s so comprehensive. :star_struck:

So, a few things:

This is actually a problem, and violates rule 3 of the requirements. I know keying the plugin to the name of the language seemed like the clear, straightforward, no-brainer thing to do, but well…

I suggest you re-key to your website: wolfralyze, altho it’s really completely up to you. It just can’t be just the name of the language. (community-mathematica is a bit long but otherwise acceptable, and we can stretch this time if you want to go this route.) Note that this isn’t just a change to your PR. You’ll need to change the key in your pom and re-build because the key in the artifact has to match the properties file name, or the data generation job will break.

Barring the testing, the rest of the bureaucratic requirements look fine.

On the topic of your PR, please take a look at the Update Center project README. You’ve been a bit enthusiastic with the properties in your plugin file. :sweat_smile: And don’t forget to register your plugin (once you’ve re-keyed it) in update-center-source.properties.

Can you provide a link to this project so I can download & test, please? I can go ahead & work on that before you re-key. (Note that I’m here today & tomorrow & then off the rest of the week, so there are likely to be some delays.)

Thx,
Ann

Ann,

Thanks so much for looking at this. Here is the URL: GitHub - bceverly/wolfralyze-test-project: This is a project that will be used by my SonarQube Mathematica plugin to demonstrate capabilities

Hi,

Thanks for the link. I didn’t feel like installing Mathematica, so I don’t know what the test import looks like. And what I did test looks good.

So we’re just waiting on a new/updated PR.

Ann

Ann,

I have updated the PR so I think that’s what you need. Please let me know and thanks again!

Bryan

Had to bump the version number to 1.0.2

Hopefully that’s not an issue. :slight_smile:

Hi,

Not at all. I do need another change to the PR tho.

Ann

Took care of it (I believe). Thanks for the help!

By the way, when I am approved and make a revision to my plugin, does it require manual work on your guys’ end? I was planning on setting up a GitHub Action that, after all of my CI completes successfully, would just push the new version. I don’t want to make a bunch of work for folks though.

Hi,

I merged your PR, but I’ve had to partially roll it back because you’re missing defaults.mavenGroupId and defaults.mavenArtifactId. Sometimes you can get away without them, but not this time, apparently. Check the README.

Regarding updates, you’ll need to submit a PR for each and there’s work on our (my) end to review and merge them and to click the button to run the file generation job. It’s not burdensome, so don’t hesitate to update as often as you like.

Ann

Awesome. Thank you for your help Ann. I submitted another PR to fix those properties so hopefully that cleans things up.

Hi,

You’re in! :tada:

Ann


Thanks Ann! I know that an admin sees plugins available within the application itself but is there a public website that lists all of the plugins available that I could point potential users to?

Bryan

@bceverly I think the closest you’ll get is the Plugin version Matrix!