[NEW RELEASE] Sonar Cloudformation plugin 1.0.2

Hi,

I have just released a new version of the Sonar Cloudformation Plugin:

best regards

Hi,

Is the implication here that you’d like the plugin to be included in the Marketplace?

 
:slightly_smiling_face:
Ann

Hi,

If it is possible, I would like the plugin included in the Marketplace.

I have added a PR in the sonar-update-center-properties repo: https://github.com/SonarSource/sonar-update-center-properties/pull/50

The plugin complements the YAML plugin, since CloudFormation templates analyzed by cfn-nag are always in YAML format.

Best regards James

Hi James,

The check sweep of the requirements looks good. I’ve asked for some changes on your PR.

For initial Marketplace entry I need to test. Can you provide a project that has a report file available? I’m too lazy to be eager to install all the underlying tooling. :smiley:

 
Ann

Hi,

The project itself contains some report files used for tests: https://github.com/Hack23/sonar-cloudformation-plugin/blob/master/src/test/resources/cfn-nag-scan.nagscan , the result of cfn-nag on https://github.com/Hack23/sonar-cloudformation-plugin/blob/master/src/test/resources/CloudTrailAllAccounts.yml .

Please let me know if it’s enough or I can create another sample project.

best regards James

Example project using the plugin https://www.hack23.com/sonar/project/issues?id=com.hack23.cia%3Acia-all&languages=cfn&resolved=false

Hi James,

I’ve had a chance to analyze with your test files (thanks!). First, analysis worked well, and your rules look good.

There are a couple things that need addressing:

You appear to have defined Cloudscan as a new language(?). At least it shows up as such on the Quality Profiles page and on the Rules page. Since we’re actually dealing with .yml files here, then these need to be treated as YAML rules, and your default profile needs to show up under YAML.

Additionally, I see that you’ve added two new administration categories under General settings: Cloudformation, and Sonar cloudformation plugin. Since these are both about subsets of YAML files, I think they should be moved under the YAML category.

 
Ann

Thanks for the feedback, will resolve the issues and release a new version during the weekend.

best regards James

One problem with not defining a separate language is that it is not possible to define specific quality profiles. So if I have a default YAML quality profile, I will need to add all CloudFormation rules there as well.

CloudFormation is a DSL in YAML format, so the rules above only apply to a very small subset of YAML.

Is there any other workaround to be able to have specific quality profiles without a language?

best regards James

Hi James,

You don’t have to have your own language to define a profile. :smiley:

I’m struggling to recall which “external analyzers” define extra profiles for their languages (maybe FindBugs?) but I believe the PHP analyzer provides multiple profiles. Both are open source, so you could take a page out of their books.

What you can’t do without your own language is make your profile the default, but as you say your rules apply to only a subset of YAML files, so you wouldn’t want to do that anyway.

 
Ann

Hi,

Thanks for all the feedback, but I will close my pull request for the Marketplace.

Like having a default profile for CloudFormation, changing this would make it harder to use the plugin for my own use cases.

best regards