Potential buyer with questions around SonarQube (SQ)

Looking at purchasing SonarQube, and we’ve been evaluating the community edition so far, but we need a few more feature so we’re looking at Developer or Enterprise. I have some questions:

  1. Our build times have gone from 3 to 4 mins to 18 mins or so, but with SQ sat on the same server as Azure DevOps. What steps could be taken to improve the build time - more memory, dedicated server, more disk space (SSDs), etc?

  2. The Developer edition shows injection flaws - what are the specific rules for that? With the addition of PL/SQL, will it pick up SQL injection attacks, for example? Can injection flaw rules be customised, or added to?

  3. In the Developer edition, can security (within SQ) be customised so only certain users can do certain things, e.g. mark issues as resolved?

  4. What does the increased Governance look like in Enterprise, or better still, what do SonarSource define as governance?

Thank you.

Hello @mkingscott,
Replying your questions:

  1. Of course you should split the Azure DevOps server and SonarQube, having both on the same server can put cpu, ram and disks under stress. You can also assign more memory to the scanner with the aid of the SONAR_SCANNER_OPTS environment variable and eventually more memory to the compute engine.
  2. You can find all the available rules at: https://rules.sonarsource.com/java/type/Security%20Hotspot?search=injection
    I applied a filter on the security hotspot with the injection keyword so you can see what we can do in Java. You can search for other languages too.
  3. Permissions are the same whatever the edition so it will not change with respect to what you already know.
  4. Governance will give you the ability to create portfolios and applications, have pdf reporting on it and to move projects from an EE instance to another.