Q: Security-related rules - community vs free cloud vs Team plan

Must-share information (formatted with Markdown):

  • which versions are you using (Community Build v26.5.0.122743, Scanner sonar-scanner-8.0.1.6346-linux-x64)

  • how is SonarQube deployed: Docker

  • what are you trying to achieve: I ran a PoC with Community version. I’m trying to understand if commercial Team plan will find more security-related issues.

    I have a PHP Laravel project (~600K lines). The SonarQube Community Edition report shows 125 findings under the “Security” category, including 3 Blocker and 18 High severity issues.

    My question: does this generally indicate that the codebase is in relatively good shape, or is it likely that the Team plan would detect significantly more issues?

    For example, regarding SQL injection: the PHP rule “Use prepared statements to securely construct SQL queries” is enabled, but the scan reports zero issues. Could the Team plan’s additional analysis capabilities find SQL injection issues that are not detected in the Community Edition?

    I’m trying to understand how much additional security coverage the Team plan provides compared to Community Edition for a large Laravel codebase.

Hi,

It absolutely will. Taint analysis rules (injection detection) aren’t available in Community Build.

Reach out to contact@sonarsource.com if you’d like to do a 14-day free trial of Developer Edition($).

And as a side note, if at the end of the trial you decide to downgrade back to Community Edition, there won’t be any cleanup to do. Upgrade and downgrade are seamless.

HTH,
Ann
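As an added illustration (not code from this thread or from SonarSource), here is the shape of code that a rule inspecting only the query call and a taint rule following request data to the SQL sink see differently. It uses plain PDO with an in-memory SQLite database so it runs offline; the helper names and the constructed input are assumptions standing in for Laravel's `DB` facade and `$request->input()`.

```php
<?php
// Added example: why a rule that only looks at the query call can report
// zero findings while a data-flow (taint) rule would flag the same code.
// In-memory SQLite so it runs offline; the "request input" below is a
// constructed value standing in for $request->input('id') in Laravel.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed stand-in for untrusted request input (the taint *source*).
$untrustedId = '2';

// Risky shape: the concatenation happens in a helper (hypothetical name),
// so at the query call ($pdo->query) a rule that inspects only that call
// sees a plain variable, not string building. Only an analysis that follows
// $untrustedId from the source, through buildUserQuery(), into the *sink*
// reports this flow.
function buildUserQuery(string $id): string {
    return "SELECT name FROM users WHERE id = " . $id;  // tainted SQL text
}
function findUserUnsafe(PDO $pdo, string $id): ?string {
    $row = $pdo->query(buildUserQuery($id))->fetch(PDO::FETCH_ASSOC);
    return $row['name'] ?? null;
}

// Hardened shape: the SQL text is a constant and the value travels as a
// bound parameter, so request data never reaches the SQL parser as code.
// The Laravel equivalent is DB::select('... WHERE id = ?', [$id]).
function findUserSafe(PDO $pdo, string $id): ?string {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row['name'] ?? null;
}

echo "unsafe path: " . findUserUnsafe($pdo, $untrustedId) . PHP_EOL;
echo "safe path:   " . findUserSafe($pdo, $untrustedId) . PHP_EOL;
```

Both paths return the same row for ordinary input; the difference is that only the prepared-statement version keeps the query structure fixed regardless of what the request carries.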

Thank you!

> 14-day free trial of Developer Edition($).

Do you mean Team plan?

Hi,

You filed this under SonarQube Server / Community Build. For server, there’s Developer Edition. For SonarQube Cloud, there’s the Team plan and all the rules are actually provided in all plans on Cloud. So for this particular question, how you frame it really matters. Are you looking at on-prem/self-hosted or SaaS?

Ann