Security procedures in SonarLint development


The company I work for is considering starting to use SonarLint. We do, however, have a quite strict evaluation process for each 3rd-party piece of software we use. To do that we need a bit of information on the SonarLint development process, in particular how it is ensured that the application contains no vulnerabilities (e.g. code reviews, dependency management, static code analysis) and what information the application sends back to the vendor or any 3rd parties. Can you provide us with these details? Thanks in advance

Hi @zaitsxl , and welcome to the community.

We don’t provide details about our internal development processes except in the context of a commercial relationship relating to the SonarQube commercial editions. I think this is the first time we have received such a request for SonarLint.

SonarLint is a free, open-source product, so you are free to conduct your own audit of the code, which is all available on GitHub.

We have a telemetry mechanism to monitor performance and feature usage. You can see an example of the payload here.

