Sonar Community - Enterprise edition query

As-is, I’m using Sonar 9.9 LTS. However, I got some queries when I was going to
Download | SonarQube to understand the latest.

  1. Community Edition says “Detect Bugs & basic Vulnerabilities” and Developer Edition says “Detection of advanced vulnerabilities including Injection Flaws”. I was going to multiple docs in sonar and could not find the difference between what is categorized as basic vs what is advanced. I believe it is a set of rules that may not be available. However, what rules are they? Examples?

  2. "deeper SAST" - Is it applicable for all editions including community?

  3. Compute engine performance - It says it may impact accuracy. What exactly is impacted?

Requested mandatory Info

  • 9.9 LTS
  • .zip
  • understanding differences between editions and why EE
  • Read docs

Thanks for clarification

Hi,

The ‘advanced’ vulnerabilities are those detected with taint analysis, which follows user input from its source, all the way through the program - across methods and classes - to where it’s used. ‘Basic’ vulnerabilities are those that can be detected just within the method (or sometimes the class) context.

Nope. Commercial editions only.

Per the docs you linked (emphasis mine),

may impact the accuracy of issue tracking between branches.

I believe this is about understanding what branch an issue started in, and probably which branch’s status (Open vs False Positive or Won't Fix) is authoritative. More here.

HTH,
Ann
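To make the basic-vs-advanced distinction in Ann's reply concrete, here is a toy taint analysis added as an illustration; it is not part of the thread and not SonarQube's engine. The mini-program, its statement forms (`source`, `copy`, `call`, `sink`) and the function names are constructed for the demo. Analyzing a method alone can only flag a flaw when the user input and the sink sit in the same method; following the call into the callee is what finds the cross-method flow.

```python
# Toy taint analysis over a constructed straight-line program (not SonarQube code).
# Each function: (parameter names, statements); statement = (op, dst, src).
#   source: dst receives user input        copy: dst = src (taint propagates)
#   call:   src = (callee, argument var)   sink:  src reaches a sensitive operation
PROGRAM = {
    # Source and sink in one method: a local ("basic") check can see it.
    "handler_local": ((), [("source", "q", None), ("sink", None, "q")]),
    # Source in the handler, sink two hops away inside run_query.
    "handler_cross": ((), [("source", "q", None), ("call", None, ("run_query", "q"))]),
    "run_query": (("sql",), [("copy", "stmt", "sql"), ("sink", None, "stmt")]),
    # Same shape, but the sink only ever receives a constant statement.
    "handler_fixed": ((), [("source", "q", None), ("call", None, ("run_fixed", "q"))]),
    "run_fixed": (("sql",), [("copy", "stmt", "LITERAL"), ("sink", None, "stmt")]),
}


def find_flows(func, tainted_args=(), interprocedural=True, _depth=0):
    """Return [(function, variable)] for every sink reached by tainted data.

    interprocedural=False models the single-method view: calls are not followed
    and a callee has no way of knowing whether its parameters carry user input.
    """
    params, body = PROGRAM[func]
    tainted = {p for p, is_tainted in zip(params, tainted_args) if is_tainted}
    findings = []
    for op, dst, src in body:
        if op == "source":
            tainted.add(dst)
        elif op == "copy":
            if src in tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)  # overwritten with clean data
        elif op == "call":
            callee, arg = src
            if interprocedural and _depth < 16:  # depth guard against recursion
                findings += find_flows(callee, (arg in tainted,), True, _depth + 1)
        elif op == "sink" and src in tainted:
            findings.append((func, src))
    return findings


if __name__ == "__main__":
    for name in ("handler_local", "handler_cross", "handler_fixed"):
        print(name, "basic:", find_flows(name, interprocedural=False),
              "advanced:", find_flows(name))
```

Run it and `handler_cross` is reported only by the interprocedural pass, while `run_query` analyzed on its own reports nothing because it cannot tell that `sql` is user-controlled.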