Sonar Development vs SonarCloud free version

Hi team.

We have the SonarQube Development version as part of the security toolkit. We wanted to test Sonar's effectiveness, so we performed a set of tests over the OWASP Benchmark (it's just a Java project with different vulnerabilities (link)). The problem is that we got better results with the free version of SonarCloud.

Test data

• SonarCloud free version (Sonar way quality profile)
• SonarQube Developer Edition Version 8.5.1r (Sonar way and sonar way security quality profiles)

In all cases, Sonar way was used as quality gate.

Definition
Success: it is a true positive. It happens when a file has a vulnerability and SonarQube was able to detect this vulnerability.

Results with the configuration of your quality profile

• SonarCloud achieved a 40.28% success rate

• Sonar Development with the Sonar way quality profile achieved a 15.9% success rate

• Sonar Development with the Sonar way security quality profile achieved a 10% success rate

We would like to know if there is an alternative to improve Sonar's performance in detecting these vulnerabilities. I think it is a configuration issue, but I would like to get some ideas.

Hi,

Welcome to the community!

It’s not clear to me why you would test with 8.5.1. It’s past EOL. Please try again with 9.1. Its analysis should be nearly* comparable with SonarCloud.

Ann

*SonarCloud is updated more frequently than SonarQube is released, so it is naturally ahead of SonarQube at least some of the time.

Hi @ganncamp
The reason is that this is the license we bought and have installed, and I think that upgrading to version 9.1 requires buying another license.

Hi,

Licenses are to editions, not versions. If your license is current you can use it on any version without requiring a new license.

:slight_smile:
Ann