I am currently using sonarcloud.io to scan an open source project I’m working on.
How comparable are the built-in rules with the checks done by pmd & findsecbugs (spotbugs+find-sec-bugs) on Java code?
I have integrated both as external analyzers, and can see issues tagged findsecbugs & pmd in sonarcloud. I’m unclear how to filter them though, or how they feature in the metrics, and whether additional configuration is helpful.
How comparable is the sonar java scanner with proprietary tools like Fortify static analyzer (which also makes use of findbugs) both in terms of static code analysis, and bytecode analysis?
I’ve been comparing Fortify reports with sonar, pmd, findbugs.
So far the critical/high sev issues I’ve seen reported by Fortify by the Data Flow & Control Flow analysers are basically not appearing at all in Sonar, pmd, or spotbugs.
Looking for recommendations for any plugins/ways to close the gap (ideally sonarcloud). Maybe there aren’t any …
It’s not always easy to compare analysis tools: some are better in one domain, others in another. Here we can help you with SonarJava. For PMD, findsecbugs and Fortify I would advise you to check their community support.
So if you want, you can show some examples of issues found by Fortify and not found by SonarJava; maybe it’s possible to improve SonarJava.
I’m not sure there is a way to close that gap, at least on SonarCloud (as it’s not possible to install community plugins). Maybe you can find other tools whose reports you can import as external issues.
I’m really interested in having more details about the issues you would expect SonarCloud to discover. Today, our data flow engine is running in the background of the following rules for Java:
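To make the "data flow" distinction in this thread concrete, here is a constructed Java example (not code from the thread, from SonarSource, or from any of the tools discussed). It shows the shape of finding a data-flow engine has to track: an untrusted string passes through two helper methods before reaching a file-system sink, so a rule that only inspects each method on its own has nothing to match, while a taint-tracking rule can connect source to sink. The class, method and file names are all invented for the illustration, and nothing here asserts which of the tools named above does or does not report this pattern.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Constructed example: a tainted value travels through several methods
 * before reaching a file-system sink, in a vulnerable and a hardened form.
 */
public class TaintFlowDemo {

    // Source: stands in for a value read from an HTTP request parameter.
    static String untrustedParam(String raw) {
        return raw;
    }

    // Intermediate helper: looked at in isolation it does nothing suspicious,
    // which is exactly why a per-method pattern rule has nothing to flag here.
    static Path resolveReport(Path base, String name) {
        return base.resolve(name);
    }

    // Sink, vulnerable form: the tainted name reaches Files.readString unchecked,
    // so "../" segments in the input can read files outside the report directory.
    static String readReportUnsafe(Path base, String raw) throws IOException {
        String name = untrustedParam(raw);
        Path p = resolveReport(base, name);
        return Files.readString(p);
    }

    // Sink, hardened form: normalise the resolved path and enforce that it is
    // still contained in the base directory before performing the read.
    static String readReportSafe(Path base, String raw) throws IOException {
        String name = untrustedParam(raw);
        Path baseAbs = base.toAbsolutePath().normalize();
        Path p = resolveReport(baseAbs, name).normalize();
        if (!p.startsWith(baseAbs)) {
            throw new IllegalArgumentException("path escapes report directory: " + raw);
        }
        return Files.readString(p);
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: one file inside the report directory, one outside it.
        Path base = Files.createTempDirectory("reports");
        Path outside = Files.createTempFile("outside", ".txt");
        Files.writeString(base.resolve("ok.txt"), "monthly report");
        Files.writeString(outside, "not a report");

        // Relative path from the report directory to the outside file, e.g. "../outside123.txt".
        String escape = base.relativize(outside).toString();

        System.out.println(readReportSafe(base, "ok.txt"));   // monthly report
        System.out.println(readReportUnsafe(base, escape));   // reads the outside file: the bug
        try {
            readReportSafe(base, escape);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Run with `java TaintFlowDemo.java` (Java 11 or later). The point for the comparison in this thread is that both `readReportUnsafe` and `resolveReport` compile without warnings and contain no locally visible mistake; only an analysis that follows the value from `untrustedParam` through `resolveReport` into `Files.readString` can distinguish the unsafe method from the safe one, which is the kind of cross-method reasoning the "Data Flow" label refers to.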