SonarQube and ISO 5055

Hi,

Do you know about ISO 5055 (cf. https://www.iso.org/standard/80623.html)?
It is a 2021 standard for automated code quality measurement.
SonarQube should implement this standard and produce reports telling the user the quality/correctness based on the standard (next to the one based on customized quality rules), so that we could have both the standard's quality evaluation and the project/enterprise-configured evaluation.

Regards,

Hello,

We are aware of this new ISO document, which was published recently, in March 2021.
There is no short-term plan to provide a report in SonarQube showing whether your software is compliant with this recent standard.

Alex

Hello,

I understand that it is not in the short-term roadmap since it is quite new, but what about the longer term, like in one year?
Do you think, in the future, you will invest in this topic?

Regards,

We prefer to invest in providing good coverage of the CWE Top 25, which is refreshed every year and based on data gathered from real past vulnerabilities.

hi there,

I was just skimming through the number of checks that are listed in this new ISO/IEC standard (it is quite huge, imo - see here)

I, also, was a bit disappointed to see the question @nico7 asked kinda … dodged?

Compliance with a standard might be more persuasive - to some - than providing good coverage of a "community-developed list of software and hardware weakness types" (a.k.a. CWE Top 25)

So even if you prefer to invest in providing good coverage of … CWE Top 25 … do you think, in the future, you will invest in this topic?

cheers
Daniel

Hello,

Sorry if I was not clear. We have no plan as of now to provide a report checking whether your code has problems related to the 197 CWEs (I counted) listed in the ISO 5055 document. You can certainly build such a report yourself using the SonarQube API. We also have no plan to implement the metrics defined in the document.

Alex

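The "build such a report yourself using the SonarQube API" suggestion in the reply above, worked out as an added example (this is not SonarSource code and was not posted in the thread). It assumes the Web API endpoints api/issues/search and api/rules/search with their componentKeys, cwe, resolved, ps, p, activation and qprofile parameters as documented for recent SonarQube versions; TARGET_CWES is a placeholder subset, not the 197 CWEs of ISO 5055; and fake_get, with the constructed tables beside it, stands in for a live server so the script runs offline.

```python
"""Per-CWE report from SonarQube data: issues found AND whether any active
rule can find that CWE at all. Added example, not SonarSource code.

Assumptions (not from the thread): api/issues/search and api/rules/search
parameters as documented in recent SonarQube versions; a user token sent as
the basic-auth user name; TARGET_CWES is a placeholder, not the real list.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable

Getter = Callable[[str, dict], dict]   # (api path, query params) -> parsed JSON

# Placeholder subset standing in for the ISO 5055 CWE list (assumption).
TARGET_CWES = ["79", "89", "476", "120"]
PAGE_SIZE = 500        # assumed maximum ps for api/issues/search
MAX_RESULTS = 10_000   # assumed API ceiling on p*ps; split bigger queries (e.g. per directory)


def make_http_getter(base_url: str, token: str) -> Getter:
    """Return a getter that calls a real SonarQube server with a user token."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def get(path: str, params: dict) -> dict:
        url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get


def count_issues_for_cwe(get: Getter, project_key: str, cwe: str) -> Dict[str, int]:
    """Count unresolved issues for one CWE in one project, by severity, paging as needed."""
    counts: Dict[str, int] = {}
    page = 1
    while True:
        data = get("api/issues/search", {
            "componentKeys": project_key, "cwe": cwe,
            "resolved": "false", "ps": PAGE_SIZE, "p": page,
        })
        for issue in data.get("issues", []):
            counts[issue["severity"]] = counts.get(issue["severity"], 0) + 1
        if page * PAGE_SIZE >= min(int(data["paging"]["total"]), MAX_RESULTS):
            break
        page += 1
    return counts


def active_rule_count_for_cwe(get: Getter, qprofile_key: str, cwe: str) -> int:
    """Number of rules active in the given quality profile that are mapped to this CWE."""
    data = get("api/rules/search", {
        "cwe": cwe, "activation": "true", "qprofile": qprofile_key, "ps": 1,
    })
    return int(data["total"])


def build_report(get: Getter, project_key: str, qprofile_key: str,
                 cwes: Iterable[str]) -> Dict[str, dict]:
    """One row per CWE. Zero issues with zero active rules is 'not covered', not 'clean'."""
    report: Dict[str, dict] = {}
    for cwe in cwes:
        issues = count_issues_for_cwe(get, project_key, cwe)
        rules = active_rule_count_for_cwe(get, qprofile_key, cwe)
        if rules == 0:
            status = "not covered"
        elif sum(issues.values()) == 0:
            status = "clean"
        else:
            status = "findings"
        report[f"CWE-{cwe}"] = {"active_rules": rules, "issues": issues, "status": status}
    return report


# --- constructed fake server responses so the example runs offline -----------
_FAKE_ISSUES = {"79": ["MAJOR", "MAJOR", "CRITICAL"], "89": [], "476": [], "120": []}
_FAKE_RULES = {"79": 3, "89": 2, "476": 1, "120": 0}


def fake_get(path: str, params: dict) -> dict:
    """Stand-in for the Web API; answers come from the constructed tables above."""
    cwe = params["cwe"]
    if path == "api/issues/search":
        sev = _FAKE_ISSUES[cwe]
        return {"paging": {"pageIndex": params["p"], "pageSize": params["ps"], "total": len(sev)},
                "issues": [{"key": f"issue-{n}", "severity": s} for n, s in enumerate(sev)]}
    if path == "api/rules/search":
        return {"total": _FAKE_RULES[cwe], "rules": []}
    raise ValueError(f"unexpected path {path}")


if __name__ == "__main__":
    # Against a real server: get = make_http_getter("https://sonar.example", "<token>")
    for name, row in build_report(fake_get, "demo-project", "demo-profile", TARGET_CWES).items():
        print(f"{name:<8} {row['status']:<12} rules={row['active_rules']} issues={row['issues']}")
```

The point of querying api/rules/search alongside the issues is the column a compliance reader actually needs: a CWE with no issues is only "clean" if the quality profile contains a rule that could have flagged it, otherwise the report is silent rather than reassuring. Querying one CWE at a time keeps the mapping to the standard's list explicit and avoids depending on which fields a given SonarQube version attaches to each issue.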

Thank you for the clarification @Alexandre_Gigleux!
(Oh, and to @nico7 too, for bringing this ISO standard to my attention :nerd_face: 197 seems like a lot to chew on, actually :sweat_smile:)

How do you plan to implement all 197 CWEs? Is using multiple tools one of the strategies?

Please look at TIOBE (www.tiobe.com), which checks 73% of ISO 5055, or CAST (www.castsoftware.com). I think CAST will check 100% of ISO 5055.