Do you know about ISO 5055 (cf. https://www.iso.org/standard/80623.html)?
It is a 2021 standard for automated code quality measurement.
SonarQube should implement this norm and produce reports telling the user the quality/correctness based on the norm (next to the one based on customized quality rules), so that we could have both the norm quality evaluation and the project/enterprise-configured evaluation.
We are aware of this new ISO document that was published recently, in March 2021.
There is no short term plan to provide a report in SonarQube showing if your software is compliant with this recent standard.
I understand that it is not in the short-term roadmap since it is quite new, but what about a longer term, like in one year?
Do you think, in the future, you will invest in this topic?
We prefer to invest in providing good coverage of the CWE Top 25, which is refreshed every year and based on data gathered from real past vulnerabilities.
I was just skimming through the number of checks listed in this new ISO/IEC standard (it is quite huge, imo - see here).
I was also a bit disappointed to see the question @nico7 raised get kinda … dodged?
Compliance with a norm might be more persuasive - to some - than providing good coverage of a “community-developed list of software and hardware weakness types” (a.k.a. CWE 25).
So even if you prefer to invest in providing good coverage of … CWE25 … do you think, in the future, you will invest in this topic?
Sorry if I was not clear. We have no plan as of now to provide a report checking whether your code has problems related to the 197 CWEs (I counted) listed in the ISO 5055 document. You can certainly build such a report by using the SonarQube API. We also have no plan to implement the metrics defined in the document.
Thank you for the clarification, @Alexandre_Gigleux!
(Oh, and to @nico7 too, for bringing this ISO norm to my attention. 197 seems like a lot to chew on, actually.)