SonarQube vs SonarScanner : what does what

Alexandre · March 21, 2024, 11:54am

Hi,

I’ve been searching around for information about what exactly role have SonarQube and SonarScanners and still I’m a bit confused.

FYI: I’m using SonarQube docker 10.3, sonar-scanner 2.7 and sonar-scanner-msbuild 5.15.0.

The two most relevant information I have are from the SonarQube documentation:

Analyzing source code overview

and a question from this forum:

What is the relationship between SonarScanner and Sonar code analyzer

Yet I still wonder: what actually are doing the SonarScanners ?

Do they simply send the code, the actual text, to SonarQube, and SonarQube runs the analysis and provides graphical display ?
Do they perform the code analysis and send the result to SonarQube ? In this case, is SonarQube just a graphical display of data sent by the wrapper ?

My last question depends on the answer to the above questions:

Why do we need wrapper, except for having unit test results, if it just sends files to SonarQube for static code analysis ? The underlaying question here is: wouldn’t it be faster to provide a given branch of a git repository for SonarQube to checkout it and perform its analysis ?

Thanks in advance for your time,
Alex.

Colin · March 22, 2024, 9:38am

Hey there.

The sonar-scanner orchestrates and runs the analysis, generating all the data (issues) that is sent to SonarQube for processing (tracking issues, computing measures, and integrating with other services such as running Webhooks or decorating pull requests).

With the sonar-scanner you would just have a list of issues. With SonarQube, you can track the state of your codebase overtime, manage the results, and make sure you focus on, for example, new code.

This is something that’s possible with SonarCloud + GitHub and Automatic Analysis, although it has some limitations described in the docs.

Alexandre · March 22, 2024, 10:01am

Hi,

Thanks a lot much clearer now !

Then if I fully understant how Sonar is working:

If I need compatibility with new cybersecurity issues: CWE and new OWASP that would be released after the OWASP-2021 I would have to update both the sonar-scanner for it to properly find the issues and the SonarQube to display the issue with the proper filter ?
If I need compatibility with a new language revision (let’s say C++24 or .Net 8.0) tht was not supported before, I simply need to update the SonarScanner as it is the one performing the analysis and SonarQube only manage the display ?

Regards,
Alex.

Colin · March 22, 2024, 11:12am

The sonar-scanner is occasionally updated to interact better with SonarQube, but ultimately it’s downloading all the logic from SonarQube. So you should keep the sonar-scanner updated, but for new rules and new language revisions, what really matters is the SonarQube version.

Alexandre · March 25, 2024, 8:23am

Thank you, you answered all my questions

system · April 1, 2024, 8:24am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
What is the relationship between SonarScanner and Sonar code analyzer SonarQube Server / Community Build	6	8931	January 6, 2020
Need info on how Sonar Analyzer works. Need architecture flow on how internally sonar analyzer scans code and lines of code SonarQube Server / Community Build sonarqube , scanner	7	1394	October 11, 2021
Detailed Explanation of Code Analysis Process in SonarQube SonarQube Server / Community Build sonarqube , scanner	2	33	August 5, 2024
Is it safe to use SonarQube regarding my source code? SonarQube Server / Community Build sonarqube , scanner	1	1068	December 29, 2022
SonarScanner .NET vs SonarScanner CLI for C# code SonarQube Server / Community Build scanner , github , dotnet , github-actions , roslyn	3	830	March 4, 2024

SonarQube vs SonarScanner : what does what

Related topics