What options are available using sonarqube to scan for code defects, bad practice, and security concerns in PostgreSQL DDL, SQL, and pl/pgSQL?
Research suggests there is no sonarqube scanner for PostgreSQL, can other scanners be used to validate e.g. SQL and DDL?
Is it possible to write our own rules (say using PMD)?
What options are there to use sonarqube to scan Postgres?
A similar question was last asked in 2019 here: Code analyzer or plugin for PL/pgSQL or pgSQL
Hey @mathewbutler
I’m not aware of any SonarQube plugins that accomplish this.
There appear to be some existing linting tools like GitHub - okbob/plpgsql_check: plpgsql_check is a linter tool (does source code static analyze) for the PostgreSQL language plpgsql (the native language for PostgreSQL store procedures)., if you were able to take that report and convert it to generic issue format, you might have something. You could also build a plugin around this (similar to how GitHub - sbaudoin/sonar-ansible: SonarQube plugin to analyze Ansible playbooks executes ansiblelint and then imports the report)
The project I work on is attempting to use the PLSQL scanner and modified rules to apply to Postgres plpgsql.
This isn’t ideal, but appears to give them some use.
The log file generated in the scan is very large though and the process takes quite a while.
There are a large amount of warn: Parse Error. One for each function/procedure declaration and BEGIN in the code. I expect this because the declarations in pg differ to oracle.
Is there some way to disable these checks?