This question set looks like an initial due-diligence, so it’s worth mentioning that the latest SonarQube version is 9.3 (with 9.4 expected in early April).
Ehm… sometimes. We support 29 languages and we don’t have infinite bandwidth. If you’d like to narrow this down to specific languages, I can maybe find a better answer.
SonarQube runs on Java, meaning it’s largely OS-independent.
Again, probably.
For web requests, it’s going to be a question of the resources you give it.
For analysis “requests”, i.e. if you’re running thousands of analyses per day, that’s going to be a question of edition (you’ll want Enterprise Edition ($$) or Data Center Edition ($$$$) details) and resources.
Sure
No. You’ll want to put something in front of it. To be clear, we don’t expect your SonarQube instance to be exposed to the Internet and subject to non-accidental abusive requests.
During UI browsing? Sure. During analysis report processing? Probably not. I don’t think this is something we’ve tested.
Everything’s stored in the DB. At worst, you’ll have to wait for your Elasticsearch indices to rebuild.
Yes, although you’ll have to transfer some very basic settings stored in a config file by hand to the new version/instance.
Huh?
Again, you’ll need to provide some details to get a good answer.
@ganncamp Thank you for the response! Regarding the detection rules: What’s the update policy on the rules? The security rules will be changing from time to time to catch the vulnerabilities. How does SonarQube accommodate the rule update?
As I mentioned, you’ll need to provide some details before I can respond on the rules. As I stated at the beginning, we have 29 languages and non-infinite resources.