SonarQube runs on Java, meaning it’s largely OS-independent.
For web requests, it’s going to be a question of the resources you give it.
For analysis “requests”, i.e. if you’re running thousands of analyses per day, that’s going to be a question of edition (you’ll want Enterprise Edition($$) or Data Center Edition($$$$) details) and resources.
No. You’ll want to put something in front of it. To be clear, we don’t expect your SonarQube instance to be exposed to the Internet and subject to non-accidental abusive requests.
During UI browsing? Sure. During analysis report processing? Probably not. I don’t think this is something we’ve tested.
Everything’s stored in the DB. At worst, you’ll have to wait for your Elasticsearch indices to rebuild.
Yes, although you’ll have to transfer some very basic settings stored in a config file by hand to the new version/instance.
Again, you’ll need to provide some details to get a good answer.
@ganncamp Thank you for the response! Regarding the detection rules: What’s the update policy on the rules. The security rules will be changing from time-to-time to catch the vulnerabilities. How does sonarqube accommodate the rule update?