Our usual practice is to post the consolidated Q&A from a webinar here in the community afterward. It has taken a little longer this time because we wanted to include the questions from all three editions of the City Tour, but now we’re finally ready. There’s a lot here, so I’ll start with a table of contents:
Q. Does the SAST scan understand Azure Functions /AWS Lambdas ?
Q. OWASP Top 10 2021 was published recently. Do you have a roadmap for mapping the new items?
A. The CWE Top 25 2021 was published in late July and the very next version of SonarQube, 9.1, included that report. For the OWASP Top 10 2021, work has already started, and we’re hoping to begin delivering in early 2022.
Q. What’s the difference in breadth (language coverage) and depth (CWEs) between SonarSource products (SonarQube, SonarCloud, SonarLint)?
A. All our products share the same analysis engine (and when connecting SonarLint to SonarQube or SonarCloud, the exact same versions of analyzers). Some advanced issues (like injection vulnerabilities) require a SonarQube/SonarCloud analysis. A high-level overview of Code Security support across various languages (divided by OWASP Top 10 category) is available here: SonarQube covers the OWASP Top 10 | SonarQube
Q. Was your SAST solution developed internally ?
A. It’s entirely developed internally. We believe it’s the only way to keep control over what we deliver and drive the innovation
Q. Can I move a Security Hotspot to the Vulnerability category?
A. Changing the category can confuse the action developers need to take to resolve a Security Hotspot, so that’s not available. Security Hotspots require a review and Vulnerabilities require a code fix. If you feel a Hotspot is a true vulnerability you should make a code change and then mark it as “Fixed” in the UI.
Q. We develop in Scala and would like to use SonarQube for SAST analysis of our Scala projects. But there aren’t any rules yet. Are there plans for adding Scala SAST rules?
A. While we are continually improving our capabilities, additional SAST languages aren’t on our short-term roadmap. We encourage you to make a suggestion via our Community (https://community.sonarsource.com) and our Roadmap page.
Q. Besides your SAST analysis, do you have plans to cover other aspects of security such as DAST, IAST, and SCA?
A. At SonarSource we do static analysis, so SAST is natural for us, and our focus and determination have very much been on offering the best possible SAST engine possible! DAST AND IAST just aren’t in scope for us. Nor is traditional SCA (database of vulnerable against dependencies). However pushing SAST even further can lead to interesting opportunities to uncover vulnerabilities in the dependencies themselves and that’s something we’re exploring.
Q. What is the differentiation between SAST Coverage in Community and Commercial Editions.
A. Community Edition includes all our Security Hotspots plus important Security Vulnerability rules that are foundational to a secure code base. Commercial editions add taint analysis rules that follow user-supplied data through your code’s execution flow to detect tricky injection vulnerabilities. Thus they go a good bit further toward securing your code, your assets and your users.
Q. What kind of product certifications (E.G. ISO, CFR) can SonarSource help me with?
A. While we don’t offer any particular certification, we do tag our rules with the certifications that they’re relevant for. For example, take a look at a language like C++ on our rules site, you can see how you can filter by the misra tag: Rules explorer.
Q. Can you talk about your SAST scanning rules and where your analysis stands with regards to the OWASP benchmark and your competitors?
A. We don’t make direct comparisons with competitors because when making such comparisons everyone’s going to choose the standard or test that makes them look best. Instead, we invite you to request a free trial license and make your own comparisons. Because the only thing that really matters about a SAST analyzer is how it performs for you on your code. When you make that comparison we ask only that you not take raw issue counts as the measure of effectiveness. Instead, examine all the “extra” or “missing” issues to see whether they’re true or false positives. Regarding benchmarks, you may be interested in this tech story written by our Security Product Manager: Takeaways from building a SAST product, and why OWASP benchmark is not enough [Tech Story] Takeaways from building a SAST product, and why OWASP benchmark is not enough - #3 by Alexandre_Gigleux. And we are actively seeking inputs and suggestions on the benchmarks you are using that could help us improve our engine. Security Benchmarks - Calling for your input & suggestions!
DevOps Platform integrations
Q. Can you point me to the documentation on pull request decoration?
A. The answer will depend on the DevOps platform integration you are considering. Currently we provide PR decorations for : GitHub Enterprise and GitHub.com, GitLab Self-Managed and GitLab.com, Bitbucket Server, and Azure DevOps. More details can be found in our doc here : Pull Request Analysis | SonarQube Docs
Q. How do I break my build when the Quality Gate fails?
A. Take a look at this documentation: Overview | SonarQube Docs
Q. Do you integrate with Copado?
A. We don’t have specific integrations for Copado, but analysis is triggerable from any CI/CD. It’s just that it will be a more manual process to get it set up.
Q. Can we integrate SonarQube and GitHub without using GitHub Actions?
A. Yes! GitHub integration can be used without Github Actions: GitHub Integration | SonarQube Docs. Internally, that’s what we do ourselves
Q. In Enterprise Edition I can configure multiple instances of a DevOps Platform (e.g. multiple instances of Azure DevOps). How does project onboarding work with that?
A. That’s a limitation of our current implementation. We’re aware of it and this is something we are looking at for the future.
Q. Does MR decoration in Gitlab require the use of Gitlab CI?
A. Not at all! We’re aware that Jenkins is very popular with GitLab users and it’s well supported too.
Q. Would it be possible to modify the on-boarding procedure to take in account our specific tools (for example such as our own Gitlab-ci templates)?
A. Gitlab, Jenkins and Azure DevOps are all supported CI platforms that will generate basic pipelines for you at the end of the onboarding process.
Q. For projects created from CI is there any way to choose the Quality profile from sources/analysis configuration, and more generally any analysis settings?
A. In fact, most aspects of analysis are configurable via analysis parameters. The exceptions are Quality Profile and Quality Gate selection. Those need to be configured via the UI.
Q. What is your monorepo support?
A. Specifically in SonarQube v8.9 LTS, SonarQube supports Pull Request decoration when multiple builds/SonarQube analyses are triggered for a single repository. Monorepo support for PR analysis is available in Enterprise Edition and above starting in SonarQube 8.9 LTS.
Q. Which versions and editions offer Docker and Kubernetes support?
A. All editions offer Docker support from version 8.9 and above. Similarly, Community Edition, Developer Edition, and Enterprise Edition support Kubernetes from 8.9. Kubernetes support is currently (SonarQube 9.1) in Beta, with an expected GA release with 9.3, E.T.A. mid-January.
Q. Can you please provide the link to docker image for CI and the official Helm chart?
A. "You can find the Helm linked here in our documentation along with lots of additional information:
If you are using one of our supported DevOps platforms, the scanner image is available as part of the project onboarding within SonarQube or from their marketplace.
Otherwise, each scanner is listed here, including the Docker image version - which can be integrated into a CI:
Github - GitHub Integration | SonarQube Docs
Gitlab - GitLab Integration | SonarQube Docs
Azure - Azure DevOps Integration | SonarQube Docs
Bitbucket Server - Bitbucket Server Integration | SonarQube Docs
Bitbucket Cloud - Bitbucket Cloud Integration | SonarQube Docs
Q. The 18-month LTS cycle is quite long. This prevents enterprises like us (who want to stay on LTS versions) from using new features/improvements. Are there any plans to reduce this cycle time and release LTS more often ?
A. "Well, “long” is a matter of perspective. Some customers ask for a longer LTS period than 18 months. Choosing between LTS and Latest is a balance between stability and features. If you want new features more often than every 18 months, you might want to reconsider your policy of sticking with the LTS.
Q. Starting with LTS 8.9 coding rule false positives are no longer fixed in LTS versions. This is a pain for our company and for our developers. Will this decision be reverted?
A. If you’ve decided to not be on the latest and greatest version of SonarQube but to adopt the LTS version, you’ve most probably adopted it for its stability. We realized it doesn’t make sense to support language upgrades in the LTS since they can have a strong impact on the issues that are raised for your projects. The LTS offers fixes for the most severe issues. We don’t anticipate much traction on the need to backport false-positive fixes to the LTS. However, should you have a case, we encourage you to raise a comment on this specific one and explain why you think it deserves to be fixed in the LTS.
Q. What are the differences between the open source Community Edition and Enterprise Edition? A few of the injection detections (crucial for SAST) are only available in Enterprise. Also reporting seems to only be available in Enterprise Edition. And what about PR analysis and decoration?
A. "In fact, both PR decoration and taint analysis are available starting in Developer Edition, but reporting is only available starting from Enterprise Edition. The Plans and Pricing page is a great place to learn more about the differences in the versions: Plans & Pricing | SonarSource
Q. What versions are fully supported? In the past only the LTS version was supported. Is that still the case?
A. Both the LTS and the Latest version are fully supported for all editions. The thing to be aware of is that if you move from the LTS (8.9.2) to the Latest version (currently 9.1) you’re committing to upgrading approximately every two months to stay on the latest version. With great power comes great responsibility. Read more about what an LTS version of SonarQube means here: SonarQube Long Term Support version | SonarQube
Q. Is the reporting included in Enterprise Edition configurable, or fixed-format?
A. They are fixed format . If you want something more customizable, you will have to build up your own report from the different Web API we provide (Web API are documented from footer pages of your SonarQube instance). It will involve you convert the Web API output (JSON) into your report format (e.g PDF)
Q. Can we group the projects into different project groups to be able to measure a general situation of the metrics of each group?
A. It sounds like you’re looking for Applications and Portfolios, features of the Developer and Enterprise Edition of SonarQube respectively, which provide this kind of reporting.
Q. My organization uses sonarqube. How can I reach out to the support team if technical support is needed?
A. If you have purchased a commercial license and support, your organization was given access to our Support helpdesk. Your instance administrator will likely have the details. However, anyone can leverage our Community site: https://community.sonarsource.com/. It’s a great place to find all kinds of information, ask questions and learn about new SonarQube features.
Q. As you mention that in 9.1 you are also providing support for cloud like AWS lambda. How about support for Google cloud and azure cloud
A. "Support of Azure and Google Cloud Functions is also in the roadmap for the 9.x series.
Q. What about C++/C# shared build projects?
A. This case is covered in our documentation - see C/C++/Objective-C | SonarQube Docs
Q. No Kotlin support?
A. In fact, the LTS includes Kotlin support and we’re making Kotlin one of our focuses for the 9-series and have already added significant new rules for Kotlin in 9.0 and 9.1 with more to come!
Q. Any plans to support Go in future releases?
A. We already support Go! See the rules site for a full list of available rules: Rules explorer
Q. What about XCode?
A. Generally speaking on the topic: we most definitely support analysis of Objective-C and Swift, which are the programming languages you’d generally use with XCode. You can see the rules we offer for those on https://rules.sonarsource.com/. And additional feedback/questions are welcome on https://community.sonarsource.com!
Q. Could You give us more info about SQL support?
Q. What are the technologies supported for Infra as Code. Does it cover ARM Templates, etc?
A. With SonarQube 9.2 we’ll begin supporting Terraform and CloudFormation. ARM Templates are supported to determine the entry points of AWSLambdas. This is used by our injection engine to detect vulnerabilities in your AWS Lambdas written in JS (from SonarQube 9.1) and Python soon (in 9.2).
Q. How do you use the Terraform analysis in SonarQube?
A. Terraform analysis will be available starting with SonarQube 9.2 (9.1 is currently the Latest release). Once it’s available, using it will just be a matter of running a standard analysis.
Q. What new code languages have been introduced since SQ 8.1
A. No new languages have been introduced in the 8.x version of SonarQube, but you’ll find heaps of updates to existing languages (see point #4 here: https://blog.sonarsource.com/sonarqube-lts-89-extra-features).
Q. Can we scan Dockerfiles? Kubernetes manifests? What about adding support for more languages, like Dart, Erlang, R, Fortran, Powershell and Groovy?
A. "We don’t currently have plans to add any more languages in the near future. Scanning of Dockerfiles and Kubernetes files are our next targets in the context of securing InfraAsCode (IaC). We will look at that once we’ve made progress on AWS, Azure, and GCP. We received a lot of requests to support Dart/Flutter from mobile developers, so there is a great chance that we will add it to the plan for 2022 in the context of Secure Mobile Apps.
Q. We have seen that the support .NET application is a bit cumbersome. Do you have some recommendations on this?
A. Analyzing .NET solutions does require some additional work as it’s a compiled language, and the analyzers run during the compilation. That said, various CI integrations (Overview | SonarQube Docs) are offered that should help you configure analysis more easily. Need more help? Reach out on the Community: https://community.sonarsource.com/. We also have community guides on our Community Forum. You can check the .NET specific ones here: Topics tagged dotnet
Q. In 8.9 analysis with security rules is slow, especially for Java. It was much faster on 7.9. When can we expect rule optimization?
A. Since 7.9 we’ve added more taint analysis rules and we’ve rewritten the taint analysis engine to do a deeper, more thorough analysis. So there is a natural and expected impact on the speed of analysis. That said, we have found that running analysis with Java 11 is faster than with Java 8. Also, we significantly optimized the performance of our taint engine in SonarQube 9.1, which runs taint analysis rules 50% faster on average than 8.9 (The security analyzer runs faster than ever on SonarCloud 🚀).
Q. Can you explain how analysed LOC are computed? For example for GO projects, are
vendor/* folders scanned, accounted for?
A. The scope of code will mostly depend on how your analysis is configured. As shown in our documentation on “Narrowing the focus” (Narrowing the Focus | SonarQube Docs) you can be specific in how you include/exclude some part of your source code. Only files that match some file extensions (like .go) will be considered for the LOC by the Go analyzer.
Q. What’s the granularity of the new Project PDF report? Are there details of the Security issues or just general metrics?
A. The new Project PDF report contains an overview of new code metrics and categories of issues. Information on specific issues remains in the SonarQube UI. However, the Security reports do offer more detailed information on the types of outstanding Vulnerabilities and Security Hotspots.
Q. What will the format of the audit trailing be? Will there be a UI or just a log?
A. In SonarQube 9.1 we’ve added a downloadable log in a JSON format, ready for parsing and importing into other tools.
Q. Do you have any plans for creating more reports in the Developer edition of SonarQube?
A. We do have plans to add more reports, but not in Developer Edition. We tend to consider reporting an enterprise level feature. You can view features under consideration on our public product board. Under consideration - SonarQube | Product Roadmap"
Q. How can you fix the issues from the last analysis?
A. You can always resolve an issue in the code by fixing it in the code and letting the analysis run again. Warnings that are specific to an analysis are the same but they are context sensitive to your particular environment. We recommend you bring these kinds of issues to our community forum https://community.sonarsource.com/. This is the best place to gather more info."
Q. Can you assign different Quality Gates to different branches of a project? Say I only want /release branches or /feature branches to have Quality Gate enforcement. **
A. Every branch and pull request of a project uses the same Quality Gate.
Q. Can analysis smartly detect that there were no changes in the code and then skip analyzing?
A. The assumption is that if you trigger analysis you want analysis to run. We haven’t built any short-circuit mechanisms and we aren’t contemplating adding any.
Q. Can we send a QE functional test code coverage report of the project to SonarQube? What about regression test metrics such as code coverage of dynamic tests?
A. At this time, we only support unit test type code coverage reports. However you can always submit an idea here: SonarQube | Product Roadmap
**Q. Is there any plan to allow configurable ‘main’ branch names per project? With different teams using different development methodologies and an industry move towards updating terminology (master → main, etc), it’s not always practical to have one setting apply to the whole instance. **
A. For repos we’re aware of this and that’s why new projects that are on boarded from your DevOps platform take the main branch name directly from your repository. We also have plans to allow you to rename the main branches of established projects.
Q. Any major improvements with SonarLint ?
Q. You can have a look at what’s delivered and what is next to come at Product Roadmap | SonarLint. What’s more you can comment, upvote features we are currently considering and even propose new ones!
We have initiated a Shift Left Code Quality and Security program with our developers and urge them to adopt SonarLint within the IDE and to use it in connected mode to apply the same ruleset in-IDE that’s applied by SonarQube. Is there any SonarQube functionality to see the adoption of SonarLint among our developers?
A. Right now, the only way to track SonarLint adoption is by trying to parse the access.log of their SonarQube instances. A feature request exists to make this available in a structured way: A feature request can be tracked here: [FR-21] Help SQ Admins track SonarLint adoption - SonarSource
Q. When SonarLint is linked to SonarQube in connected mode, are new rules added in SonarQube automatically reflected in SonarLint? Or when we upgrade SonarQube we need to upgrade SonarLint too?
A. With connected mode, rules available in a new SonarQube version are automatically reflected in SonarLint (without the need to update SonarLint) for most languages. Notable exceptions are: C, C++, C# and VB.NET. In any case, we strongly advise to always keep SonarLint updated to the latest version, in order to benefit from the latest improvements and bug fixes.
Q. What about Security Hotspots? Can we get them raised in SonarLint too?
A. Since SonarQube 8.6 (rolling into 8.9 LTS), it is possible to open Security Hotspots from the SonarQube UI (where developers start their review of Security Hotspots) into the IDE for investigation within the context of the code. Still, the detection of Security Hotspots and the Review actions are only available in SonarQube for the time being. We’re considering extending this functionality directly in SonarLint in the future.
Q. When you repair a Security Hostpost, its possible to see in the IDE window that the repair is ok, without another analysis in SonarQube?
A. Security Hotspots are not always issues to be “fixed” — but highlighting parts of code that need to be reviewed (and have a disposition marked in SonarQube). If after review, you change the code to make it safe, it is up to you to mark the Hotspot as “Fixed”. Although we are considering bringing the Security Hotspots review functionality to SonarLint, for the time being you need to do that in SonarQube.
Q. From a features perspective, what should we look at when choosing between SonarQube and SonarCloud?
A. Using SonarCloud entirely removes the burden of hosting and managing the service. But there are some features SonarQube offers that aren’t available in SonarCloud, including reporting, and the ability to connect to your internally hosted systems, such as GitHub Enterprise and LDAP for authentication. You’ll find more details in this blog post we wrote on the topic a few years ago: https://blog.sonarsource.com/sq-sc_guidance
**Q. Where is SonarCloud hosted? **
A. SonarCloud is hosted in the EU. You can find more details here: https://sonarcloud.io/documentation/appendices/security/
Q. How long does it take before the benefits in a new SonarQube version show up in SonarCloud? Are there plans to add SonarQube’s Enterprise Edition features to SonarCloud?
A. Most new language analysis features first land on SonarCloud, and make their way to SonarQube in the next release. SonarQube and SonarCloud are two separate products with the same analysis engine — exact feature parity should not be expected.
Q. The term “SonarSourcer” was used. What does it mean?
A. A SonarSourcer is somebody who works for the company SonarSource, the company behind SonarQube, SonarLint, and SonarCloud. You can see our team here: Team | SonarSource
Q. What would be the recommendation for how best to learn using Sonar for QA testers and also for developers? I would like to be able to provide some sort of semi-structured materials or recommendations to the internal teams. What do you recommend?
A. The documentation (https://docs.sonarqube.org/) is an ideal place to start for developers to learn about using SonarQube, as well as our community of experts and users (https://community.sonarsource.com/) and our blog (https://blog.sonarsource.com/). That said easing user onboarding and education is in our product objectives for upcoming releases across our ecosystem.
Q. SonarQube is a great tool for developers to learn better coding and for cyber curriculum. Is it possible to provide a record of training for developers who have used SQ as a learning platform and indicated the specific learning achieved?
A. "In fact, developer education is in our product objectives for upcoming releases.
Q. We use SonarQube on numerous projects, some of which are very old and in quite a bad state. However they all seem to have a maintainability rating of A, even with Blocker Code Smells in some cases. This seems broken. Do you have plans to fix it?
A. In fact, the Maintainability rating works differently than the other ratings. It’s based on the ratio of the size of the project versus the technical debt (estimated effort to fix outstanding Code Smells). So yes, it’s quite possible to have an A Maintainability rating with Blocker Code Smells in the project. While we generally advise that you simply Clean as You Code (Clean as You Code | SonarQube Docs) if detection of Blocker issues is important, you may want to configure a Quality Gate condition specifically on that.
Q. Is it possible to use SonarQube for my private coding?
A. Of course. You can deploy SonarQube in any of the custom/private setup you’d like, and even carefully fine-tune permissions if needed. Our community forum https://community.sonarsource.com/ is a great place to exchange with experts if you need more guidance.
Q. Since plugins are coming bundled with SonarQube now, if my team wants to know the version of language supported by SonarQube 8.9, where can I find it?
A. In fact, language analyzers no longer have independent versions, as such. They’re all version 8.9. And you can always see the details of which languages are supported in our documentation for that version: Overview | SonarQube Docs
Q. How are you positioned in Gartner’s Magic Quadrant?
A. We do not have a systematic engagement in Gartner’s quadrant due to the sheer fact that we don’t really fit in one category per-se. Think for example of Quality and Security between two distinct categories from their point of view, while for us it’s a common experience for the developer to write better code.
Q. Can you also talk about any deprications/discontinuation that are happening with this version from an admin point of view so I can assess what changes are needed when going to the latest SonarQube version from 8.9 LTS."
A. Deprecations/Removals are noted in the Upgrade Notes, which is highly recommended (if not required) reading before performing an upgrade! Release Upgrade Notes | SonarQube Docs
Q. Do you have plans to improve the Sonar REST API? It has some limitations like: (a) It is not possible to get more than 10,000 Bugs/Vulnerabilities/Code Smells through the API, even using pagination. (b) It doesn’t follow REST best practices. I could mention much more…
A. In fact, in SonarQube 9.1 Enterprise Edition we added a dedicated web service to export all issues in a project - even if there are more than 10,000. More generally though, we built the Web APIs to feed the UI and published the interface in case it was helpful. So outside of the ongoing evolution of the UI/UX there are no general plans to update the API.
Q. Can we have seperate role for User management? Our security team has been asking for this for a long time.
A. We have some plans to improve administrative functions in the 9-series. It’s worth noting however that with delegated authentication, group membership can be managed outside of SonarQube.