Hey all,
Thanks a lot to all who joined our session with Blazor yesterday, and thanks again to Daniel Roth for joining us during this event!
Below are the questions that were asked during the webinar:
Q: What is the difference between SonarQube and SonarCloud?
A: SonarQube runs on-premise while SonarCloud is available online, allowing the users to analyze their projects without spending effort maintaining their infrastructure.
Q: What does what you demoed during the presentation look like with Blazor WebAssembly?
A: You can use interactive WebAssembly components with a Blazor Web App too. When creating the Blazor Web App project there’s an option to enable interactive WebAssembly rendering, which will set up a separate Client project that will run on WebAssembly. You can optionally set up the entire app to run on WebAssembly if you’d like. There’s also a separate Blazor WebAssembly Standalone App template if you want a Blazor WebAssembly app that will be hosted as a static site.
Q: Does SonarQube Developer edition automatically recognize Blazor projects too or do we have to enable something specifically? And what version of the Dev edition do we need for this?
A: No configuration is needed. Blazor analysis will happen automatically on any edition of SonarQube and SonarCloud.
Q: What is the pricing for the different Sonar tools you presented?
A: SonarQube Community is open source and free to use for everyone.
SonarCloud is free for open-source.
SonarLint is open-source and free to use in multiple IDEs.
Q: How frequently do you update or check the plugins that are used for analysis?
A: On the dotnet side, we regularly do two-week sprints that end up with a release. These releases are made available on SonarCloud in a matter of days. SonarQube and SonarLint will embed the updates in the upcoming release.
Q: On a previous question you answered that SonarCloud gets 2 weekly releases with updated analysis plugins. How often does this happen for the SonarQube Developer edition?
A: SonarQube releases come out roughly every 2 months.
Q: Is there a troubleshooting doc on SonarLint for Visual Studio, or is SonarLint considered an ongoing development with regards to the VS extension?
A: SonarLint for Visual Studio is an actively developed project, and it's open source. Check it out on GitHub: SonarSource/sonarlint-visualstudio (SonarLint extension for Visual Studio).
If you have specific problems for which you need troubleshooting help, please open a question on our community forum: https://community.sonarsource.com/
We have a guides section on the community forum (Guides - Sonar Community) - if you participate in the community forum, you can suggest creating one for SonarLint for Visual Studio.
Q: Is there a method to perform DAST for mobile applications?
A: Our products are focused on static code analysis. Presently we do not offer a solution for DAST.
Q: What is the name of the Git study related to Clean Code you mentioned during the presentation?
A: The Blazor project that was analyzed earlier was MudBlazor, a popular open-source Blazor component library: https://mudblazor.com.
Git of Theseus did the study we mentioned when talking about Clean as You Code: https://github.com/erikbern/git-of-theseus
Q: Will SonarQube Enterprise receive a feature allowing it to scan all repositories/projects within Bitbucket without the need to individually link each repository? If so, what are the timelines?
A: We do not have specific plans for any changes yet, although the request is reasonable.
Q: Will SonarQube allow for package vulnerability scanning, including periodically scanning repositories and alerts when package vulnerabilities are identified?
A: There are internal discussions about this topic. At the current moment, this is not part of our roadmap.
Q: What are the differences between the SAST test in developer and enterprise editions; are they the same or different?
A: Please see https://www.sonarsource.com/plans-and-pricing/ for a comparison between developer and enterprise editions. From the analysis point of view, the enterprise edition adds support for more languages; other than that, the results are the same.
Q: What about SAST and DAST? Can we perform them with other languages?
A: SonarQube and SonarCloud support static code analysis and SAST for over 30 programming languages and frameworks. We focus on code analysis to find code quality and security issues. See the Clean Code Programming Languages page.
For SAST, also check - https://www.sonarsource.com/solutions/security/.
Q: Will what you showed work with other frameworks, even other modern frontend frameworks like Angular and React?
A: We support the analysis of JS / TS projects with SonarLint, SonarQube, and SonarCloud. We have rules specific to libraries such as React. You can check the full list of rules at JavaScript static code analysis and TypeScript static code analysis.