[Webinar] APJ + North America - Code Faster, Write Cleaner using AI Coding Assistants and Sonar

Hi all,

With AI being such a hot topic, and our community asking for additional webinars, we will host additional sessions of the “Code Faster, Write Cleaner using AI Coding Assistants and Sonar” webinar.

Manish Kapur will reprise his presenter role, and talk to you about AI-assisted coding, give best practices for integrating AI coding assistants into development workflows, and give practical advice to nurture a culture of Clean Code.

Take advantage of these two webinars to ask your questions and attend a live demo given by our Solution Engineers!

Title: Code Faster, Write Cleaner using AI Coding Assistants and Sonar
Speaker: Manish Kapur

Date and time:

  • APJ & EMEA: Tuesday, April 23rd - 9 am CEST / 3 pm SGT - Register now!
  • North America & EMEA: Thursday, April 25th - 10 am CDT / 5 pm CEST - Register now!

You can also find all the questions that were asked during the first webinar we hosted on March 20th under this Community post.

Interested in the topic, but unable to join the live session?
Register using the above-mentioned links, and receive a recording of the webinar!

Hello everyone!

Thanks to all who attended our session today for APJ and EMEA! Find below the questions that were asked during our webinar:

Q: Does SonarLint extension support Kotlin and Swift languages?
A: It depends on the IDE that is being used, and whether connected mode is used or not. Support for Kotlin is available for IntelliJ IDEA. When IntelliJ IDEA is used in connected mode, then support for Swift is also available.

Q: When it comes to your investments in AI, should we be looking more at SonarCloud or SonarQube going forward?
A: At the moment, just as with support for programming languages, SonarQube and SonarCloud offer almost the same set of features. There is no plan to only offer AI for one product and not the other.

Q: Does Sonar have plans to introduce an AI assistant for code review?
A: There are discussions around that topic, to provide better contextual AI-driven suggestions around code fixes. However, it is too early to share a roadmap.

Q: Are you using AI in SonarQube, to reduce false positives for instance?
A: AI is currently not being used in any of our products.

Q: Does SonarQube help with memory-safe related vulnerabilities related to memory access?
A: It certainly does. See for example this rule for C++.

Q: Can we connect SonarCloud to IDEs the same way we do for SonarQube?
A: Yes, it is the same process. Connected mode is available regardless of which solution you are using (SonarQube or SonarCloud).

Q: Is Azure Bicep supported by SonarLint/SonarCloud?
A: Yes, support is available in SonarCloud. For SonarLint, only SonarLint for VSCode supports Azure Resource Manager and Bicep at the moment.

Q: Is Pull Request scan a feature available in the Community Edition of SonarQube?
A: No, it is not; you need SonarQube Developer Edition for pull request support.

Q: How can AI code generation tools read other internal repos and code to suggest new code?
A: [Joshua Q.] That’s a great question - you would need to look for an AI code generation tool that can do cross-repo code generation. I do believe that there are such tools out there. There is a project called AutoDev that literally is a full AI developer. This is not related to Sonar, but you can check it out.

Q: Is SonarQube the same as SonarCloud, but hosted differently?
A: SonarQube = Self-managed, able also to work in an air-gapped environment with no internet connection.

SonarCloud = Software as a Service (SaaS), hosted on the cloud and fully managed by Sonar.

You can go to our website to consider the different features available on each.

Q: Does one’s code need to be put on SonarCloud to be reviewed?
A: That is correct. A copy of the code is hosted on the SonarCloud infrastructure, hosted in Germany on AWS. Code needs to be hosted in order to be reviewed, and for the issues to be shown.

Q: Is there a comparison of what languages are supported in SonarQube and SonarCloud? For instance, Dart and Flutter
A: Flutter is not yet supported by SonarQube at the moment, but support for it, and for Dart, is expected to be released later this year. You can also check out our languages page here.

Q: Do you know if Copilot also works with the PHP language and with the PhpStorm programming tool?
A: SonarLint supports PHP, and PhpStorm. That being said, as Copilot has been trained on many programming languages, it is very likely to support PHP. For support of PhpStorm, please review the official Copilot website.

Hello everyone!

Thanks to all who attended our session today for North America and EMEA! Find below the questions that were asked during our webinar:

Q: Is Sonarlint okay to use when working with confidential data/code?
A: Yes, SonarLint would work even in an air-gapped environment (without WAN or LAN access). It uses some telemetry, which can be disabled. The same can be said of SonarQube.

Q: Does SonarLint send any code to Sonar servers?
A: It can run standalone, connect to your private SonarQube server, or connect to a SonarCloud account. Both SonarLint and SonarQube run in environments you control and do not send any of your code to Sonar for analysis. You run the Sonar analyzers in your environment to analyze your code, all managed by you.

Q: How frequently is the ruleset for IaC scanning updated? What is the size of the rule set for Terraform IaC, is it part of SonarQube?
A: It depends, I would say they are updated every quarter. The ruleset for Terraform can be reviewed here: SonarQube. If you have ideas or suggestions, feel free to reach out to our Community!

Q: Is GitHub Copilot free to use?
A: No, GitHub Copilot is currently $10/mo for personal use.

Q: Has an AI tool been used to generate a state diagram versus directly coding a solution?
A: It seems possible to use Gen AI to generate code describing a UML diagram, like mermaid for markdown.

Q: Are there pre-built quality profiles out of the box or do you have to define your custom ones?
A: We provide our recommended quality profile for best practices out of the box called the “Sonar way”. More information is available here (on our default built-in quality profiles and how to define custom ones): Quality profiles

Q: Can your solution be installed on an internal organizational intranet, i.e., no connection to the internet? Our code is controlled for security reasons.
A: Yes it can, and it is a common use case for many security-sensitive industries (finance; defense) using our solutions.

Q: Couldn’t SonarLint be an automatic step after the generation of the code? So you don’t need to check all typical errors manually.
A: On-the-fly analysis is available on certain IDEs for SonarLint. So if the generated code is directly injected into a file, SonarLint will review it automatically.

Q: Is SonarLint usable if you use ReSharper?
A: It is possible to define the set of rules that are used by SonarLint so that it would not overlap with those of ReSharper.

Q: If we install SonarLint is it enough to use AI features?
A: SonarLint is not a Gen AI tool but can be used to check whether generated code meets quality and security standards.

Q: SonarQube doesn’t get you the GenAI features, does it?
A: No, but scanning code with SonarQube is recommended anytime you use AI code generation tools. It helps make the use of Gen AI safer.

Q: Can I connect SonarLint with SonarCloud? Or is this functionality only in SonarQube?
A: Yes, SonarLint is compatible with SonarCloud as well as SonarQube.

Q: When SonarLint is installed on Visual Studio, how can we see the Copilot window?
A: SonarLint is independently developed, and can work without GitHub Copilot (Installation - Visual Studio). To install Copilot, you can browse the Visual Studio marketplace.

Q: Can SonarCloud be used with private GitLab repositories for free - for educational purposes?
A: On a case-by-case basis, we may consider giving away some keys or licenses to use (either for open-source projects or educational institutions). I would suggest that you contact us and describe your need: Contact | Sonar SonarSource

Q: Can this also help with compliance challenges (reporting on usage of GenAI for coding)? About controls for SOC 2 Type II and ISO 27001. Auditors are looking for some reporting on usage of GenAI in code.
A: The use of code quality and security tools in general might help with gaining access and/or maintaining access to ISO 27001 and SOC 2 Type II.

Q: What’s the process to add new rules in a customized quality profile, is it possible in Community Edition?
A: Yes, it is possible, even on the Community Edition. Please review the documentation: Quality profiles

Q: Did you try to estimate the improvements of productivity/velocity w.r.t. some metrics?
If so, which metrics did you use? What are your results?

A: In order to illustrate the benefits of correcting issues as early as possible in the software development lifecycle, we don’t measure metrics ourselves, but instead we rely on some known studies and research, such as this one.