Hello everyone,
Thank you to all who attended our session today! You can find below the questions that have been asked during the webinar:
Q: If new vulnerabilities emerge in the market, how can we add a rule to scan these vulnerabilities in a custom quality profile in SonarQube as well as SonarCloud?
A: We always try to be up to date with known vulnerabilities, and we frequently release new versions of our products. But if you would like to implement your own rules to tackle some uncovered vulnerabilities, you could do that with a custom plugin, which you could then add to your local SQ instance (not available for SonarCloud). Here you can find more information on custom plugins.
You can always report a new vulnerability that we do not cover on our community forum, and we could eventually implement support for it.
Q: What is the URL for the list of rules per language?
A: You can find all the rules, divided by language, here.
Q: What are some key strategies and best practices for ensuring good code quality?
A: With our Clean as You Code approach we help developers improve their code quality while they go through their daily development. Our set of rules for the different languages enhances the developer experience, suggesting how their code could be improved, while also providing knowledge and useful insights on why an issue was found and how it can be fixed.
We believe this is the best approach for a codebase to reach the state of Clean Code, that is, code whose attributes make your software reliable, secure, and maintainable.
Q: We would like to use Java records. But when we use records with arrays, then we have to implement hash and equals methods. But the records are not compared with equals, so we end up adding unused code. Any tips?
A: Thank you for the question. It would be easier to diagnose by seeing a sample of the code as well as the specific rule that is triggering the issue. If you think you found a False Positive reported by Sonar, please let us know on our community forum!
There you can find a lot of solutions to different problems users may face, and if you don’t find an answer to your issue, you can report it, and we will try to fix it!
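An added example to illustrate the records question above (it is not part of the original post, and not Sonar's code). A record's generated equals and hashCode compare each component with Object.equals/Object.hashCode, and for an array component that is reference equality, so two records holding arrays with identical contents are not equal and can collide or diverge unexpectedly in hash-based collections. The record names, fields and sample values below are hypothetical; the "fixed" variant shows the usual content-based implementation with java.util.Arrays plus a defensive copy in the compact constructor.

```java
import java.util.Arrays;
import java.util.Objects;

public class RecordArrayEquality {

    // Hypothetical record relying on the generated members: the int[] component
    // is compared by reference, not by content.
    record RawMeasurement(String sensor, int[] samples) {}

    // Same shape, with equals/hashCode/toString that look at the array contents.
    record Measurement(String sensor, int[] samples) {
        Measurement {
            // Defensive copy: callers cannot alter the component after construction,
            // which keeps equals/hashCode stable while the record sits in a HashSet or HashMap.
            samples = samples.clone();
        }

        @Override
        public boolean equals(Object o) {
            // Pattern-matching instanceof requires Java 16+, the same baseline as records.
            return o instanceof Measurement other
                && sensor.equals(other.sensor)
                && Arrays.equals(samples, other.samples);
        }

        @Override
        public int hashCode() {
            // Arrays.hashCode is content-based, so equal records hash equally.
            return Objects.hash(sensor, Arrays.hashCode(samples));
        }

        @Override
        public String toString() {
            // The generated toString would print the array's identity hash, not its contents.
            return "Measurement[sensor=" + sensor + ", samples=" + Arrays.toString(samples) + "]";
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: two distinct arrays with identical contents.
        int[] a = {1, 2, 3};
        int[] b = {1, 2, 3};

        RawMeasurement r1 = new RawMeasurement("s1", a);
        RawMeasurement r2 = new RawMeasurement("s1", b);
        System.out.println("generated equals: " + r1.equals(r2));

        Measurement m1 = new Measurement("s1", a);
        Measurement m2 = new Measurement("s1", b);
        System.out.println("content-based equals: " + m1.equals(m2));
        System.out.println("hashCode consistent: " + (m1.hashCode() == m2.hashCode()));
        System.out.println(m1);
    }
}
```

Running the class shows the generated equals on RawMeasurement returning false for the two records, while Measurement reports them equal with matching hash codes. If a record is genuinely never compared or hashed, an alternative that needs no hand-written members is to store an immutable List (for example List.of(...)) instead of an array, since List already defines content-based equals and hashCode; otherwise the overrides above are what keeps the record usable as a value type.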
Q: How efficient are Sonar services for Python projects? Does it support Sonar suggestions while we code in the PyCharm editor?
A: SonarQube has support for Python, as does SonarLint. Yes, SonarLint highlights issues in your code, and when you open the rule related to the issue, it gives you a suggested approach on how to fix that issue. Remember also to run SonarLint in connected mode and bind the Python project you have on SonarQube to the project you have locally in your IDE; this will allow you to sync the quality profile (set of rules) associated with that project.
Since taint analysis-based issues are only detected after a SonarScanner analysis is done and are then reported on SonarQube itself, running SonarLint and SonarQube in connected mode also allows you to sync these detected taint analysis issues to your code in your IDE, so you will be able to view them in your IDE via SonarLint.