Thank you to all who attended our webinar this week! Below you’ll find answers to the questions we received during the presentation:
Q: Does SonarQube support the latest version of Python?
A: Yes, Python 3.11 is supported from SonarQube 9.8 onwards.
Q: Can SonarQube find Security issues related to unsanitized user input?
A: Yes, there are a number of Security rules focused on injection, i.e. untrusted input that reaches a query, command, path or template without being sanitized or parameterized: https://rules.sonarsource.com/python/tag/injection
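As an added illustration (not code from the webinar or from SonarSource), here is the shape of code those injection rules report, beside its parameterized fix, run against a small in-memory SQLite database constructed for the example. The table, the rows and the payload are all made up for the demonstration:

```python
"""Added example: string-built SQL (what injection rules flag) vs. a bound parameter."""
import sqlite3

# Constructed sample data for the demonstration.
USERS = [("alice", "admin"), ("bob", "user")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """Builds the statement with string formatting, so the caller's value becomes
    part of the SQL text. An injection rule reports this when `name` can be traced
    back to an untrusted source such as a request parameter."""
    query = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list[str]:
    """Bound parameter: the driver passes `name` as data, never as SQL text."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


# A tautology payload: closes the quote and ORs in an always-true condition.
PAYLOAD = "' OR '1'='1"


def demo() -> tuple[list[str], list[str]]:
    """Run both variants with the payload and return (leaked_rows, safe_rows)."""
    conn = make_db()
    return find_user_vulnerable(conn, PAYLOAD), find_user_fixed(conn, PAYLOAD)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)  # every user in the table, not just one
    print("fixed:     ", safe)    # nobody is literally named "' OR '1'='1"
```

The vulnerable variant returns the whole table for the payload because the resulting statement is `... WHERE name = '' OR '1'='1'`; the fixed variant returns nothing, since the payload is compared as a plain string. Note that sqlite3 refuses stacked statements in `execute`, so this particular driver would not let the payload go further than data disclosure, which is not something to rely on with other database clients.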
Q: Is there a command line tool to execute SonarLint?
A: SonarLint integrates with your IDE and is not executed from a command line. However, you can run an analysis from the command line with the SonarScanner CLI, which uploads its findings to the SonarQube platform.
Q: What is the impact on the quality of the python code scan when we have the message
"Your code is analyzed as compatible with python 2 and 3 by default. This will prevent the detection of issues specific to python 2 or python 3. You can get a more precise analysis by setting a python version in your configuration via the parameter “sonar.python.version”
Did you measure a real difference after applying this modification?
A: Some of the Python rules target a specific Python version and stay inactive while the analyzer assumes code compatible with both Python 2 and 3. Setting the version with the sonar.python.version parameter lets those version-specific rules apply to your source code, so you will see additional issues (and fewer irrelevant ones) after applying it.
Q: Is there a way to integrate SonarLint into CI/CD?
A: SonarLint is integrated into the most popular IDEs and is not designed to integrate into your CI/CD pipeline. SonarQube or SonarCloud are designed to integrate into your pipelines, including Jenkins, GitHub, Azure DevOps, Bitbucket and GitLab.
Q: Does SonarLint work with types? For example if we define it to be an iterable, would it convert items= to items=() instead of items=None?
A: SonarLint Python rules do work with types. For example, python:S3862 is triggered when a non-iterable object is used for iterable unpacking. It recognizes the sequence types in this scenario, such as list, str and tuple, and does not report them.
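To show what "works with types" buys a rule like python:S3862, here is a deliberately small checker, added for this page and in no way SonarLint's implementation: it flags tuple unpacking of a value it can infer to be an int, float, bool or None, and it tracks simple `name = <literal>` bindings so that `count = 42; x, y = count` is caught too, which a purely syntactic check would miss. The sample module it runs on is constructed for the example:

```python
"""Added example: a toy, type-aware check for unpacking a non-iterable (not Sonar's code)."""
import ast

# Literal types that can never be unpacked. str and bytes are sequences, so they are
# deliberately absent: "a, b = 'ab'" is valid Python.
NON_ITERABLE_TYPES = (int, float, complex, bool, type(None))


class UnpackChecker(ast.NodeVisitor):
    """Reports (line, type name) for each `x, y = <non-iterable>` assignment."""

    def __init__(self) -> None:
        self.findings: list[tuple[int, str]] = []
        # Minimal stand-in for type inference: names bound to a literal so far.
        self.constants: dict[str, object] = {}

    def _infer(self, expr: ast.expr) -> object:
        """Return the literal value of `expr` if known, else the sentinel `ast.expr`."""
        if isinstance(expr, ast.Constant):
            return expr.value
        if isinstance(expr, ast.Name) and expr.id in self.constants:
            return self.constants[expr.id]
        return ast.expr  # unknown: stay silent rather than guess (avoids false positives)

    def visit_Assign(self, node: ast.Assign) -> None:
        value = node.value
        # Remember (or forget) literal bindings to a single plain name.
        if len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
            if isinstance(value, ast.Constant):
                self.constants[node.targets[0].id] = value.value
            else:
                self.constants.pop(node.targets[0].id, None)
        for target in node.targets:
            if isinstance(target, (ast.Tuple, ast.List)):
                inferred = self._infer(value)
                if inferred is not ast.expr and isinstance(inferred, NON_ITERABLE_TYPES):
                    self.findings.append((node.lineno, type(inferred).__name__))
        self.generic_visit(node)


def check(source: str) -> list[tuple[int, str]]:
    checker = UnpackChecker()
    checker.visit(ast.parse(source))
    return checker.findings


# Constructed sample module (line 1 is the blank line after the opening quotes).
SAMPLE = '''
pair = (1, 2)
first, second = pair      # fine: the tuple is iterable
letters = "ab"
a, b = letters            # fine: str is a sequence
count = 42
x, y = count              # flagged: an int is not iterable
lo, hi = None             # flagged: None is not iterable
'''

if __name__ == "__main__":
    for line, kind in check(SAMPLE):
        print("line %d: unpacking a value of type %s" % (line, kind))
```

The real rule does far more (it follows function returns, attribute access and typeshed-style stubs), but the principle is the same: the rule only fires when the analyzer has positive knowledge of the type, and stays silent for values it cannot resolve.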
Q: Is there a command line to manually execute SonarLint like black/flake8/pylint/ruff? This is useful for pre-commit hooks or scripting, for example.
A: Yes, you can analyze your code with SonarQube/SonarCloud by running the SonarScanner CLI on your code. You will then consult the findings in SonarQube/SonarCloud.
Q: Do you have any guidelines on how to keep balance between code readability / maintainability / “cleanness” and its performance?
A: Clean Code, as we define it, is about delivering clean increments of code with the least amount of friction in the development process.
Q: Can one person’s clean code look incomprehensible to another?
A: Clean code as we define it will have low technical debt and will be perceived as such by most developers. One of the benefits of using the Clean as You Code methodology within SonarQube is that each developer is responsible for their own code, not anyone else's. If you add new issues, SonarQube automatically assigns them to you so you can maintain the quality of your own code.
Q: Can SonarScanner return the results locally without connecting to SonarQube/SonarCloud ?
A: No, the SonarScanner needs to upload its results to SonarQube/SonarCloud, where the Compute Engine processes them. However, SonarLint is able to return results immediately in your IDE.
Q: While using ruff/pylama we see linters having issues with multiple decorators on one function. Does sonarlint handle these decorators well?
A: This is quite specific. I would suggest running a test on the specific code snippet. You may also provide the snippet on our community forum: community.sonarsource.com/
Q: Are there rules in SonarLint that are not available when SonarLint binds to SonarQube?
A: This might be the case for some advanced Security rules, but the rules presented during this session should be available in your SonarLint.
Q: Do you have a similar talk for Java and Sonar maven plugin?
A: Thank you for your suggestion! We don’t have one scheduled for Java and corresponding SonarScanners at the moment. Meanwhile be sure to check out our webinar page for more details of upcoming events, and visit our Community : Topics tagged webinar
Q: Is SonarLint supposed to identify functions with duplicate logic but function names and variable names changed?
A: Finding duplications requires the scanner to analyze the entire project (including sibling modules). This is currently outside the scope of SonarLint. SonarQube/SonarCloud do have a CPD engine (Copy/Paste Detection) that detects duplicated code by comparing streams of 'tokens'. Differences in indentation and in string literals are ignored while detecting duplications; renamed functions and variables are not normalized, so the case you describe is not reported as a duplication.
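To make the token-level behaviour concrete, here is a small duplicate detector added for this page (it is not SonarQube's CPD engine, only a sketch of the same idea) built on Python's own `tokenize` module: layout tokens are dropped, string literals are masked, identifiers are kept verbatim, and two snippets count as duplicates when they share a window of `min_tokens` consecutive normalized tokens. The three snippets it is run on are constructed for the example:

```python
"""Added example: token-based duplicate detection in the spirit of CPD (not Sonar's code)."""
import tokenize
from io import StringIO

# Token kinds that carry layout rather than code. Dropping them makes differences in
# indentation, blank lines and comments invisible to the comparison.
LAYOUT_TOKENS = {
    tokenize.INDENT, tokenize.DEDENT, tokenize.NEWLINE, tokenize.NL,
    tokenize.COMMENT, tokenize.ENCODING, tokenize.ENDMARKER,
}


def normalize(source: str) -> list[str]:
    """Token stream with layout removed and every string literal masked as <STR>.
    Identifiers are kept as-is, so renamed names still differ (the limitation above)."""
    tokens: list[str] = []
    for tok in tokenize.generate_tokens(StringIO(source).readline):
        if tok.type in LAYOUT_TOKENS:
            continue
        tokens.append("<STR>" if tok.type == tokenize.STRING else tok.string)
    return tokens


def duplicate_windows(snippets: dict[str, str], min_tokens: int = 12) -> dict[tuple[str, str], int]:
    """For every pair of snippets, count the distinct token windows they share."""
    seen: dict[tuple[str, ...], set[str]] = {}
    for name, src in snippets.items():
        toks = normalize(src)
        for i in range(len(toks) - min_tokens + 1):
            seen.setdefault(tuple(toks[i:i + min_tokens]), set()).add(name)
    pairs: dict[tuple[str, str], int] = {}
    for names in seen.values():
        for a in names:
            for b in names:
                if a < b:
                    pairs[(a, b)] = pairs.get((a, b), 0) + 1
    return pairs


# Constructed snippets: the second re-indents the first and changes its string literals,
# the third keeps the logic but renames every identifier.
ORIGINAL = '''
def load_user(conn, user_id):
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise KeyError("no such user")
    return row[0]
'''
RELAYOUTED = '''
def load_user(conn, user_id):
        row = conn.execute("SELECT name FROM accounts WHERE id = ?", (user_id,)).fetchone()
        if row is None:
                raise KeyError("missing")
        return row[0]
'''
RENAMED = '''
def fetch_account(db, account_id):
    rec = db.execute("SELECT name FROM users WHERE id = ?", (account_id,)).fetchone()
    if rec is None:
        raise KeyError("no such user")
    return rec[0]
'''


def demo() -> dict[tuple[str, str], int]:
    return duplicate_windows({"original": ORIGINAL, "relayouted": RELAYOUTED, "renamed": RENAMED})


if __name__ == "__main__":
    for (a, b), shared in sorted(demo().items()):
        print("%s <-> %s: %d shared windows" % (a, b, shared))
```

With a 12-token window, `original` and `relayouted` share every window (the two normalize to the same 40 tokens), while `renamed` shares none with either, because a different identifier shows up in every window. Sonar's CPD uses the same shape of comparison with its own minimum-token thresholds per language.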
Q: What makes a good linter good besides how many code smells it is able to detect and fix for you? Is SonarLint the only linter able to integrate with SonarCloud, or does this also work with Pylint, Black, etc?
A: SonarLint can work either standalone or in connected mode with SonarQube/SonarCloud.
Q: What exactly is being uploaded to SonarQube/SonarCloud? Can it cause IP concerns?
A: SonarQube is usually hosted on premises under the organization’s control so any code or code metadata stored in it stays with the organization.
Q: Are all the checks offered by PyLint, flake8, etc included in SonarLint?
A: The majority of the checks included in these linters are available through SonarLint. You can view the rules at: https://rules.sonarsource.com/python. That said, it is possible to import issues raised by third-party analyzers (e.g. pylint) into your SonarQube platform: https://docs.sonarqube.org/latest/analyzing-source-code/importing-external-issues/importing-third-party-issues/
Q: Will SonarQube eventually have a CLI similar to Ruff or Black?
A: SonarQube analysis can be triggered with the SonarScanner CLI from the command line. The analysis runs on the machine where the scanner is invoked, and the results are uploaded to the SonarQube platform, where they can be consulted via a rich UI.
Q: Is in your scope the improvement of the Jira integration?
A: Adding Jira integration is not on our roadmap. SonarQube/SonarCloud are products that help developers write Clean Code by focusing on keeping any new code that enters the codebase clean. Over time this approach will clean older code through refactoring rather than assigning legacy issues to Jira tickets.
Q: Does SonarLint replace or complement Black/PyLint?
A: We believe that SonarLint can replace PyLint because it has reached a level of maturity with a broad spectrum of rules and fewer false positives. SonarQube still offers the ability to import Pylint reports, see: https://docs.sonarqube.org/9.9/analyzing-source-code/importing-external-issues/importing-third-party-issues/.