Hello all!
Thank you to everyone who attended our first webinar optimized for APAC time zones! You’ll find below the transcript of questions that were asked during the session:
Q: Can SonarQube scan OWASP Top 10 API Security Risks ?
A: Yes SonarQube picks up issues that are OWASP Top 10 related - in our Enterprise Edition we do even provide Reports where you can see it in a report view under a “Security Reports” tab.
Q: Would it be possible to have examples with JavaScript and TypeScript, like the ones given during the session about PHP and Python?
A: PHP and Python were just examples of how useful Sonar can be to learn as a developer. The value of Sonar rules documentation, and in-context education, is exactly the same for Javascript/Typescript.
By the way, the cognitive complexity rule is provided for all the language we support (where it makes sense of course): JavaScript static code analysis: Cognitive Complexity of functions should not be too high
Feel free to explore Sonar rules and their documentation: https://rules.sonarsource.com
Q: We recently started using SonarQube for one of our old projects and found a lot of issues; from where can we start to fix them? There will be different categories of issues, and fixing all the issues will take time.
A: The answer to this common challenge is Sonar Clean As You Code Clean Code: The Essential Approach.
We frequently have Webinar touching on this topic, you may check the ones we’ve had in the past, and stay tuned for the next one: Tech Webinars for Developers | Sonar
Q: Is SonarLint considered as a replacement for ReSharper?
A: As highlighted in today’s session, SonarLint proposes rich and, we believe, unique Learning content to developers.Deep Education | Learn as You Code with SonarLint
All the Connected Mode features should also be a clear differentiator for all teams on SonarQube for their projects Connected Mode to SonarQube Linting analysis | How to set up
You should try it and let us know what you think on the Sonar Community forum!
Q: Can we improve the true positive finding with SAST, with a SonarQube Community Edition? I try to scan a benchmark project in Java, but some issues were not detected.
A: You should request an evaluation key for a commercial edition of SonarQube, or try this analysis on SonarCloud (for free). The Community Edition does not benefit from Sonar taint analysis, which is needed for good results on the benchmark. Plans & Pricing
Q: Is there a roadmap for SonarQube and other supporting technologies to integrate AI to help developers code better and faster?
A: We’re having a close look at how AI could benefit us for sure. As we see it, AI can make developers faster; whether it makes them better remains to be proved. AI tends to generate content without a true understanding of what the content is about, and it will therefore make mistakes and reproduce common errors. You’ll definitely want to analyze all the AI-generated code to make sure it’s clean!
