Hi all!
Thanks a lot to everyone who attended our webinar! You will find below the Q&A content from our session:
Q: Can you explain the difference between SonarCloud and SonarQube please?
A: SonarQube and SonarCloud both offer similar capabilities when it comes to static analysis of different languages and the educational value provided by the coding rules. SonarQube is usually installed and administered on-prem. SonarCloud is a cloud SaaS offering.
You can also review our blog on the differences: https://www.sonarsource.com/blog/sq-sc_guidance.
SonarCloud is the SaaS (aka cloud) version of SonarQube (for at least most of the features).
Q: Are there any big differences between SonarLint and Eslint?
A: SonarLint provides live feedback inside a number of IDEs (Visual Studio, Visual Studio Code, Eclipse, IntelliJ) for most of the supported languages, either in standalone or connected mode (where it synchronizes rules with SonarCloud and SonarQube). ESLint focuses primarily on JavaScript and TypeScript.
Q: Is Sonar team planning on adding more rules for Kotlin?
A: Yes, we plan to add more Kotlin rules. Recently, we've updated our Kotlin idiomatic code rules for Java devs: 9 rules to help Java developers write idiomatic Kotlin code.
If you want to add your suggestions or peer into our feature roadmap, see here:
SonarQube: https://portal.productboard.com/sonarsource/3-sonarqube
SonarCloud: https://portal.productboard.com/sonarsource/1-sonarcloud/
SonarLint: https://portal.productboard.com/sonarsource/4-sonarlint
Also, one big thing: we recently added support for scanning Gradle Kotlin DSL! https://portal.productboard.com/sonarsource/3-sonarqube/c/436-gradle-kotlin-dsl-support
Q: Does SonarCloud work only with SonarLint, or also other linters? Or is it checking as part of CI?
A: Both SonarLint and SonarCloud embed native rules created by Sonar. SonarLint integrates with IDEs to provide live feedback on the code as it is written. It can synchronize with SonarCloud to use the same set of rules. SonarCloud analysis can be incorporated as part of a CI pipeline.
Q: How can I integrate and use Clang tooling?
A: If you are interested in scanning C/C++/Objective-C code, then you will need either the "build-wrapper" around your compilation command or a compilation database. Please see the C/C++/Objective-C documentation.
For more info, please go to https://community.sonarsource.com/
Q: Do we have the Clean Code principles shown only on SonarCloud or is it available on SonarQube too?
A: Both SonarCloud and SonarQube are built to leverage Clean Code.
Q: Does it make any sense to use Eslint together with SonarLint?
A: Yes and no. SonarJS already incorporates several ESLint rules as part of the language analyzer. SonarJS is open-source, so take a look: https://github.com/SonarSource/SonarJS
If you want more details from an ESLint report integrated into the Sonar analysis results, you can import the results as a generic issue report. See https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/languages/javascript-typescript-css/#custom-rules-for-jsts.
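As an added example (not code from this post or from Sonar), here is a small Node.js converter that turns the output of ESLint's JSON formatter (`eslint -f json`) into the generic issue report shape that `sonar.externalIssuesReportPaths` imports; the field names follow the generic issue import docs as I recall them, the severity mapping and the sample ESLint output are constructed, so check the fields against the documentation linked above before relying on it.

```javascript
// Added example: convert ESLint's JSON formatter output (eslint -f json) into
// Sonar's generic issue report, for import with sonar.externalIssuesReportPaths.
// Field names follow the generic issue import docs as I recall them (assumption).

// ESLint severity: 1 = warning, 2 = error. The Sonar severity/type chosen here
// is a constructed mapping, not something Sonar defines for ESLint.
function mapSeverity(eslintSeverity) {
  return eslintSeverity === 2 ? "MAJOR" : "MINOR";
}

// Paths in the report must be relative to the project base directory.
function relativeTo(root, filePath) {
  const prefix = root.endsWith("/") ? root : root + "/";
  return filePath.startsWith(prefix) ? filePath.slice(prefix.length) : filePath;
}

// Build one Sonar issue from one ESLint message on a file.
function toSonarIssue(filePath, msg) {
  const textRange = { startLine: msg.line };
  // ESLint columns are 1-based; the generic format's columns are 0-based.
  if (msg.column) textRange.startColumn = msg.column - 1;
  if (msg.endLine) textRange.endLine = msg.endLine;
  if (msg.endColumn) textRange.endColumn = msg.endColumn - 1;
  return {
    engineId: "eslint",
    ruleId: msg.ruleId || "eslint-fatal", // parse errors carry ruleId null
    severity: mapSeverity(msg.severity),
    type: "CODE_SMELL",
    primaryLocation: { message: msg.message, filePath, textRange },
  };
}

function convertEslintReport(eslintResults, projectRoot) {
  const issues = [];
  for (const result of eslintResults) {
    const rel = relativeTo(projectRoot, result.filePath);
    for (const msg of result.messages) issues.push(toSonarIssue(rel, msg));
  }
  return { issues };
}

// Constructed sample of ESLint JSON output (not real project data).
const SAMPLE_ESLINT_OUTPUT = [
  { filePath: "/repo/src/app.js", messages: [
    { ruleId: "no-eval", severity: 2, message: "eval can be harmful.",
      line: 12, column: 3, endLine: 12, endColumn: 7 },
    { ruleId: "no-unused-vars", severity: 1,
      message: "'x' is assigned a value but never used.", line: 4, column: 7 },
  ] },
  { filePath: "/repo/src/ok.js", messages: [] },
];

const report = convertEslintReport(SAMPLE_ESLINT_OUTPUT, "/repo");
console.log(JSON.stringify(report, null, 2)); // save this to a file for import
```

Point `sonar.externalIssuesReportPaths` at the saved JSON file when running the scanner; the analysis then shows the ESLint findings alongside Sonar's own.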
Q: When will SonarQube Community Edition be available for the Swift language?
A: There are no immediate plans to make it available for Community Edition. If you want to scan Swift code freely, you can scan your open-source project on SonarCloud now.
If you want to suggest such an addition to SonarQube Community Edition, please submit a feature request to let our PM team know: https://portal.productboard.com/sonarsource/3-sonarqube (this also shows our feature roadmap).
Q: Is SonarLint 100% local? Or does it send any data to a server?
A: SonarLint can work standalone, and in connected mode it synchronizes with SonarQube or SonarCloud.
Q: Is it possible to migrate from SonarQube Community Edition to Enterprise Edition without losing historical data?
A: Yes, it is possible to seamlessly move from a Community to a commercial edition.
Q: Can you please advise if Sonar can detect hard-coded secrets or keys?
A: Yes, SonarQube and SonarCloud can already detect secrets and keys for at least the 5 major cloud providers (AWS, GCP, Azure, IBM, Alibaba). See https://rules.sonarsource.com/secrets/.
Soon we will be able to detect more than 100 secrets and tokens in an upcoming release of SonarQube: https://portal.productboard.com/sonarsource/3-sonarqube/c/420-rules-to-detect-100-app-secrets-tokens. Same for SonarCloud: https://portal.productboard.com/sonarsource/1-sonarcloud/c/420-rules-to-detect-100-app-secrets-tokens.
Q: Can Sonar help out with validating user input, or suggest improvements?
A: There are a number of Security rules in the commercial editions of SonarQube that focus on detecting unsanitized input and possible injections.
Q: Do you support Dart language?
A: Not just yet, but you can see this future feature request on our roadmap: https://portal.productboard.com/sonarsource/3-sonarqube/c/123-dart-flutter-support