Hi all,
Thank you to everyone who attended our webinar yesterday! You’ll find below all the questions and answers that were given during the webinar:
Q: Do SonarQube and SonarCloud have feature parity with regard to PR decoration?
A: Yes, both support GitHub, GitLab, Azure DevOps, and BitBucket with PR/MR decoration. However, it’s worth noting that SonarCloud only supports the SaaS versions of those platforms. SonarQube supports both cloud and self-managed versions.
Q: When working with an existing codebase, would SonarQube analyze the entire file or just the updated lines?
A: It depends on the context. For PRs, only the changed files are analyzed. For branches, the full project is analyzed.
Q: Can PRs be decorated with Code Coverage?
A: The overall coverage percentage is included in the PR analysis results posted to your DevOps platform. However, if you’re looking for line-by-line coverage data, you’ll need to reference the PR analysis in SonarQube or SonarCloud.
Q: My organization uses both SonarLint and SonarQube, I commonly get the complaint that the code was clean in SonarLint, but then SonarQube raises additional issues once the pull request is completed. What’s going on here?
A: To some extent, this may be normal. Not all rules are run in SonarLint - some rules would slow down the IDE unacceptably. To dig further into this, please visit us in the community https://community.sonarsource.com
Q: How does SonarQube licensing work? Does it count all lines or just the new ones added after you start using it?
A: SonarQube is licensed by analyzed lines of code. License usage is based on the LOC in the largest branch or PR
Q: Will Sonar work with our self-hosted GitLab?
A: SonarQube will. SonarCloud will not. For more, see the docs
Q: We follow Clean as You Code organizationally. In that context, an issue we come across is our coverage numbers taking a hit when a line of code is modified. For example, when a variable is renamed or the formatting changes. Is there a way to break out “new” vs. “modified”?
A: All added and edited code is considered “new” for Clean as You Code purposes. Broad but shallow changes such as whitespace corrections can be painful in this context and are a good example of the rare case when you might want to give yourself a pass on strict adherence.
Q: Can SonarQube anlayze .NET core?
A: Yes, absolutely! You can analyze .NET on either SonarCloud or SonarQube. You’ll want to use the SonarScanner for .NET to get started.
Q: Can SonarQube analyze JSON?
A: Sorry, we don’t have any rules for JSON.
Q: How do we get SonarCloud to ignore 'TODO’s?
A: You can either mark the individual issues “Won’t Fix” or remove the rule from your profile.
Q: Can code be analyzed with multiple default profiles?
A: The default profile for each language in a project is automatically applied during analysis.
Q: How can I run SonarLint in a terminal?
A: SonarLint is an IDE plugin. It’s not possible to run it standalone.
Q: We’d like to use different Quality Profiles for feature branches than for the same branch. How do we configure that?
A: The same profile is used for all analyses of a project, both branches and pull requets. We feel it’s important to apply the same consistent standard throughout. Why would you not want the same level of strictness applied consistently?
Q: Can SonarQube detect bad architecture issues?
A: That’s an area we’re actively working on. We’ve already delivered 3 rules for Java with more in the works.
Q: Can you control which version of a language is applied in analysis? For instance, can analysis only apply rules for Java 8 and not the latest version?
A: Sure! You can target language versions for many of the languages we analyze; just check the docs for the right analysis parameter to use. For Java, it’s sonar.java.source
Q: How often are new rules added to the default Quality Profile?
A: It varies by language, but for flagship languages, you’ll see new rules every few weeks on SonarCloud and in each release for SonarQube.
Q: Are there plans to add SonarCloud support for Active Directory?
A: SonarCloud integrates with other cloud providers. If you need Active Directory integration, you should consider using SonarQube.
Q: Is SonarQube a code quality tool or a security tool?
A: Sonar tools are Clean Code tools. That encompasses both quality and security, as well as maintainability, reliability, accessibility, and so on.
Q: Are there plans for extending the set of supported languages?
A: We’re hoping to add support for Flutter / Dart soon. Beyond that, we don’t currently have clear plans.
