[Webinar] Clean Code Principles and Practices

Hi all,

Thank you to all who attended our webinar this week! Below you’ll find answers to the questions we received during the presentation:

Q: What types of issues or code smells can SonarCloud detect?
A: SonarCloud is capable of detecting not only code smells but bugs, vulnerabilities and hotspots as well. For a full list, see https://rules.sonarsource.com/

Q: Does Sonar support the latest es6 languages like react and vue js?
A: Yes, Sonar will analyze both React and Vue.js applications: Javascript Clean Code Programming Language

Q: What’s your view on Test Driven Development/TDD as part of Clean Code? what’s the Sonar view on TDD?
A: TDD is a great way to implement new projects or features, and it works smoothly with Clean As You Code. An additional benefit of Sonar is the rules targeting your test code.

Q: If I configure Sonar in my Azure pipelines, does this guarantee that my code is 100% clean code? And does this cover different programming languages like PHP, Java, C#, Python, CSS, HTML and JS?
A: Yes, Sonar does cover all the languages you mentioned. For a full list see https://rules.sonarsource.com/. Your code will not be 100% clean when you start, but over time, following our Clean as You Code methodology, you can achieve clean code!

Q: Is there a way we can mandate these clean code policies into the pipelines?
A: Sure, SonarCloud and SonarQube will both allow you to enforce a Clean As You Code compliant Quality Gate in all your pipelines: CI integration overview

Q: What are the different products available for Java?
A: Java is one of our flagship languages here at Sonar so it is supported by all 3 of our products: SonarQube, SonarLint and SonarCloud!

Q: Any plans to release SonarLint SSMS plugin?
A: You can check the SonarLint roadmap and promote new features directly on our public roadmap portal here: https://portal.productboard.com/sonarsource/4-sonarlint/

Q: How will Code Coverage of Test work for Quality Gates that is for only new code?
A: Whilst we do have a recommended Clean as You Code compliant Quality Gate, it is possible to customize Quality Gates to look at test coverage for your overall code as well (not only new code).

Q: How can we bring 5 developers to use SonarQube and SonarLint so that we get Clean Code? We have about 8000 compiler warnings. How do we manage the warnings, since they get more numerous, so to say, every day?
A: You can consult entry points in the SonarCloud documentation: Clean As You Code | SonarCloud Docs and New Code Definition | SonarCloud Docs, and the recording will be available soon if you want to review it with your developer team.

Q: Would SonarQube detect issues for JavaScript frameworks too? ex: React ?
A: The vast majority of JavaScript developers use a framework, so we support the most popular ones, and that includes React of course.

Q: How can you add a quality gate that is green when you start using Sonar with a 10+ year old project? That seems to me like it’s unlikely to be green the first year, no?
A: The first analysis on any project always gets a green Quality Gate. The first analysis establishes the baseline for the New Code.

Q: How are the default “Quality Profiles” determined? Our team just accepts the default quality profiles and a reasonable target. Should we review quality profiles themselves? Or are the defaults actually quite reasonable?
A: The default Quality Profiles and Quality Gates are created by our engineers and product teams - who are also engineers. They have done a great job of researching and testing these rules in the wild, so we feel our defaults are very appropriate to use. With that said, it is always a good idea as an engineer to trust but verify. So, please feel free to review our defaults and make changes. Also, we love and cherish all feedback - good or bad. If you have a question or want to discuss a rule more, please feel free to join our community and ask your questions.

Q: Can we analyze JSP code in SonarQube Community Edition?
A: You can, and if anything does not work as expected, please raise your question with the Sonar Community: https://community.sonarsource.com/

Q: Can you please give the titles of the references you recommended?
A: The New Kingmakers - https://thenewkingmakers.com/, and also Things You Should Never Do, Part I - https://www.joelonsoftware.com/2000/04/06/things-you-should-never-do-part-i/

Q: If we already use SonarLint, what is the purpose for SonarQube scanning? Does SonarLint cover all of the findings?
A: SonarLint is great as your first line of defense, but because the focus is on speed and on-the-fly analysis, it is not possible to detect more complicated vulnerabilities such as SQL injection, especially when they span multiple files.

Q: Can you recommend a coverage percentage for each coverage test?
A: The default built-in Quality Gate mandates 80% coverage on the New Code. This is a good starting point for every language.
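The two answers above (a green first analysis that only sets the baseline, and an 80% coverage condition judged on New Code alone) can be modelled in a few lines. The block below is an added illustration, not Sonar's implementation: the diff-based New Code definition, the gate conditions and all sample sources, coverage sets and issue descriptions are constructed for the example; only the 80% threshold comes from the page.

```python
"""Toy Quality Gate evaluated on New Code only (added example, not Sonar's code).

First analysis: no baseline exists, so there is no New Code and the gate is green.
Later analyses: only lines added or changed since the baseline are judged
(constructed conditions: >= 80% coverage on New Code and no new issues).
"""
import difflib


def new_code_lines(baseline: list[str], current: list[str]) -> set[int]:
    """1-based line numbers of `current` that were added or changed since `baseline`.

    Blank lines are skipped: they are not code and carry no coverage.
    """
    new: set[int] = set()
    matcher = difflib.SequenceMatcher(a=baseline, b=current, autojunk=False)
    for tag, _a1, _a2, b1, b2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            new.update(n for n in range(b1 + 1, b2 + 1) if current[n - 1].strip())
    return new


def quality_gate(baseline, current, covered, issues, min_coverage=80.0):
    """Evaluate the gate. `baseline` is None on the very first analysis.

    covered: 1-based line numbers executed by tests
    issues:  {line: description} as an analyzer would report them
    """
    new = set() if baseline is None else new_code_lines(baseline, current)
    if not new:  # first analysis (baseline just set) or nothing changed: green
        return {"passed": True, "new_lines": new, "coverage": None, "new_issues": []}
    coverage = round(100.0 * len(new & covered) / len(new), 1)
    new_issues = sorted((n, d) for n, d in issues.items() if n in new)  # old lines ignored
    passed = coverage >= min_coverage and not new_issues
    return {"passed": passed, "new_lines": new, "coverage": coverage, "new_issues": new_issues}


# Constructed sample: a second analysis that adds a `mean` function (lines 6-9).
BASELINE = ["def total(xs):", "    s = 0", "    for x in xs:", "        s += x", "    return s"]
CURRENT = BASELINE + ["def mean(xs):", "    if not xs:", "        return 0", "    return total(xs) / len(xs)"]
COVERED = {1, 2, 3, 4, 5, 6, 7, 9}   # the empty-input branch on line 8 is never tested
ISSUES = {3: "old smell, outside New Code", 8: "new issue on the untested branch"}

if __name__ == "__main__":
    print(quality_gate(None, BASELINE, COVERED, ISSUES))      # first analysis: green
    print(quality_gate(BASELINE, CURRENT, COVERED, ISSUES))   # 75% on New Code + 1 new issue: red
    print(quality_gate(BASELINE, CURRENT, COVERED | {8}, {3: "old smell"}))  # 100%, no new issues: green
```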

Q: Are there any plans of introducing WordPress quality profiles in SonarQube?
A: If you feel the default Quality Profile for PHP does not work well for your WordPress projects, don’t hesitate to raise the point with the Sonar Community: https://community.sonarsource.com/

Q: Will A.I. tooling/smarts be incorporated into Sonar to give enhanced recommendations or smarter problem detection?
A: This is a hot topic in the industry right now. We have an R&D team looking into this. Whilst we do see the value in AI-related tools, it is important to keep in mind not all issues can be picked up by AI.

Q: What if we make a part of the team dedicated to new features and another dedicated only to Clean Code?
A: The Clean as You Code methodology to reach the state of Clean Code is for every developer committing on the projects, and Sonar Solutions will automatically assign new issues to their ‘author’: Issues | SonarCloud Docs

Q: How can we handle a change of rules, e.g. going from v8 to v9 Sonar? We get spikes of errors due to new rules being checked.
A: Clean As You Code methodology is here to prevent this from happening!

Q: If SonarQube is on a private server, connected only via VPN, can we connect SonarLint to it?
A: Hi, if you have any access to the SonarQube UI from your laptop or desktop (through a VPN or not), you should be able to configure the SonarLint connected mode. Please raise your hand with the Community if you need some help: SonarLint - Sonar Community

Q: Is there auto-analysis for compiled languages? Or is it relying on build wrapping for many years?
A: Two things here:

1- Sonar build-wrapper is not the only way to analyze C/C++/Objective-C projects anymore, you have the compilation database option now.

2- Yes, the SonarCloud and the Sonar language teams are working hard to bring automatic analysis for every project and language: https://portal.productboard.com/sonarsource/1-sonarcloud/c/442-automatic-analysis-for-c-and-c-on-github

Q: How do we enforce linting (e.g. indentation) and get it reported during the PR review process?
A: Sonar supports many linters out of the box: https://docs.sonarcloud.io/enriching/external-analyzer-reports/

Q: Can we add our company organization C standard rules in SonarLint?
A: No, that is not possible, but feel free to promote the feature on the SonarLint roadmap portal: https://portal.productboard.com/sonarsource/4-sonarlint

Q: How many performance-related code review items are covered by Sonar? Any examples of such code review suggestions?
A: Sonar rules are tagged. You may take a look at the ‘performance’ tag for the rules on your languages of interest, e.g. for Java here: https://rules.sonarsource.com/java/tag/performance

Q: What standards does SonarLint support? (e.g. MISRA)
A: SonarLint implements an ever-increasing subset of the Sonar rules. On each rule page on the https://rules.sonarsource.com/ site, you’ll find the support information.
As an example, the C++ rule S5302 (https://rules.sonarsource.com/cpp/tag/misra-c++2008/RSPEC-5302) is applied by all Sonar solutions.

Q: Using SonarLint locally on a dev machine but connected to a shared company SonarQube, would it count as lines of code for total costs?
A: SonarLint is completely free to use. The lines of code are counted for the largest branch in each of your repos if you are on a commercial edition.

Q: Will SonarCloud and SonarCloud have a connection to any AI chat to help clean the code faster with a specific solution for the application? At the moment we receive an example of what the issue is. A specific fix would cut the cleaning time.
A: Did you try SonarLint and the quick fixes directly in your IDE? Every detected defect is raised with extensive documentation about how to fix it. And Sonar may help with AI if we find it useful for remediation time.

Q: How can I use the Community Edition of SonarQube in my Swift project?
A: The Sonar Swift analyzer is not open source; you need a subscription to SonarQube or SonarCloud to benefit from it.

Q: When will the Sonar Swift plugin be available in the Community Edition of SonarQube?
A: The value of the free, open source Community Edition is constantly increased, and we have no plan to make the Swift analyzer open source at the moment.
SonarQube Developer Edition includes Swift analysis and starts at $150 a year: Plans & Pricing

Q: Static analysis has a high chance of false positives; what is your opinion about this?
A: This Sonar blog post about false positives might interest you, take a look: False positives are our enemies, but may still be your friends

Q: Can SonarCloud scan the code of all our repositories by itself, or do we have to integrate sonar-scanner in our build pipelines?
A: If you are on GitHub, you will benefit from SonarCloud Automatic Analysis: https://docs.sonarcloud.io/advanced-setup/automatic-analysis/

Q: If I have already set quality gates on SonarCloud and SonarQube, how can I connect the same to SonarLint plugin installed in my IDE?
A: Just set up SonarLint connected mode, and SonarLint will align its Quality Profiles with your project’s. SonarLint does not compute any Quality Gate status.

Q: How does Clean Code ensure that the code will not rot as it scales?
A: Unmaintained projects and sources will eventually ‘rot’ after a while. Active projects and code bases won’t, thanks to Clean As You Code.

Q: On which basis do rules move to deprecated rules?
A: Code analysis and coding standards evolve over time, and so do Sonar rules.
If the rule description does not describe why it got deprecated, feel free to raise your question on the SonarSource community: https://community.sonarsource.com/

Q: Will the SonarQube Community edition be sufficient for code analysis?
A: Sonar is a strong community-first company, so the Community Edition is very powerful for code analysis. However, our commercial editions provide even more in-depth analysis for injection vulnerabilities and also support additional languages like C/C++. Take a look here for more info.

Q: When establishing what our quality gate(s) should be, what are some of the main things we should consider? (i.e. programmatic, technical, application related)
A: The default built-in Quality Gate is 100% Clean As You Code compliant, and targets all the indicators of Clean Code.

Q: When talking about New Code, what about vulnerabilities in that last 40% of code, do they have to be addressed?
A: We believe the new ones, in the New Code, are always more important than the ones that are already part of the production code (and passed all your other Security tests).
This said, all teams should be able to raise the bar at some point, and targeting vulnerabilities in all the code is a standard evolution for Quality Gates.

Q: If we connect SonarLint to Sonar server, (on premises or on cloud), would the result of SonarLint be same as of Sonar server or would there be some difference?
A: SonarLint is your first line of defence against bad code, but we did not find a way (yet) to have it always raise the same issues in your IDE as SonarQube or SonarCloud.

SonarQube or SonarCloud should remain your source of truth regarding static code analysis results.

Q: How do we convince people who aim to write performant code instead of clean code?
A: Non-performant code cannot be clean; as explained by Peter in the webinar, ‘clean’ should encompass all your code standards.