If you couldn’t make it to our live webinar, you can still watch it on-demand by clicking here!
Q. Do you provide commad line utilities to analyze our code locally which is written in an IDE not supported by SonarQube?
A. Command-line utilities exist (our “scanners”), and always require submitting the analysis results to SonarQube/SonarCloud for processing. We think this is important because the UI offers necessary context (for example: what code is old/new) that can be shared across a team. We’d love to know from you what IDE you’re using that SonarLint doesn’t support in our Community (Product Manager for a Day - Sonar Community).
Q. We use a web front-end builder which requires JS code in provided inside specific HTML tags. This confuses the Sonar code scanner. Is there an easy way to put code through a pipeline to strip out these tags before analysis?
A. We hope you don’t have to process your code to be scanned by Sonar. I’d encourage you to raise a topic in this community that shows the kind of code that confuses the scanner, and what error/unexpected behavior you receive.
Q. Do you support infrastructure as code?
A. Sonar supports Terraform, CloudFormation, and Kubernetes.
Q. Does Sonar integrates to AWS CodeCommit / AWS Pipeline?
A. No official integration with AWS CodeCommit at the moment, that said you can use SonarCloud with any SCM, you will just need an account on Github, GitLab, Bitbucket or Azure DevOps to login and then you can setup your projects manually using any ALM or CI. But you won’t benefit from any ALM integration features like PR decoration or easy import of project. AWS themselves have published a blog regarding integration..
Q. Can Sonar scan Oracle forms?
A. Sonar supports the analysis of PL/SQL!
Q. What are the limitations of the free version of SonarQube for NodeJs based Project?
Q. Can we have a tutorial of how to configure quality gate in existing code?
A. When configuring a new or existing Quality Gate, you can choose whether your conditions apply to New Code or Overall Code – It’s that simple!
Q. Can SonarQube be integrated to Azure cloud deployments using Jenkins ? Also, is it open source or a paid feature?
A. Jenkins (Pipeline) + Azure DevOps (SCM) is a supported configuration, and we reccomend (insist, rather) that you use the SonarScanner for Jenkins plugin. You can learn more about our Plans & Pricing as well our open-source (free) solutions.
Q. Do you recommend SonarQube for automation testing team?
A. Sonar is built by developers, for developers. Is your test automation team writing code in one of Sonar’s supported languages? Then it absolutely can benefit your team. Sonar also imports test coverage results – So the work of an automation testing team that produces test coverage reports can be imported into Sonar to track these metrics over time (or prevent releases if there’s not enough test coverage).
Q. What is the advantage of SonarLint over the Sonar analyzer nuget?
A. SonarLint provides the ability to get some immediate feedback right in your IDE as you type, Quick Fixes, and the ability to connect to SonarQube/SonarCloud to sync your configuration. More here.
Q. Can you explain a bit about SonarQube connected Visual Studio plugin?
A. Click here to learn more about SonarLint for Visual Studio
Q. With the evolution of linting (particularly for es6/typescript), which will often even fix your broken code automatically, how does Sonar compare? Or, how does it work in conjunction with linting?
A. SonarLint offers Quick Fixes for many languages/rules, with more being delivered with each release, and results of linting tools can also be imported to SonarQube/SonarCloud by importing external issues.
Q. Will SonarLint give me exactly the same amount of findings as SonarQube, or are there any differences?
A. There can be some differences, which you can learn about here: Frequently asked questions.
Q. Do you support ansible YML, Lambda and Groovy scripts as well?
Q. What is the difference between SonarQube and SonarCloud?
A. SonarQube is self-hosted, while SonarCloud is Sonar’s SaaS offering. Both share the same core analysis engine, but have features that fit different use-cases (SonarCloud focuses on integrations with managed DevOps Platforms, while SonarQube fits use-cases of larger enterprises, like reporting).
Q. What is the difference between SonarQube and Sonar Scanner?
A. SonarQube (and SonarCloud) are Web Applications where reports from the SonarScanner are submitted for processing, and where teams can view analysis results.
Q. Also are you able to track bad practices that are related to development such as too many branches, too many microservices…all do matter as part of clean code maintanablity of the code…
A. Sonar focuses on the source code of your application, rather than other external factors.
Q. In regards to Quality Gates - does New Code by previous version only consider the code added or modified by the developers pull request or does it scan the entire repository with the new changes?
A. Until recently, a full scan of a repository for each new analysis. We are gradually supporting incremental analysis first in the context of pull request analysis, and then later branch analysis (including the main branch). This is more complicated than it might sound – As changes in one file can influence issues raised in another.
Q. Is Sonar the best static analyzer for C programming?
A. We have a strong offering for C/C++ – Matched with our Clean Code Methodology.
Q. How does Sonar keep up to date with the latest vulnerabilities? For example, if a new vulnerability comes out tomorrow, will my codebase get scanned for that new vulnerability?
A. Sonar focuses on scanning your source code – And its analysis engine knows about various kinds of vulnerabilities (XSS, SQL injection, etc…). When referring to “latest vulnerabilities”, folks are often referring to vulnerabilities in dependencies (a library containing a new CVE). This falls under the scope of SCA (Software Composition Analysis) and is not what Sonar detects – Sonar focuses on the source code your developers are writing.
Q. We have a microservices architecture and for the quality process we have to generate quality reports, could we have them through SonarQube?
A. Sonar just needs a local copy of the source code in order to perform analysis – and even offers support for Monorepos if you have multiple projects living in the same repository.
Q. Is Sonar going to have out of box, MR code comments for sonar issues different source controls (gitlab, github etc)?
A. Pull/Merge Request Decoration is available both on SonarCloud (free for open-source projects) and SonarQube (starting in Developer Edition). Sonar supports cloud and self-hosted flavors of Bitbucket, GitHub, Azure DevOps, and GitLab.
Q. Is there any application of Sonar in low code platform as well, like Salesforce and Copado?
A. Today, Sonar doesn’t specifically support any low-code platforms. You can find the list of languages that Sonar supports here, which includes Apex : https://www.sonarsource.com/knowledge/languages/.
Q. Doesn’t GitHub have these kind of code checks (security, vulnerability etc?)
A. GitHub only has security checks (and nothing else that Clean Code covers), and this is available only with their higher end "Advanced Security“ tier.
Q. How are the rules defined?
A. Through discovery: Our product teams (engineers and product managers) are looking at all the pain points that developers are facing while coding, and this is how they discover where we can bring value. This is how, for instance, a huge effort was made on Regular Expression rules: It was obvious that almost every developer faced, at least once in their lives, problems while writing proper regular expressions. As you can imagine, this is just one example out of many topics that make sense for developers, and we organize and prioritize based on where our impact will be the most important.
Did you have a technical question during our Q&A? Is there something else you’d like to know about Sonar? You’re already in the right place - Sign up and post a new topic!