Hello everyone,
Thank you to all who joined our session yesterday! Please find below the transcript of the webinar Q&A.
Q: How does Sonar manage Clean Code now, in the Generative AI era?
A: This is exactly the topic of the webinar. Sonar’s solutions, consisting of SonarQube and SonarCloud integrated into the Continuous Integration (CI) pipeline alongside SonarLint in the IDE, help catch and fix issues as the code is being generated by AI or written by a developer. We have a web page that talks about Clean Code in the Age of Generative AI. You can find out more here: AI Generated Code in Software Development & Coding Assistant
Q: Is there any upcoming plan to add a reporting feature in SonarCloud?
A: Yes, we are working on adding more enterprise capabilities and features in SonarCloud and reporting is on the roadmap. It will be added in an upcoming version of SonarCloud. The target is this year.
Q: Do you think Clean Code will stop being so relevant in the programming pipeline since Sonar tools are close to making it almost automatically with the help of AI?
A: No, the relevance of Clean Code will remain significant. Clean Code includes more than just detecting technical issues; it involves writing code that is easy to understand, maintain, and extend by humans. We believe these approaches will remain complementary.
Q: Does SonarQube support scanning referenced libraries (e.g., open source NuGet packages) in C# projects for vulnerabilities, or does it only scan the project’s code?
A: SonarQube discovers issues in the code you own, not so much in third-party public libraries. SonarQube commercial editions do come with deeper SAST that can help find deeply hidden security issues that arise from the interaction of user code with open-source libraries. If you are interested in uncovering CVEs, or publicly disclosed vulnerabilities in third-party code, then I would suggest using this extension: GitHub - dependency-check/dependency-check-sonar-plugin: Integrates Dependency-Check reports into SonarQube
Q: If more AI-generated code is checked in and analyzed by LLMs, is it then considered better?
A: SonarQube is not leveraging LLMs. Checking the code is done using rules. As the set of projects used to train LLMs (the dataset) is corrected, LLMs will output more correct code. Rules-based analysis and LLM-driven analysis can be considered complementary. Additionally, writing clean code also includes writing code that is easy to understand, maintain, and extend by humans. This part is not something that LLMs can help much with currently.
Q: How do you define “churn” and what’s the problem with it?
A: “Churn” refers to the frequency at which code is modified, reverted, or changed over time. It measures the rate at which developers make alterations to code files. Higher churn is counterproductive in most cases and indicative of instability in the code base.
Q: Is there any plan for insight to Code Churn within SonarQube?
A: Today, you can learn about churn in your code base by looking at the historical code analysis results. We are looking to improve this. Code Churn is something that may impact architectural technical debt too. Today, Sonar products don’t handle architectural technical debt, but it’s something we’re investigating.
Q: This is good, however, why can’t we “shift left” this further? Instead of having 2 products, i.e., GitHub Copilot + Sonar, won’t it make more sense and savings to get these all part of the AI-generated code in the first place? Ideally Sonar products should be available as features within Copilot.
Also, there is still the question if we can trust the suggestions from Sonar if we use it independently (aka do you also have a similar disclaimer in your documentation like GitHub?)
A: This is a use case we would like to explore, to better integrate SonarLint and tools like Copilot. When it comes to trusting the suggestions, our approach is that developers should make the decision right based on the contextual knowledge they possess. Tools do not have complete knowledge of the context and requirements and should only offer suggestions. Sonar helps you understand how a result is being produced with rule-based SAST for instance. It is harder to do so with results produced by LLMs.
Q: Can you explain the difference between SonarLint and SonarCloud?
A: SonarLint operates in your IDE to show you issues in your local code and how to repair them as you write code. SonarCloud operates in your CI pipeline to ensure the entire code base of your app meets a specified standard before your build automation is triggered.
Q: How many rules can be checked by SonarLint?
A: It depends on the language, you can find more information here: https://rules.sonarsource.com/. Also, rules related to the discovery of advanced security flaws are not available in SonarLint.
Q: Does Sonar support VBSCRIPT language?
A: The closest we support are VB6 and VB.NET.
Q: How can SonarLint and SonarQube work together?
A: SonarLint is a free companion app for SonarQube and can be connected to SonarQube to pull in quality profiles from SonarQube. SonarLint in IDE catches issues in real time as you work on your local code files. When the code is checked into a branch, a full analysis or pull request analysis on SonarQube gives you an overall report of your code quality. Advanced bug detection and deeper security analysis can only happen on the server side. Together SonarLint and SonarQube help you produce code that is secure, reliable, and maintainable.
Q: Is it possible to run SonarQube as a container in our cloud?
A: Yes, it is possible, please have a look here for Kubernetes: Deploy SonarQube on Kubernetes
Otherwise, we also publish official Docker images: Docker
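As an added example (not part of the webinar transcript or Sonar’s own documentation), a minimal Docker Compose file that runs the official `sonarqube` image against a PostgreSQL container, which is the persistent-database setup the product expects. The database name, user and password below are placeholders you must change; the port mapping is bound to loopback on purpose so the instance is not exposed beyond the host until you put TLS and authentication in front of it.

```yaml
# Added example: SonarQube Community Build behind a PostgreSQL database.
# Assumptions (not from the webinar): credentials are placeholders, and the
# host has run `sysctl -w vm.max_map_count=524288`, which the embedded
# Elasticsearch requires to start.
services:
  sonarqube:
    image: sonarqube:community
    depends_on:
      - db
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      SONAR_JDBC_PASSWORD: change-me-before-deploying   # placeholder
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
    ports:
      # Loopback only: reach it via a reverse proxy that terminates TLS,
      # rather than publishing port 9000 on every interface.
      - "127.0.0.1:9000:9000"

  db:
    image: postgres:15
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: change-me-before-deploying   # must match above
      POSTGRES_DB: sonar
    volumes:
      - postgresql_data:/var/lib/postgresql/data

volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  postgresql_data:
```

Start it with `docker compose up -d`, then log in once on http://127.0.0.1:9000 and immediately replace the default admin credentials; the first-run wizard prompts for that. Keep the three `/opt/sonarqube` volumes on persistent storage, otherwise analysis history (and the churn view mentioned above) is lost when the container is recreated.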
Q: Does SonarLint support the C++ language? Does it use its own static analysis tool or other third-party tools?
A: Yes, it does, using its own static analysis tool: C++ static code analysis
Q: Is it possible to configure SonarLint with the same rules that SonarQube runs during CI, so that code commits themselves can take care of the issues before waiting for SonarQube to report them?
A: SonarLint is not a replacement for SonarQube. Pre-commit analysis is not available. Please have a look at connected mode to sync rules locally with the ones set at the SonarQube instance level: Connected Mode - IntelliJ
Q: Our org uses SonarCloud (integrated with the CI pipeline). In the review panel, I have seen a few false positive cases. How do we handle those cases, and if we need to report them, how do we do it?
A: If you believe that it is a false positive, you may have the permission to change the status of such an issue. If you don’t, then someone in your team or who is reviewing the code should have this permission.
Q: Is there a separate plugin for Sonarlint to work with CoPilot?
A: No, SonarLint works well with GitHub Copilot already.
Q: What is CaYC?
A: The CaYC mentioned in the presentation means Clean as You Code, the methodology fueling our solution: Clean as You Code & SonarQube
Q: Does SonarLint implement the same rules as SonarQube?
A: Hello, if a commercial edition of SonarQube is being used, then only a subset. With connected mode, the set of rules is synced, but only a full Sonar scanner run can find advanced security flaws. These extra results are then imported back into the IDE with connected mode: Connected Mode - IntelliJ
Q: How is SonarLint different from other static analysis tools? Is there a specific aspect of AI-generated code that it takes into account?
A: Our scanners, which are used by SonarLint, SonarCloud, and SonarQube, analyze all code, both human-generated and AI-generated. Since AI-generated code is based on human-created code, it can make the same mistakes as humans do. What makes us different from other tools is the breadth and depth of our language coverage and the maturity, speed, and accuracy of our analyzers.
Q: Does SonarLint work by a generic rules set or does it get the context by reading the whole code?
A: It works with rules specific to the language that is being used in your local code.
Q: What is your experience with Github Copilot fixing the issues that are detected by SonarLint? Does it do a good job?
A: Yes, SonarLint provides real-time feedback by finding issues in both Copilot-generated code and developer-written code. We have seen that SonarLint code analysis immensely helps identify code quality issues, bugs, and vulnerabilities introduced by AI-generated code. Additionally, it also suggests improvements to adhere to best practices and coding standards. To get the maximum benefit, we recommend connecting SonarLint with SonarQube/SonarCloud and doing a deeper analysis of your entire code base rather than just local files in the IDE.
Q: From a Sonar perspective, it’s all just code right, whether it’s human-generated or AI-generated? I don’t think Sonar sees any distinction, right?
A: Indeed, it is all code and it won’t see the distinction between human-generated and AI-generated code.
Q: What about generating code based on your existing project/code (as a template)? This is something you would often need to do in an existing project. For instance, a “people” functionality based on an existing “dogs” one.
A: It would be a task for a Gen AI / LLM-code-related tool. SonarLint does not provide code generation capabilities at the moment. SonarLint helps you improve the code by finding issues and suggesting fixes.
Q: Is it possible to run SonarQube in Azure pipelines?
A: Hello, yes, it is possible: Azure DevOps integration
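As an added example (not from the webinar or Sonar’s documentation), an Azure Pipelines YAML fragment using the three tasks shipped by the SonarQube extension from the Visual Studio Marketplace, which must be installed in the organization first. The service connection name `SonarQube`, the project key and the `npm` build steps are assumptions for illustration; the analysis token lives in the service connection, not in the pipeline file.

```yaml
# Added example: SonarQube analysis in Azure Pipelines.
# Assumed names: service connection "SonarQube", project key "my-project",
# a Node.js project built with npm. Adjust to your repository.
trigger:
  branches:
    include:
      - main

pr:
  branches:
    include:
      - main        # run on pull requests so PR decoration works

pool:
  vmImage: ubuntu-latest

steps:
  # Prepare must run before the build so the scanner can hook the compile
  # step for compiled languages; for CLI mode it only stages configuration.
  - task: SonarQubePrepare@5
    inputs:
      SonarQube: 'SonarQube'          # service connection holding the token
      scannerMode: 'CLI'
      configMode: 'manual'
      cliProjectKey: 'my-project'
      cliProjectName: 'My Project'
      cliSources: '.'
      extraProperties: |
        sonar.exclusions=**/node_modules/**
        sonar.javascript.lcov.reportPaths=coverage/lcov.info

  - script: |
      npm ci
      npm test -- --coverage
    displayName: 'Build and test'

  # Runs the scanner with the configuration staged by Prepare.
  - task: SonarQubeAnalyze@5

  # Waits for the server-side quality gate result and publishes it
  # on the build summary; pollingTimeoutSec bounds that wait.
  - task: SonarQubePublish@5
    inputs:
      pollingTimeoutSec: '300'
```

Use `npm ci` rather than `npm install` so the lockfile is honoured and the dependency set the scanner sees is the one you reviewed. The Publish task reports the quality gate status; whether a failed gate should block the merge is then enforced with a branch policy on the pull request, which is configured in Azure DevOps rather than in this file.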
Q: What about the software review process? Will it be reduced? if yes, do you have any data to indicate?
A: No, code reviews are becoming more important and should be part of your development process. With the amount of code being developed using AI code generators, it is imperative to have a review process in place using products such as SonarQube and SonarLint.
Q: What GenAI code generation options are available for DevOps and IaC automation? Like Docker, Ansible, Helm, Terraform, etc.?
A: Code generation tools are probably trained with datasets containing IaC code. If that is the case, they should be able to generate IaC-related code. You will need to test the AI coding tools to see how well they support IaC. Sonar can support scanning of Terraform, Helm, etc.
Q: Does the code in my project remain private to me, or is it shared for training or other purposes?
A: Yes, it is your code. We do not use it for any ML/AI training purposes.
Q: How do we generate the code report from SonarQube?
A: SonarQube Enterprise Edition has rich dashboards and reporting. You can get a high-level overview of the code quality and security of your projects, applications, or portfolios. PDF reports
Q: Does Sonar support multi-threaded code?
A: Hello, for some scanners, like C++, it is multithreaded.
Q: Is SonarLint free?
A: Hello, yes. https://www.sonarsource.com/products/sonarlint/ide-login/
Q: In the demo, I saw SonarLint suggesting code changes, does that work only if we have CoPilot?
A: SonarLint has a quick fixes feature on its own, which works without CoPilot. See here: https://docs.sonarsource.com/sonarlint/intellij/using-sonarlint/fixing-issues/#quick-fixes
Q: Can we generate the code quality report?
A: Yes, SonarQube has rich dashboards and reporting. You can get a high-level overview of the code quality and security of your projects, applications, or portfolios. PDF reports