Hi everyone,
Thanks to all who attended our webinar! You can now find the questions asked during yesterday’s session:
Clean as You Code
Q: We use SonarQube in our team, I like Clean as You Code. Is there any other way to get other teams on board with implementing static code analysis?
A: Yes, both SonarCloud Enterprise and SonarQube Enterprise offer integrations with multiple DevOps platforms so if your different teams use different DevOps platforms, it’s possible to run in a single instance. Furthermore, both Enterprise offerings have visibility across your whole portfolio with portfolio-level reporting on the status of each project in the portfolio.
Q: While focusing only on new code, what about if serious problems, such as issues related to CVEs come up on old code?
A: We recommend one strategy, Clean as You Code. By focusing on a manageable chunk, new code, over time you will touch legacy code by nature of how software development works. In 3-5 years you’ll have replaced at least 50% of your legacy code with Clean Code.
SonarLint
Q: Is SonarLint free for Enterprise customers?
A: It’s free for everyone!
Q: If I have SonarLint, do I still need SonarQube?
A: Yes, SonarLint analyzes the current code you’re working on, but does not have the ability to detect deeply hidden issues such as those revealed with taint analysis. SonarCloud and SonarQube traverse your whole codebase simulating how the application behaves to find deeply layered issues. Plus with both SonarLint and SonarCloud or SonarQube in connected mode, you will find more value with them working together. https://www.sonarsource.com/products/sonarlint/features/connected-mode/
Q: If I am running SonarLint in Visual Studio with SonarQube in our Pipeline, will that reduce the amount of Code Smells SonarQube finds in a PR?
A: If you fix the ones SonarLint finds before you commit, yes.
Languages and rules
Q: Do you have rules for Salesforce programming language, Apex?
A: We do have Apex rules, as well as Salesforce-specific JS rules. Here are the Apex rules: Apex static code analysis
Q: Do you have security rules for the C language in the Community Edition of SonarQube?
A: You’ll find our C rules listed here, but C analysis is only available in commercial editions: C static code analysis | Vulnerability
Q: What is the best way to get code coverage for Java?
A: The docs should help: Java test coverage
Q: Does SonarQube support scanning Common Lisp code? If not, can custom rules be defined for .cl files?
A: We don’t support Lisp. You would need to create a custom language plugin for that. If you want to pursue that, feel free to drop specific coding questions in the community: https://community.sonarsource.com
Q: How can I choose the best rules related to security? Are there any specific rule tags related to security that you recommend looking for?
A: A great start is to just trust what’s in the Sonar way profile for your language. Rules that aren’t on by default (i.e. omitted from Sonar way) are going to be situation-specific, so read their descriptions to see if they apply to your case.
General
Q: How do I protect sensitive code that’s analyzed with SonarQube or SonarCloud and SonarLint?
A: This sounds like a question about who can see source code after analysis. That’s a question of project permissions. Make sure Browse is restricted to only people who should see the code.
Q: Can I get a real-world demo or full tutorial of using an Azure DevOps pipeline with SonarCloud using Quality Gates?
A: It sounds like you’re looking for a sales demo.
Drop us a line here: Plans & Pricing
Q: Is there another presentation where there is a demo of SonarQube for different use cases?
A: Check our YouTube channel for some of our other videos. https://www.youtube.com/@SonarSource
Q: How are lines of code calculated for license purposes?
A: Lines of code are based on what’s found in analysis. The docs should help: SonarQube Lines of Code
Q: Are there licenses appropriate for one-person companies or small startups?
A: Licenses are lines-of-code-based, not seat-based, so you’ll only pay for as much code as you’re analyzing, whether your company is large or small.
Q: Do we need an internet connection for our SonarQube Enterprise server to do SAST?
A: Your build agents need to be able to talk to your SonarQube server, and it, in turn, needs to be able to talk to your DB. All of that can happen without necessarily needing to talk to the Internet.
Q: In the presentation, you label AI generated code as dangerous, accelerating disorder, etc. I think you are wrong. I am using SonarCloud and I see a decrease in alerts in generated code. And for the last 6 months AI code is generated with high quality. I know how I can pre-configure in my IDE code generation according to clean code rules, with vulnerability flagging and so on. Sonar products are genial for non AI development. What Sonar offers for AI-assisted development: preset hints, some assistant customization instructions, etc.?
A: I didn’t use the word “dangerous”! I don’t see AI-generated code as any more dangerous than human-created code. After all, AI-generated code is based on LLMs trained on human-created code in the public domain. So AI generated code is just mimicking what humans do. Humans do make mistakes and have issues with their code, and so does AI-generated code. What I did say is that AI coding assistants are incredibly useful and help developers double the speed at which they write code. As a result, the number of issues in the CI/CD pipeline will increase with the use of AI coding assistants. This means it’s even more critical for developers to leverage a static analysis tool like SonarCloud and SonarQube as a tool to reduce the increasing issues in the CI/CD pipeline.
Q: Which products provide vulnerability scan functionalities?
A: SonarCloud and commercial editions of SonarQube provide taint analysis.
Q: How accurate is SonarQube in securing code (old & new)?
A: SonarCloud and SonarQube are industry leaders in accuracy with the best true positive rate (amount of correctly identified issues) and the lowest false positive rate (amount of incorrectly identified issues). We have benchmark testing publicly available as GitHub projects in which we show we are meeting or beating our high-level set standard for accuracy.
Q: Can we export security reports with the SonarQube Community Edition?
A: Security reports start in Enterprise Edition, and taint analysis is only available in commercial editions (including Developer Edition).
Q: I know that Sonar tools support CWE since 2015. What about the recommendations from OWASP-Top10?
A: We do have rules that map to the OWASP Top 10. Check the tags on the rules page, and take a look at the security reports (in Enterprise Edition).
Q: Any plans to support the generation of SBOM from SonarQube Scans to establish the code dependencies, a bonus would be the integration with JFrog Xray and JFrog Advanced Security.
A: We will be able to offer a solution through a partner for your SBOM requirements. More to come soon.
Q: Recently, I’ve been trying to perform SCA on a project, but sonar solutions skip/ignore everything related to the .NET framework (.cs code files). Do you have resources to help in this situation? Community Q&A doesn’t have a straight solution to it…
A: We will be able to offer a solution through a partner for your SCA requirements. More to come soon.
Q: We presently use Jacoco, any information on that?
A: SonarCloud and SonarQube have an integration with Jacoco to provide info on code test coverage, which is included in the quality gate as part of your pass/fail criteria.
Q: Are there any resources or information about how to create our new set of rules(plugins)?
A: Info on how to build a custom rule: Adding coding rules
Info on how to develop a plugin: Plugin basics
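The SonarLint answer above makes the point that a tool looking only at the code in front of you cannot see a taint flow whose source and sink live in different functions or files, while a whole-codebase analysis can. The script below is an added illustration of that difference and is not Sonar's code or a description of how its analyzers work. It runs a deliberately tiny taint propagation over two constructed modules (the `MODULES` dict, the `SOURCES`/`SINKS` sets and the function names are all made up for this example): `local_scan` analyzes each function in isolation, as a per-file checker would, and `whole_program_scan` follows tainted arguments across the call from `handlers.py` into `util.py`.

```python
import ast

# Constructed sample "codebase" for this example. The untrusted value enters in
# handlers.py and only reaches the dangerous call inside util.py.
MODULES = {
    "handlers.py": '''
from util import run_report

def report(request):
    name = request.args.get("name")
    return run_report(name)
''',
    "util.py": '''
import subprocess

def run_report(report_name):
    cmd = "report-tool " + report_name
    return subprocess.run(cmd, shell=True)
''',
}

# Hypothetical source/sink lists; a real analyzer ships a much larger catalogue.
SOURCES = {"request.args.get"}
SINKS = {"subprocess.run"}


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def is_tainted(expr, tainted):
    """Conservatively treat an expression as tainted if it reads a tainted
    variable anywhere inside it or calls a known taint source."""
    for sub in ast.walk(expr):
        if isinstance(sub, ast.Name) and sub.id in tainted:
            return True
        if isinstance(sub, ast.Call) and dotted(sub.func) in SOURCES:
            return True
    return False


def analyze_function(fn, tainted_params):
    """Intra-procedural pass. tainted_params are positional parameter indexes
    the caller passed tainted data into. Returns (sink hits, callee -> tainted
    argument indexes) so a caller can continue the analysis across calls."""
    tainted = {fn.args.args[i].arg for i in tainted_params}
    while True:  # propagate assignments to a fixed point (order-independent)
        before = len(tainted)
        for node in ast.walk(fn):
            if isinstance(node, ast.Assign) and is_tainted(node.value, tainted):
                tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        if len(tainted) == before:
            break
    hits, calls = [], {}
    for node in ast.walk(fn):
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            idx = {i for i, a in enumerate(node.args) if is_tainted(a, tainted)}
            if name in SINKS and idx:
                hits.append(name)
            elif idx:
                calls.setdefault(name, set()).update(idx)
    return hits, calls


def functions(modules):
    """Map top-level function name -> (file, FunctionDef) across all modules."""
    table = {}
    for path, src in modules.items():
        for node in ast.parse(src).body:
            if isinstance(node, ast.FunctionDef):
                table[node.name] = (path, node)
    return table


def local_scan(modules):
    """What a function-at-a-time analysis sees: no caller context, so the
    parameter of run_report is never known to be tainted."""
    findings = []
    for name, (path, fn) in functions(modules).items():
        hits, _ = analyze_function(fn, set())
        findings += [(path, name, sink) for sink in hits]
    return findings


def whole_program_scan(modules, entry="report"):
    """Start at the entry point and follow tainted arguments across function
    and file boundaries using a worklist of (function, tainted params)."""
    table = functions(modules)
    findings, seen = [], set()
    worklist = [(entry, frozenset())]
    while worklist:
        name, params = worklist.pop()
        if name not in table or (name, params) in seen:
            continue
        seen.add((name, params))
        path, fn = table[name]
        hits, calls = analyze_function(fn, params)
        findings += [(path, name, sink) for sink in hits]
        worklist += [(callee, frozenset(idx)) for callee, idx in calls.items()]
    return findings


if __name__ == "__main__":
    print("per-function view:", local_scan(MODULES))
    print("whole-program view:", whole_program_scan(MODULES))
```

The per-function view reports nothing, because inside `util.py` alone `report_name` is just a parameter with no known origin; the whole-program view reports the `subprocess.run` sink in `run_report` because it carried the taint from `request.args.get` through the call in `handlers.py`. That gap is exactly what the connected-mode recommendation above is about: the editor-side tool catches what is visible in the file, and the server-side analysis of the full codebase supplies the cross-file findings.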