[Webinar] Everything you need to know about SonarQube

Hello everyone,

We are happy to announce we will be hosting a webinar on SonarQube on June 12th.

Join @ganncamp so you can learn Everything you need to know about SonarQube!
Whether you’re unsure where - or even if - to start your SonarQube journey or if you are searching for best practices, in this webinar you’ll walk through some common pitfalls in getting started with SonarQube the server, and with SonarQube analysis.

Don’t miss it!

Title: Everything you need to know about SonarQube
Date and Time: 2024-06-12T15:00:00Z
Speaker: G. Ann Campbell, Community Manager

Register now!

Interested in the topic, but can’t make it to our live session? Register here, and receive a recording of the webinar after the event!

Hello everyone,

Thank you to all who attended our session on Wednesday. Below are the questions that were asked during the webinar.

Q: I am taking over a SonarQube setup in AWS at my company. We are considering moving to SonarCloud to reduce maintenance/cost. Are there any things we need to consider that may be missing in SonarCloud compared to SonarQube?

A: At the moment, in terms of features, SonarCloud roughly equates to SonarQube Developer Edition (SQ DE). We are currently working to add Enterprise Edition-equivalent features to SonarCloud. More information on current functionality here: Plans & Pricing

Q: In which directory web.log is found?

A: Where SonarQube is located, under <SONARQUBE_INSTALLATION_DIRECTORY>/logs/. Logs can also be downloaded from the Web UI, under Administration > System > Download Logs

Q: Does Enterprise SonarQube support Aurora PostgreSQL for data set up?

A: Although it is not explicitly listed here (Database requirements & SonarQube), yes it is supported because it’s a version of Postgres.

Q: What is the difference between SonarQube and SonarCloud? Do both provide the same features? Also, how are License Lines of Code calculated?

A: SonarQube and SonarCloud have some different features depending on the edition. Details about how we calculate LOC can be found here: https://docs.sonarsource.com/sonarqube/LATEST/instance-administration/lines-of-code/

Q: But for Maven and Gradle projects, SonarQube builds the project with no need for a separate Build step. Is that correct?

A: You must run the build before analysis. SonarQube will not do that for you.

Q: Does SonarQube support tracking the use of open-source dependency libraries and licenses?

A: No, SonarQube does not have Software Composition Analysis (SCA) today.

Q: My application was built using Java JDK8 but the Sonar server version is above the required JDK11. How to overcome this challenge? I want to build JDK8 and Sonar analysis done by sonar version above 10.

A: Either you can run the steps of your pipeline with different versions of Java, or you can run the entire thing with Java 11 (Java 17 for the latest versions) and compile to a 1.8 target.

Q: When we try to run analysis, we are getting an incompatible class version error for 52.0 versus needing class version 55.1

A: Likely because the Java requirement is not met. Our scanners and Sonarqube instances require Java 17 / OpenJDK 17. Upgrade the Java version on your build agent.

Q: What are some things to look for when Coverage is 0%?

A: Coverage is not computed by Sonar itself. It has to be generated by a language-specific tool and then imported as part of analysis. See here for an example: windows-msbuild-vscoverage-azure-sc/azure-pipelines.yml at a5e7c671884850d4371f00773494ee57e70c26e4 · sonarsource-cfamily-examples/windows-msbuild-vscoverage-azure-sc · GitHub

Q: I don’t believe the Sonar REST API exposes coverage exclusion parameters - am I missing something? Or can this be made available?

A: For code coverage exclusions, please have a look here: Narrowing the focus with an analysis scope

Q: What is the Maven option to use to apply a different Quality Gate than the default to an analysis?

A: The Quality Gate cannot be overridden at the analysis level, but is configured at the project level. Please review the documentation here: quality gates

Q: Can I use a single sonar.projectkey for all my pipelines? (thus automating the creation of new pipelines/api)

A: No. The sonar.projectKey value must be unique per project.

Q: I am using ADO for my JavaScript/TypeScript-related scanning and am looking for something to take care of VisualBasic.Net code. Can I send a build-up into a specific folder so that my pipeline doesn’t have to ‘build’ the application on the fly?

A: You can certainly target a subset of a project for analysis, but you’ll need to build your .NET code as part of the analysis.

Q: I am integrating SonarCloud with my Android project and do have organisation-based access. From the documents what I understand is only one of the modes (CI/Automatic) could be enabled at a time. In case the automatic analysis is enabled is there anything else to be set up? Do we need to include the task in the workflow?

A: It is correct that only one of the two modes can be enabled at a time. If automatic analysis is setup, nothing else is needed. No task has to be included in the workflow. And it’s worth noting that antumatic analysis does not, by its nature, include your test coverage data.

Q: How do you get the Quality Gate results in your pipeline when using sonar.qualitygate.wait=true?

A: For Gitlab, that’s part of the integration, and usage is detailed in the docs: https://docs.sonarsource.com/sonarqube/latest/devops-platform-integration/gitlab-integration/#configuring-your-gitlabciyml-file[.](https://docs.sonarsource.com/sonarqube/latest/devops-platform-integration/gitlab-integration/#configuring-your-gitlabciyml-file.)

Q: We want to analyze and create reports of the issues in the old/overall source code in our project. Do we need a license?

A: SonarQube always analyzes the entire code base of a branch. Reporting starts in Enterprise Edition, which does require a license. Otherwise, you’ll need to build your own reports using the Web APIs.

Q: What is the difference between the SQ project and the SQ application? And when it is good to use Application instead of project

A: An application in SonarQube is a collection of projects that you define. Applications are a way to aggregate project results together. Here are some more details: Applications

Q: Does SonarQube work with Mainframe languages?

A:Where OpenJDK or Java 17 can run, SonarQube can run. SonarQube Enterprise Edition and DataCenter Edition support COBOL language.

Q: Where can I find the details of SonarQube licensing?

A: Our pricing page has details of each SonarQube edition: Plans & Pricing

Q: Do I define the Quality Gate in the pipeline or in the properties file?

A: Quality Gates are defined in the SonarQube web interface. If you don’t want to use our supplied Sonar way Quality Gate, you can configure a custom Quality Gate in the SonarQube UI.

Q: What is the difference between SonarQube 9.9 LTS and 10.5 version? I see the dashboard was changed and the Severity level.

A: Quite a lot of new capability is in the latest version since the 9.9 LTA. You can see everything on the roadmap here: Roadmap | SonarQube

All the features that got released after 9.9 are available here: https://portal.productboard.com/sonarsource/3-sonarqube/tabs/14-released-in-10-x

Q: is Sonar’s Deeper SAST available for SonarCloud?

A: Yes. SonarCloud and the latest version of SonarQube offer the same languages, analyzers and rules.

Q: Can SonarQube analyze front end technologies (Angular, Flutter, etc), in addition to the back-end .NET that I’ve used it on so far?

A: SonarQube does not support Flutter/Dart today, but it is on the roadmap. It does support JavaScript, Angular and other front-end app dev frameworks, including Blazor for .NET!

Q: Does SonarQube also count the LOC in dependencies?

A: SonarQube doesn’t currently do any analysis of dependencies. That includes License Lines of Code. So use as many big libraries as you want; it won’t use up your license.

Q: Does SonarCloud offer security reports?

A: It does not have them. It has the SAST capability, not the Security reporting capability

Q: What is PR decoration, especially in Azure DevOps?

A: To understand what you would get with PR decoration on AzureDevOps, I suggest you have a look at our documentation. An illustration of a publicly available integrated with AzureDevOps can be found here