Hi all!
Thanks to everyone who attended our webinars yesterday! You can find below the questions that were asked during the sessions:
Q: Does it require several licenses to analyze projects hosted in different on-premises servers?
A: No, in order to onboard more than one on-prem server of the same kind, Enterprise Edition will be the solution.
Q: Does Community Edition support C and C++?
A: No, the support for C and C++ starts at the Developer Edition.
Q: I lost some words, is COBOL supported in the Enterprise Edition?
A: You got it right! Yes, COBOL is supported in the Enterprise Edition.
Q: Does it require GitLab Enterprise to make the “Quality Gate fails the pipeline” work correctly and track the jobs state?
A: Not necessarily. This parameter is coming from SQ and applied on GitLab as a YAML instruction.
See here: https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/analysis-parameters/#quality-gate
Q: Are you going to introduce AI capability to detect code bugs or to suggest possible code fixes?
A: Some of the intelligence is already there with Quickfixes : https://www.sonarsource.com/blog/sonarlint-quick-fixes/. But this is something we are considering, so stay tuned!
Q: Is Vulnerability Detection integrated with SonarLint as well?
A: Shallow vulnerabilities, yes. SonarLint won’t be able to go as deep as SonarQube, but the connected mode between SonarQube and SonarLint will help get the full vulnerability detection back in your IDE.
Q: Can the Developer Edition compute multiple scans in parallel, or is it only the Enterprise Edition?
A: It’s only available in the Enterprise Edition.
Q: How many lines of code can we scan with the community edition? Does CE support NodeJS?
A: No limit on lines of code, and yes, it can scan NodeJS but only for quality.
Q: We have multiple teams working on one project (different domains) and would like to have reports for each team/domain. Is there anything planned? Or only API / custom? We want teams to own the code, not just a single developer.
A: Our focus is really the code itself. If you want reports on Team/People, our WebAPI is open. You can probably create custom reports querying the API. SonarQube
Q: I am currently using the Community Edition. If I install the free demo of the Enterprise Edition and find it not suitable for my needs, will it be trivial to uninstall it and go back to Community Edition?
A: Once you use it, it is forever.
Just joking, sure you can. However, we recommend getting a side instance of Enterprise Edition and duplicating pipeline runs to make sure that it is not impacting your Community Edition if you are heavily relying on it.
Q: Would it be possible to see an example of a PDF report that SQ produces for a project?
A: Yes, you can find one here.
Q: Is it possible to create a portfolio using SonarCloud?
A: Not for now, but soon!
Q: Why don’t we have the same level of support for Reports in SonarCloud compared to Enterprise?
A: Great question. SonarCloud will soon see new enterprise features. Reporting will be part of this. Please contact your account manager for more details.
Q: Can you talk about “Applications” quickly?
A: An application aggregates multiple projects into a synthetic single project. Assume that you have a set of projects which have been split for technical reasons, but which share a life cycle; they interact directly in production and are always released together. With an application, they can be treated as a single entity in SonarQube with a unified project homepage, issues list, measures space, and most importantly, pass through the same quality gate.
Q: Is there any data about TPR and FDR for the JavaScript/TypeScript language, and where to find them if any?
A: Rate is not something that we have; however, we are known to be one of the lowest FPR. Fine-tuning the rules applying to the analysis can help you narrow it to the minimum FP rate possible.
Q: Does the bug/vulnerabilities detection change or improve in Enterprise Edition compared to Developer Edition?
A: On the Enterprise Edition, you would be able to customize your detection engine.
Q: Is there an option to have a quality gate or profile apply on “all code”?
A: Sure, you can add conditions on new code and overall code. However, you need to be careful with overwhelming your devs with issues. Find more info here: https://next.sonarqube.com/sonarqube/quality_gates/show/SonarSource%20way%20-%20Without%20duplication
Q: Will you improve the intelligence behind the secret detection? It feels like it is a bit basic and only detects secrets when the variables are named “secret” or “password”.
A: We are always happy to get feedback from our users. We added many more rules on secrets, and there is the ability to create your own rule regarding that topic. See here: https://rules.sonarsource.com/secrets/
Q: Can SonarQube scan the third-party package vulnerabilities?
A: No, but SQ can be extended with plugins that do the job. Deeper SAST can help you go further in your analysis. See here: https://www.sonarsource.com/blog/deeper-sast-uncovers-hidden-security-vulnerabilities/
Q: Do you have any intention to implement some kind of reachability analysis? Today our developers on SonarQube Developer Edition face false positives and that makes them not look at the SAST analysis at all.
A: It could be because the profile doesn’t correctly suit your needs. We give default profiles for all languages, but depending on your industry, some rules might not make sense. If you are seeing a pattern getting raised too many times, please get closer to your support contact/community hero (Colin is one of them).
Q: Can we scan for 3rd-party DLL versions with SonarQube?
A: With SonarQube this is out of scope. Ideally, having the uncompiled code integrated into the SonarQube workflow could be the best option for your case. But if you have a scan (or maybe a plugin) with output for those DLLs, you can import those issues into SonarQube.
Q: Can tags for projects be set programmatically, or only via the UI (to be used in reporting)?
A: Yes, here: SonarQube
Q: Do you have the concept of groups/teams in SonarQube to manage and assign engineers to certain projects with a defined set of roles/privileges?
A: Yes, it exists. In the administration tab, under groups and permissions, you will find everything you need.
Q: When we talk about Performance, do we mean the processing time of the analyses and the number of workers?
A: Yes, this is one of the axes of improving the performance of SonarQube. You can add, on top of the security engine customization, rules customizations …
Q: Does Sonar support AWS CodeCatalyst for PR analysis?
A: Yes, but not out of the box. You will need to script it and bring the output of SonarQube into your PR.
Q: SQL injection is also checked in the Community Edition, what is the difference in Enterprise?
A: SQL injection is one of the kinds of rules that you have on the Enterprise Edition. Community Edition doesn’t cover it.
Q: Can we add custom rules for C#, the same way we can add custom rules for Java?
A: Please see here: Adding coding rules
Q: Are security reports the default of the version?
A: Security Reports are tied to the Enterprise Edition.
Q: CodeQL is a new product in the market for code analysis. Is there any more advantage of using SonarQube in comparison to CodeQL at an enterprise level?
A: At the SAST level, the best option is to try and compare our solution. However, we are unique in terms of methodology. The governance aspect given in the SonarQube Enterprise Edition is one of our key arguments.
Q: What are the main differences between Developer and Enterprise options?
A: Please see here: Download | SonarQube
Q: Is there a comparison/documentation about the features of SonarQube vs. GitLab in terms of static analysis or SAST?
A: We do have some metrics that we can discuss, but please reach out for a call or demo from our Solutions Engineers!
Q: Do you have a method to analyze the size of existing code? This will help understand the licenses needed.
A: See here: GitHub - SonarSource/sonar-loc-count
Q: Are any certifications available from SonarQube for the product?
A: We are helping you gather evidence toward certifications, but not certifying your codebase.
Q: Thinking about CI/CD and integration, is it possible to add a direct project to a portfolio or is the process manual?
A: Portfolio is something you can automate by playing with the selection mode. See more here: Portfolios. Portfolio will occur post-CI, not at the CI level.
Q: Just like Microsoft has certification exams for Azure, are there any certifications for SonarQube?
A: SonarQube Quality Gate passed tag: SonarQube
Q: Can the number of workers also be increased in the Developer Edition or this is only from Enterprise “onwards”?
A: This is only from the Enterprise Edition onwards.
Q: What are your recommendations to get code improvements toward CPU consumption optimization and CO2 emission reduction?
A: Some of the rules we are working on are part of the GreenIT / EcoCode effort. Plugins exist too on that topic.
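For the GitLab question above (“Quality Gate fails the pipeline”), here is an added example of what the “YAML instruction” looks like in practice. It is not from the original post or from SonarSource’s own documentation; it assumes the SonarScanner CLI container image, a project key of your own, and that SONAR_HOST_URL and SONAR_TOKEN are defined as masked CI/CD variables in the GitLab project settings. Nothing here needs a GitLab Enterprise license: it is standard .gitlab-ci.yml.

```yaml
# Added example (not part of the original post): one GitLab CI job that runs the
# SonarScanner CLI and makes the pipeline fail when the SonarQube Quality Gate fails.
# Assumptions: SONAR_HOST_URL and SONAR_TOKEN exist as masked CI/CD variables; the
# scanner reads both from the environment. "my-project-key" is a placeholder.
sonarqube-check:
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"   # keep the scanner's working files inside the job dir
    GIT_DEPTH: "0"                                # full clone so new-code detection and blame work
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - >
      sonar-scanner
      -Dsonar.projectKey=my-project-key
      -Dsonar.qualitygate.wait=true
      -Dsonar.qualitygate.timeout=300
  # The scanner exits non-zero when the gate fails; allow_failure: false turns that
  # into a failed job, and therefore a failed pipeline (a blocked merge request).
  allow_failure: false
  rules:
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

The two analysis parameters are the ones behind the documentation link given in the answer: sonar.qualitygate.wait=true makes the scanner poll SonarQube until the background task finishes and return a non-zero exit code when the gate status is not passed, and sonar.qualitygate.timeout (seconds) bounds how long it waits. Because the gate decision is enforced by the job’s exit code, nothing in SonarQube has to know about GitLab edition or job state; GitLab itself tracks the job as passed or failed like any other CI job.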