Hi all,
If you couldn’t make it to our live webinar, you can still watch it on-demand!
Below you’ll find answers to the questions we received during the presentation.
Q: When do deprecated rules get removed?
A: There is no hard commitment from Sonar here; you may expect a deprecated rule to be removed in the next major version of SonarQube.
Q: Is it configurable what code is considered ‘new’?
A: Indeed, every team can configure this for its own project through the SonarQube UI and analysis parameters: https://docs.sonarqube.org/latest/project-administration/new-code-period/
Q: How to Configure Sonar for Salesforce?
A: SonarQube already supports APEX with no additional configuration required.
Q: Does the SonarQube Pull Request Analysis feature work with GitHub’s Draft Pull Requests?
A: Yes, SonarQube supports automated Pull Request decoration via GitHub Actions.
Q: Can the notifications be configured by the administrator for all users?
A: Notifications are self-subscribed with both SonarCloud and SonarQube.
Q: Can SonarQube add info on pull requests on Azure DevOps?
A: Yes, Azure DevOps (both Server and Services) is supported for PR decoration: Azure DevOps Integration | SonarQube Docs
Q: Is there much difference between SonarCloud and SonarQube?
A: SonarCloud is our entry-level, SaaS-based option, hosted by us and automatically updated to include new features as they are released. SonarCloud has feature parity with our Developer Edition; it does not contain any of the Enterprise reporting features, nor does it support features that might affect other users in a shared environment, e.g., LDAP/SSO integration, use of Marketplace plugins, etc.
Q: How many branches (for each repo) can it scan?
A: SonarQube has no limit on the number of branches and/or pull requests you can scan for a given repo.
Q: How can we add rules for variable declaration for .NET?
A: .NET languages (C# and VB) let you integrate third-party tool results: https://docs.sonarqube.org/latest/extend/adding-coding-rules/
Q: Is there a good way to highlight dependencies that need updating as part of the scan?
A: Sonar does not provide SCA (Software Composition Analysis).
Q: Might I configure QA gates / profiles for projects with different implementation languages?
A: Different Quality Gates can be configured for different projects. As a quality gate measures the releasability of a project, it should not vary based on languages.
Q: Can SonarQube scan for security vulnerabilities in Open Source Dependencies?
A: Sonar does not provide SCA (Software Composition Analysis).
Q: Which version(s) of SonarQube have the “Portfolios” section?
A: Portfolios are available starting in Enterprise Edition.
Q: Are reports customizable?
A: The reports provided by SonarQube cannot be tweaked. We welcome any feedback about how we can improve them on our roadmap portal at https://portal.productboard.com/sonarsource/3-sonarqube
You may also build your own reports using the SonarQube Web API.
Q: Can SonarQube send Quality Gate results to email?
A: Yes, any SonarQube user can subscribe to Quality Gate status changes notifications.
Q: Does the SonarQube Pull Request Analysis feature work with Developer License as well?
A: Yes, Pull Request analysis (and decoration on supported DevOps platforms) is available on all commercial editions.
Q: Should projects have different QG and QP based on relevance of a project?
A: The project objectives in terms of releasability are for you to decide, of course. What we recommend is the Clean As You Code approach for all projects, with Quality Gate conditions on the New Code, or mostly on the New Code. The SonarQube UI also lets you define baseline Quality Profiles (representing the minimum set of rules every project in the same language will activate), while inheritance and child profiles let teams adopt more rules when they are ready for it.
As highlighted during the webinar, the built-in Quality Profiles and Quality Gates are good starting points for every team.
Q: Is it possible to add your own rules?
A: You have different ways to implement your own rules depending on the language you analyze: https://docs.sonarqube.org/latest/extend/adding-coding-rules/
Q: Do you have a recommendation for code coverage (for only the code that you are changing) when using VS.NET? In other words, we need a way to clean as you code from a unit-test-coverage perspective.
A: Coverage data in SonarQube is also computed for the two code periods (New and Overall). The SonarQube built-in Quality Gate also promotes coverage on the New Code (not the Overall Code).
Q: We’re just starting with SonarQube. Do you have documentation for best-practices when starting projects with SonarQube?
A: Many SonarQube documentation pages provide good input regarding code analysis. Two very important ones are: https://docs.sonarqube.org/latest/user-guide/clean-as-you-code/ and Narrowing the Focus | SonarQube Docs
Q: How does open source code incorporated into a project get analyzed by SonarQube?
A: Sonar does not provide SCA (Software Composition Analysis). If some external code is hosted within the project’s source folders, it may also get analyzed (although it should probably not be): https://docs.sonarqube.org/latest/project-administration/narrowing-the-focus/
Q: How can we embed SonarQube to Gitlab with all features?
A: GitLab is one of the DevOps platforms fully supported by SonarQube (authentication, MR decoration, GitLab pipeline integration…): GitLab Integration | SonarQube Docs
Q: Are there different Quality Profiles and Quality Gates per technology stack, e.g. Java, C#, JavaScript, Python, etc.?
A: That’s the case for Quality Profiles, as they activate rules (which are attached to individual languages). It’s not the case for Quality Gates.
Q: On the above lines, is there a way to extract detailed vulnerability issue reports by a project?
A: Security Reports are provided by SonarQube starting with Enterprise Edition. All project data on SonarCloud and SonarQube can be extracted through the Web API, in JSON format.
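An added example (not a Sonar-provided script) of pulling a project’s vulnerability issues out of the Web API as JSON with the api/issues/search endpoint. The HTTP layer is injected so the paging logic can be exercised offline; the server URL, token and project key are placeholders.

```python
"""Paginated export of a project's VULNERABILITY issues from the SonarQube Web
API (api/issues/search, JSON). Added example, not a Sonar-provided script; the
HTTP layer is injected so the paging logic can run offline against constructed
responses. Assumes a user token with Browse permission on the project."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

PAGE_SIZE = 500       # documented maximum value of the ps parameter
MAX_RESULTS = 10_000  # the API does not serve results past this index


def make_fetcher(base_url: str, token: str) -> Callable[[str, dict], dict]:
    """Real fetcher: a SonarQube token is sent as the HTTP Basic username."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(path: str, params: dict) -> dict:
        url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def export_vulnerabilities(project_key: str, fetch: Callable[[str, dict], dict]) -> List[dict]:
    """Walk every page of VULNERABILITY issues for project_key. Fails loudly
    instead of silently truncating a security report when the 10,000-result
    window is exceeded; narrow the query (severities, statuses) in that case."""
    issues: List[dict] = []
    page = 1
    while True:
        params = {"componentKeys": project_key, "types": "VULNERABILITY",
                  "ps": PAGE_SIZE, "p": page}
        body = fetch("api/issues/search", params)
        total = body["paging"]["total"]
        if total > MAX_RESULTS:
            raise RuntimeError(f"{total} issues exceed the API window of {MAX_RESULTS}")
        issues.extend(body["issues"])
        if len(issues) >= total or not body["issues"]:
            return issues
        page += 1


def count_by_severity(issues: List[dict]) -> Dict[str, int]:
    """Small report helper: unresolved vulnerabilities per severity."""
    counts: Dict[str, int] = {}
    for issue in issues:
        if issue.get("status") in ("OPEN", "CONFIRMED", "REOPENED"):
            counts[issue["severity"]] = counts.get(issue["severity"], 0) + 1
    return counts


if __name__ == "__main__":  # placeholders: replace with your server, token and key
    vulns = export_vulnerabilities("my-project-key", make_fetcher("https://sonar.example.invalid", "PLACEHOLDER_TOKEN"))
    print(json.dumps({"total": len(vulns), "by_severity": count_by_severity(vulns)}, indent=2))
```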
Q: Do we have a rule to scan for <sonar.exclusions> in pom.xml? This is needed to flag exclusions made by developers.
A: It can be done through the definition of an XPath custom rule on XML analysis: Adding Coding Rules | SonarQube Docs
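The check such an XPath rule would encode, as an added example in Python (not SonarQube’s rule template): it matches by local name so POMs with and without the Maven default namespace are both covered. The sonar.test.exclusions and sonar.coverage.exclusions names are assumed extras beyond the property in the question.

```python
"""Flag analysis-scope properties such as <sonar.exclusions> declared in a Maven
pom.xml. Added example, not SonarQube's XPath rule template: it performs the same
check in Python so it can be tried on real POMs. Maven POMs normally carry the
default namespace http://maven.apache.org/POM/4.0.0 but some omit it, so tags
are matched by local name, as an XPath local-name() test would."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Expression an XPath custom rule could use; local-name() sidesteps the
# namespace (assumed acceptable to the rule template; it is standard XPath 1.0).
XPATH_RULE = "//*[local-name()='properties']/*[local-name()='sonar.exclusions']"

# sonar.exclusions is the property from the question; the other two are assumed
# extras that also narrow what gets analyzed or counted for coverage.
SCOPE_PROPERTIES = ("sonar.exclusions", "sonar.test.exclusions",
                    "sonar.coverage.exclusions")


def _local(tag: str) -> str:
    """Strip a '{namespace}' prefix, mirroring XPath's local-name()."""
    return tag.rsplit("}", 1)[-1]


def find_scope_properties(pom_xml: str) -> List[Tuple[str, str]]:
    """Return (property, value) pairs for every scope property directly under
    <project>/<properties>. Empty values are reported too, so a property that
    was set but left blank still gets reviewed."""
    root = ET.fromstring(pom_xml)
    if _local(root.tag) != "project":
        return []
    found: List[Tuple[str, str]] = []
    for child in root:
        if _local(child.tag) != "properties":
            continue
        for prop in child:
            name = _local(prop.tag)
            if name in SCOPE_PROPERTIES:
                found.append((name, (prop.text or "").strip()))
    return found


# Constructed sample: a namespaced POM with two scope-narrowing properties.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>demo</artifactId>
  <properties>
    <maven.compiler.source>17</maven.compiler.source>
    <sonar.exclusions>src/main/java/com/example/legacy/**</sonar.exclusions>
    <sonar.coverage.exclusions>**/dto/*</sonar.coverage.exclusions>
  </properties>
</project>"""

if __name__ == "__main__":
    for name, value in find_scope_properties(SAMPLE_POM):
        print(f"review: {name} = {value!r}")
```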
Q: How is the ‘Debt’ metric calculated?
A: Metric Definitions | SonarQube Docs
Metric Definitions | SonarCloud Docs
Q: What is the roadmap for SonarCloud as an alternative to on-prem SonarQube?
A: Sonar solutions roadmaps are available as ProductBoard portals:
Q: Can SonarQube report security problems?
A: SonarQube commercial editions (and SonarCloud) run Static Application Security Testing (SAST) analysis on your code. You may take a look at the vulnerability and security hotspots rules we provide at https://rules.sonarsource.com/
Q: Are there plans to include the ‘Enterprise’ report in SonarCloud in the future?
A: Adding reporting capabilities to SonarCloud is being considered; your feedback and contributions are welcome: https://portal.productboard.com/sonarsource/1-sonarcloud/c/369-reporting-capabilities
Q: Do most settings of SonarQube translate 1-to-1 to SonarCloud?
A: Although the Sonar language analyzers are shared, the features and UI are different. Don’t hesitate to contact us to discuss which solution would best fit your organization’s needs: contact@sonarsource.com
Q: Do you have any best practices regarding user rights assignment?
A: Apart from the common least-privilege principle, permissions, groups and permission granularity are really for each organization to decide.
Q: For Salesforce, SonarQube supports APEX. As I understand it, it is through GitHub. Is there a link you can share that helps understand how SonarQube can be configured directly prior to Salesforce deployment for APEX?
A: There is no relation between APEX code analysis and the code management solution. Of course, it’s much easier to automate analysis if the code is hosted in a git repository.
Q: What is the recommended permissions structure for companies with many many teams and repos?
A: There is no “recommended” permission structure that will fit every organization. Having a good project key naming convention will certainly help map permissions to groups. How many groups you will need, and what permissions they should receive, is really up to you.
Q: Can I save/export Portfolio configurations?
A: There is no portfolio export feature (as you have for projects). That said, you can script something using the SonarQube API. One example of such a script is available with sonar-config.
Q: WRT SonarLint, is there a community effort establishing language-specific rules?
A: SonarLint rules are a subset of Sonar rules: https://rules.sonarsource.com/
Q: Do you offer SonarCloud in EU? We often have gov projects that explicitly forbid shipping code to the US.
A: SonarCloud is exclusively hosted in the EU: Security Statement | SonarCloud Docs
Q: Is there security remediation planned in the next releases of SonarCloud for the way it scans the code? Code is pulled from GitHub in binary form and placed in the SaaS version, which was shot down by our security department, and hence we need to go for the Enterprise on-prem edition this time, which is more secure.
A: Having a snapshot of the analyzed code is a hard requirement for Sonar solutions (SonarCloud and SonarQube).
Q: Can we add more than one repository with developer license?
A: The Sonar license model is based on the amount of code analyzed, not the number of projects:
https://docs.sonarqube.org/latest/instance-administration/license-manager/
Q: Is there a possibility of running SonarQube Developer edition in containers?
A: Yes, indeed. Docker containers are one of the fully supported deployment options.
Q: What is Incremental Java PR analysis?
A: With the latest SonarQube version, Java PR analysis benefits from incremental analysis, which drastically speeds it up. You will find many technical details in SONARJAVA-4183.
Q: Are Quality Gates available in the free open source version?
A: Yes, Quality Gates are available in every SonarQube edition, and with SonarCloud.
Q: Are you going to implement any dependency security vulnerability checks in the default scan build?
A: Software Composition Analysis (SCA) is not in our short term roadmap. Feel free to promote the idea: https://portal.productboard.com/sonarsource/3-sonarqube
Q: Can you talk about the differences and similarities between SonarLint and SonarQube - Stand alone and when connected?
A: That is described at https://www.sonarsource.com/products/sonarlint/features/connected-mode/
Q: Is there a way to disable “wont fix” and “false positive” resolution options from “issues” tab?
A: These options are only shown to users granted the Administer Issues permission at project level. Remove that permission to disable the “won’t fix” and “false positive” options.
Q: Can quality gates and profiles be managed in source control?
A: That should not be needed, but you can do it using the SonarQube API.
Q: Apart from starting with new code, are there any tips on driving SonarQube teams adoption across the enterprise?
A: Enforcing passed Quality Gates on every release is a very effective way to promote adoption in every team.
Q: With ADO Integration setup, and using the MonoRepo setting in the project settings, what benefit does that give us that we normally don’t have?
A: All SonarQube benefits are considered “normal” here at Sonar
Q: Can you keep SonarLint sync with your own quality profile rules? Or only apply default built-in rules?
A: SonarLint connected mode also syncs Quality Profiles.
Q: Are these features for Enterprise edition? or Dev as well?
A: From all the features shown during the Webinar, only portfolios (executive reports) are exclusive to the Enterprise Edition.
Q: How do we integrate SonarQube with Jenkins, and can we see a pipeline example?
A: Yes, sure. Several examples are provided at https://docs.sonarqube.org/latest/analysis/jenkins/
Q: Can I see how long the scan took for each project in the UI?
A: The scanner execution time is shown in your CI tool, not in SonarQube. Feel free to promote the idea though: https://portal.productboard.com/sonarsource/3-sonarqube
Q: Do you recommend all developers to have SonarLint on visual studio?
A: Yes, we do. And we hope every developer aware of the possibility will adopt it.
Q: When you start working with a large number of teams with SonarQube and the product has false positives?
A: Every time you spot such a problem, please report it so that it can be fixed: How to Report a False-positive / False-negative - Sonar Community
Register for our next webinar on C++ and visit Webinars | Sonar.