Hi all,
Well that’s a wrap! Thank you to all who attended our webinar this week. For those who couldn’t attend, you can access to recording here.
Below are some helpful links and responses to the Q&A. Please reply on this thread with any additional questions!
Resources shared (order of appearance)
-
Website “r/badcode”
-
“The Wizard Book”
- “Structure and Interpretation of Computer Programs”, by Abelson & Sussman, MIT Press
- JavaScript Edition (2022): ISBN-13 978-0262543231
- Original Edition (1982): ISBN-13 978-0262010771
-
“Git of Theseus” tool (charts)
-
Picture of a magician on stage
-
Movie “The Prestige” (2006), by director Christopher Nolan
-
Staring Christian Bale, Hugh Jackman, Scarlett Johansson
-
Book
- “Refactoring”, by Martin Fowler, Addison-Wesley Signature Series
- JavaScript Edition (2018): ISBN-13 978-0134757599
- Original Edition (1999): ISBN-13 : 978-0201485677
-
Talk
-
Details about Sonar rules
-
Blog post about bugs with React Hooks
Q&A Session
Q - What kinda JS library are you going to be talking about?
A - We talk about Clean Code for JavaScript and TypeScript. This applies to React, Vue.js, Angular, Express, Next.js, even jQuery and any other library or framework.
Q - Like the Grammarly tool which corrects the grammar, does the “Sonar” tool correct our code with design principles?
A - Great question. With SonarLint, which scans your code locally in the IDE, yes, it’s just like Grammarly with respect to detecting bugs, code smells, and vulnerabilities.
Q - What other languages are supported?
A - With SonarQube, a lot: Java, PHP, Python, Kotlin, C/C++/Objective-C, JS/TS, Terraform, Cloudformation, Apex, COBOL Go, PL/I, RPG, Ruby, HTML, CSS, Swift, VB6, XML T-SQL, PL/SQL, and more. Check our list here: https://www.sonarqube.org/features/multi-languages/
Q - My team also uses the SonarLint extension for VS Code. Does it have the latest rules?
A - Yes, it does. When our JavaScript analysis has new rules or improvements, those rules are shipped in the next release of SonarLint. We are constantly improving the analysis.
Q - Would using ESLint and other different formatting tools qualify as writing a clean code.
A - It certainly helps. Clean Code needs to be easy to change and behave as required. Finding reliability defects and keeping the code readable are part of that. You need a high standard of quality that includes multiple properties of the source code and the program it produces, for example Security, Reliability, Maintainability, among others. At Sonar, we use ESLint and build upon it. We also go beyond what it can do, adding Taint Analysis and Injection Vulnerability detection, for example.
Q - Any plans to support the LUA language?
A - Lua is not a language that we plan to focus on at the moment. However, if we get many requests for it from the community, we might consider supporting it. Furthermore, you can find a community plugin that supports Lua.
Q - Does SonarQube do semantic analysis on JavaScript documents or only pattern analysis like Semgrep? If so, is it context-insensitive or not?
A - Yes. Depending on the rule, this might involve using an Abstract Syntax Tree, Control Flow Graph, Data Flow analysis, Symbolic Execution, Taint Analysis, etc. We care about precision and finding bugs and vulnerabilities that other tools can’t find, low False Positives, and an analysis you can trust.
Q - Is there a mechanism for pre commit hook check for new code on Java projects as well?
A - Yes, you can call the Sonar scanner command however you like since it’s an executable you can call from anywhere on your system. Using SonarLint in your IDE will be even faster, since it will raise the issues before you commit.
Q - Can Sonar detect errors with React’s use Effect Hook?
A - Yes. See for example our list of recent rules that were published: Introducing 7 new rules for React which detect bugs in JS/TS code. Also, please look out for our blog series on this topic: https://blog.sonarsource.com/lesser-spotted-react-mistakes-hooked-on-a-feeling/.
We care about React and we’ll continue to add more and better findings for Hooks and other React features. You can give us feedback in the Community: https://community.sonarsource.com/
Q - Does SonarQube cover functional programming languages such as Scala and Clojure?
A - SonarQube covers Scala but not Clojure.
Q - I use a local database with Sonar canner & SonarQube, but the quality gate is often red even when no new issues are logged. How does this work? Do I have to use the github hook as explained?
A - There could be several explanations: quality gate may be reflecting only overall code, a specific coverage value, analyzing wrong branch, etc. Please provide screenshots of your project showing the red quality gate and the quality gate’s conditions (from Quality Gates menu at the top in SonarQube) at our Sonar community forum and we can help you there: https://community.sonarsource.com/.
Q - How effective is Sonar for Salesforce & Copado?
A - Copado supports SonarQube via SonarApex scanning, but has its own limitations. Please refer to Copado’s documentation and website for further integration information.
Did you have a technical question during our Q&A? Is there something else you’d like to know about Sonar? You’re already in the right place - Sign up and post a new topic!