[Webinar] Write cleaner, safer Python code with SonarQube

What: How SonarQube static analysis can help you write better Python code
When: July 16 10:00 am CDT / 4:00 pm GMT (time zone conversion)
Presenters: G. Ann Campbell (me!), Nicolas Harraudeau

In a live, 30-minute webinar on July 16th at 10 a.m. CST, I’ll talk about the benefits of SonarQube’s static analysis specifically for Python developers. You’ll learn about:

  • Code Quality & Security for the individual: in-IDE and in PRs
  • Code Quality & Security for the team: in SonarQube
  • What types of issues you can find in Python code: Bugs, Vulnerabilities, Security Hotspots, and Code Smells.
  • How easy it is to get started - including a live demo of SonarQube!

Who this is intended for: Python Developers & Teams new to SonarSource.

Register now to reserve your seat.



Hi all,

If you couldn’t make the scheduled time, you can watch the webinar on YouTube:

As usual, here are the questions that participants asked:

What Python versions and frameworks does SonarQube support?
SonarQube supports Python 2.7 through Python 3.8, and Django & DTL, plus Flask & Jinja2, as well as Django ORM, and Flask-SQLAlchemy.

How strong is the security coverage for Python, and what’s available for security in Community Edition?
We offer rules for each of the OWASP Top 10 categories. For Security Hotspots, which are available in Community Edition, we cover seven of the 10, including finding security-sensitive pieces of code related to A7 - XSS, A1 - Injection, and A9 - Components with Known Vulnerabilities. For Security Vulnerabilities, we find issues for nine of the OWASP Top 10, with all but one of those categories (A4 - XXE) available in Community Edition. In commercial editions we offer additional taint analysis rules which go even further in helping you make sure your code is secure. Learn more here.

What languages are under active development?
We’ve put a lot of effort into Python this year, as well as Java, C#, C, and C++. We’ll soon be turning back to JavaScript, TypeScript, and PHP. Meanwhile, it’s worth mentioning that other analyzers are regularly maintained as well.

What parts of my project will SonarQube analyze?
Across the four editions, SonarQube offers analysis of 27 languages, starting with the 15 most popular - including Python! - in Community Edition. Each analysis examines the source code (and sometimes the byte code) for each language provided by your edition. The issues and metrics from those source code files are presented together in SonarQube’s unified view.

How do I get analysis in my IDE?
SonarLint is a free and open source plugin that supports Python in VSCode, IntelliJ IDEA and PyCharm, and in Eclipse. It lets you find issues as you code, so you can fix them before committing.

Can I customize my analysis?
You get a sane default rule set out of the box and we view this as a recommended minimum rule set. Additionally, we offer more rules than are enabled in the default profile. If you’d like to tune your experience, you can create your own custom Quality Profile with a different rule set. If you need rules that aren’t available out of the box, you might want to import issue reports from 3rd-party tools such as flake8. If that’s still not enough, you have the ability to write custom rules.

How do I keep up with what new rules are added in a version?
The easiest thing to do is watch release announcements; they’ll mention the new rules added in each language. Most new Python rules are available in all editions, but when a rule is available in Developer Edition and above, it will be mentioned there. Additionally, there is in-app notification of new rules on the Quality Profiles page.

How do I get started with SonarQube?
You can run SonarQube anywhere you can run Java. You’ll need a JDK on the server where you’ll run your SonarQube instance, and a production database to connect it to. For the server itself, both Docker images and zip bundles are available, and installation and setup are easy.

My codebase is proprietary and confidential. Where does my code go when I analyze it with SonarQube?
SonarQube is an on-premise product, which means that you keep full ownership of your code base. Your code must be available to the scanner on the analysis machine you provide. As part of analysis it will be sent to the SonarQube server and stored in the database you’ve configured SonarQube to use. You can use SonarQube’s permission system to control who can see the source code inside SonarQube.

Can I integrate SonarQube into my workflow?
Integrations are available for Jenkins, Azure Pipelines and GitLab CI; as well as the four major ALMs: GitHub, GitLab, Azure DevOps, and Bitbucket Server.

What’s the difference between Community Edition and the commercial editions?

  • Community Edition is free and open source. It lays the foundation by providing a great user experience, workflow integration, all the metrics and 95% of the rules. It includes 15 languages including Python, JavaScript, TypeScript, Java, PHP and C#.
  • Developer Edition adds PR analysis and decoration, plus taint analysis rules such as the XSS detection rule and the one for SQL Injection. It adds seven more languages including C, C++, and PL/SQL.
  • Enterprise Edition adds Security Reports, Executive (PDF) Reports, and Portfolio Management. It adds five more languages including Apex and COBOL.

How are the commercial editions priced?
Commercial editions are priced by lines of code. Developer edition starts at $150 per year.

How can I try this all out?
To get started with Python analysis, you can download SonarQube Community Edition for free.

If you’re interested in Taint Analysis/Injection rules, and want to see these issues raised directly in your PRs in the four major ALMs (GitHub, GitLab, Bitbucket Server, and Azure DevOps), you can request a 14-day trial license for Developer Edition.

Need all that plus Security Reports? Enterprise Edition is what you’re looking for. Request a 14-day trial license here.

Still have questions?
If you have general questions about product features, join us in the SonarSource community. We’ll be glad to see you!

For questions about commercial editions, including pricing or trial licenses, try one of these:

For other commercial questions, contact us here.


