I’m new to SonarQube and very thankful for the great tool and helpful community.
I’m interested in learning more about the data-flow capabilities of SonarQube, which from my understanding are referred to as Symbols in SQ. I couldn’t find any in-depth tutorial on this topic, so I’ll put a few use-case examples here, and it would be great to have a pointer to some material that covers that.
At a high level, I want to be able to write rules and infer the exact parameter values which were relevant to a Method Invocation, i.e. given a function with the signature public String someFunc(String caller, String key) and a method invocation someFunc(username, userkey), I want to track the exact values of username and userkey.
I saw in one of the core team’s answers that this is symbolic execution and that SQ doesn’t expose this, but that answer is quite old, so any updates on that would be great.
Partial coverage would also be useful, i.e.
Identify when the value was changed
Identify only constant value definition
Identify the relations w/o value, i.e. username is set using another Method Invocation
Thanks, and I would appreciate some guidance on that topic,
Anton
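As an added illustration that is not part of the thread (and not code from SonarSource), the three "partial coverage" cases above can be approximated with the sonar-java semantic API alone, without the symbolic-execution engine: a custom rule subscribes to method invocations, resolves each argument's symbol, and reports whether it is a literal, a variable initialised from a literal, a variable that is reassigned somewhere, or a value produced by another method call. The rule key, the class name and the target method name someFunc (taken from the question) are assumptions; the imports are the public org.sonar.plugins.java.api package of the sonar-java plugin, and mit.symbol() is deprecated in favour of methodSymbol() in recent sonar-java releases.

```java
// Added example (not from the thread): a sonar-java custom rule that, for every
// call to someFunc, reports what the semantic API can tell about each argument.
// Assumes the sonar-java public plugin API; rule key and class name are hypothetical.
package org.example.rules;

import java.util.List;
import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.semantic.Symbol;
import org.sonar.plugins.java.api.tree.AssignmentExpressionTree;
import org.sonar.plugins.java.api.tree.ExpressionTree;
import org.sonar.plugins.java.api.tree.IdentifierTree;
import org.sonar.plugins.java.api.tree.LiteralTree;
import org.sonar.plugins.java.api.tree.MethodInvocationTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.VariableTree;

@Rule(key = "ExampleArgumentOriginRule") // hypothetical rule key
public class ArgumentOriginRule extends IssuableSubscriptionVisitor {

  // Method name taken from the question; a real rule would match on owner type too.
  private static final String TARGET_METHOD = "someFunc";

  @Override
  public List<Tree.Kind> nodesToVisit() {
    return List.of(Tree.Kind.METHOD_INVOCATION);
  }

  @Override
  public void visitNode(Tree tree) {
    MethodInvocationTree mit = (MethodInvocationTree) tree;
    if (!TARGET_METHOD.equals(mit.symbol().name())) {
      return;
    }
    // One diagnostic issue per argument, so the result is visible in the SonarQube UI.
    for (ExpressionTree arg : mit.arguments()) {
      reportIssue(arg, describe(arg));
    }
  }

  /** Classifies an argument: literal, constant-initialised variable, reassigned variable, or call result. */
  static String describe(ExpressionTree arg) {
    if (arg.is(Tree.Kind.STRING_LITERAL)) {
      // Case 2 from the question: a constant value is known directly.
      return "constant argument " + ((LiteralTree) arg).value();
    }
    if (arg.is(Tree.Kind.METHOD_INVOCATION)) {
      // Case 3: relation without value, the argument comes from another call.
      return "argument is the result of calling " + ((MethodInvocationTree) arg).symbol().name();
    }
    if (!arg.is(Tree.Kind.IDENTIFIER)) {
      return "argument expression of kind " + arg.kind();
    }
    Symbol symbol = ((IdentifierTree) arg).symbol();
    if (!symbol.isVariableSymbol()) {
      return "unresolved or non-variable identifier";
    }
    if (isReassigned(symbol)) {
      // Case 1: the value changes after declaration; a flow-insensitive look-up cannot track it.
      return "variable '" + symbol.name() + "' is reassigned; value not tracked without symbolic execution";
    }
    // Declaration may be null when the variable is declared outside the analysed sources.
    VariableTree declaration = (VariableTree) symbol.declaration();
    ExpressionTree initializer = declaration == null ? null : declaration.initializer();
    if (initializer == null) {
      return "variable '" + symbol.name() + "' has no visible initializer";
    }
    if (initializer.is(Tree.Kind.STRING_LITERAL)) {
      return "variable '" + symbol.name() + "' holds constant " + ((LiteralTree) initializer).value();
    }
    if (initializer.is(Tree.Kind.METHOD_INVOCATION)) {
      return "variable '" + symbol.name() + "' is set from a call to "
          + ((MethodInvocationTree) initializer).symbol().name();
    }
    return "variable '" + symbol.name() + "' initialised from expression of kind " + initializer.kind();
  }

  /** True if any usage of the symbol is the left-hand side of a plain assignment. */
  static boolean isReassigned(Symbol symbol) {
    for (IdentifierTree usage : symbol.usages()) {
      Tree parent = usage.parent();
      if (parent != null && parent.is(Tree.Kind.ASSIGNMENT)
          && ((AssignmentExpressionTree) parent).variable() == usage) {
        return true;
      }
    }
    return false;
  }
}
```

This is deliberately flow-insensitive: it answers "is this value a constant, where was it declared, and is it ever reassigned" from the symbol table, which is what the semantic API exposes to custom rules. Compound assignments (for example +=) and increments would need additional Tree.Kind checks in isReassigned, and anything that depends on control flow (which branch assigned the value before the call) is exactly the part that requires the symbolic-execution engine the thread says is not exposed.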
Welcome to the community, and thanks for the kind words!
We don’t have any in-depth tutorials, only the rule implementations themselves, which are open source for many languages. What language are we talking about?
It’s not clear to me that all the APIs for symbolic execution will be visible to you. The best thing to do is identify one or more rules that do something in the direction of what you want to accomplish and then check in the SonarQube Rules page to see if they’re part of the “SonarQube” repository (and thus open source) or one of the others.