My primary concern is what degree of trust can be placed in plugins found in the Marketplace and in particular, sonarplugins.com.
If SonarSource has nothing to do with sonarplugins.com, perhaps your legal team should review the legitimacy of that site as it could be perceived as SonarSource sanctioned (or potentially be serving up malware). At the very least some clarity is required to say sonarplugins.com is not related to, maintained by or sanctioned by SonarSource.
It had been a while since I visited that site. Checking it now, I understand your confusion. I don’t know why they decided to re-title the site “SonarQube™ Marketplace”. It is not, never has been, and never will be the SonarQube Marketplace. That resides in-app. Period.
We’ll be taking this up with them and thanks for raising the question.
To address your specific questions:
Actually I think I was fairly clear there:
We have nothing to do with that site
It’s two entirely different, and unconnected things.
Hopefully it’s clear at this point that those are two distinct things. Plugins in your in-app Marketplace were minimally vetted for behavior & user experience on initial entry into the Marketplace. After that, it only takes a passing Quality Gate on SonarCloud to add new versions.
Yes, by the time I finished composing the email message (while researching) I realized I may be repeating myself and have most of the answers already, so this is partly for Community knowledge as I did not see this clearly spelled out.
I now get that SonarSource has nothing to do with sonarplugins.com (and not to trust the aggregated content). If I were SonarSource Legal, I’d still talk to them to make that more clear for us users given the trademark naming confusion potential and association.
The reason this all came up is a user asked me (Admin), “Can you please install these (bitegarden) plugins from sonarplugins.com?” Turns out it’s not listed in the internal Marketplace and I never heard of sonarplugins.com, so I dunno and instinctively did not trust.
But here for example, there’s a 3rd party commercial plugin for SonarQube that’s not listed in the internal Marketplace. Not clear why that would not be available? Is it because it’s a commercial product so does not meet the FLOSS guidelines, that it’s a competitor to a SonarSource feature / product, or that it did not meet some other evaluation criteria to enter your Marketplace?
Now that I can see the Deploying to the Marketplace information, I have some better understanding of how plugins get to your Marketplace or not. As a user however, I think there should be an explanation in the documentation for us to better understand what’s available through the Marketplace and what’s not, and what assurances are provided regarding their installation and use (i.e. it works, it does what it says, it declares or has no external connections, data exchange, etc.)…
Thanks for the follow-up. I’m glad to read that your Spidey-senses tingled when your user asked about sonarplugins.com
After responding to you yesterday, I used their contact form to make a polite request. Hopefully that will be enough. We’ll see where it goes from there.
Well, the very first (unstated) requirement is that they have to ask to be included. There’s work involved on our side for the initial vetting of new plugins, so we don’t go looking for ones to add. After that, I would guess they never bothered asking because it isn’t FLOSS. Regarding Bitegarden specifically, some of their plugins (in addition to presumably being closed-source) do compete. Beyond that, without knowing which 3rd-party commercial plugin you’re talking about, it’s hard for me to guess.
This is a very fair point. In fact, the documentation about adding a plugin to the Marketplace used to live in the docs and we moved it for practical reasons. I’ll see about adding something back in.