What is / who owns sonarplugins.com?

Does SonarSource have any relationship to the site sonarplugins.com?

There are a handful of Community posts which reference that site, but nothing that seems to suggest that’s an official site.
@ganncamp seems to suggest it’s not related:
But this conversation raises doubts to that.

> No clue. You would have to ask the maintainers of that site.

I know the Marketplace page ( /admin/marketplace ) says:

> Plugins available in the Marketplace are not provided or supported by SonarSource. Please reach out directly to their maintainers for support.

And the documentation says:

> Which URLs does the Marketplace connect to?
>
> The SonarQube Marketplace connects to https://update.sonarsource.org/ to get the list of plugins. Most of the referenced plugins are downloaded from:
>
> https://binaries.sonarsource.com/
> https://github.com/

I don’t understand why there are plugins listed there that are not in the “Marketplace”. Is there a relationship with SonarSource? Is that site trusted?

How do plugins end up in https://update.sonarsource.org/ ? I don’t see a mention of that in the Documentation - Develop a Plugin or under Contributing.

My primary concern is what degree of trust can be placed in plugins found in the Marketplace and in particular, sonarplugins.com.

If SonarSource has nothing to do with sonarplugins.com, perhaps your legal team should review the legitimacy of that site as it could be perceived as SonarSource sanctioned (or potentially be serving up malware). At the very least some clarity is required to say sonarplugins.com is not related to, maintained by or sanctioned by SonarSource.
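An added example, not part of the original post and not SonarSource code: a check an administrator could run on a requested plugin download URL to see whether its origin is one of the download hosts the quoted documentation names. The function names and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Download hosts quoted from the SonarQube documentation in the post above.
DOCUMENTED_DOWNLOAD_HOSTS = frozenset({"binaries.sonarsource.com", "github.com"})


def classify_plugin_url(url):
    """Return (verdict, reason); verdict is 'documented' or 'undocumented'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return "undocumented", f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return "undocumented", f"scheme is {parts.scheme or 'missing'}, not https"
    if parts.username is not None or parts.password is not None:
        return "undocumented", "URL carries userinfo before the host"
    if port not in (None, 443):
        return "undocumented", f"non-default port {port}"
    # Exact match only: a suffix or substring match would accept lookalikes.
    if host not in DOCUMENTED_DOWNLOAD_HOSTS:
        return "undocumented", f"host {host or '(none)'} is not a documented source"
    return "documented", host


# Constructed sample requests (paths are made up for illustration).
SAMPLE_URLS = [
    "https://binaries.sonarsource.com/example/example-plugin-1.0.jar",
    "https://GitHub.com/example-org/example-plugin/releases/download/1.0/example-plugin-1.0.jar",
    "https://sonarplugins.com/example-plugin-1.0.jar",
    "https://github.com.example.net/example-plugin-1.0.jar",
    "https://github.com@example.net/example-plugin-1.0.jar",
    "http://binaries.sonarsource.com/example/example-plugin-1.0.jar",
]


def review(urls):
    """Map each URL to its (verdict, reason) pair."""
    return {u: classify_plugin_url(u) for u in urls}


if __name__ == "__main__":
    for url, (verdict, reason) in review(SAMPLE_URLS).items():
        print(f"{verdict:12} {url}  [{reason}]")
```

A `documented` verdict only says the origin matches a host the documentation lists. Anyone can publish on github.com, so it does not show that the plugin is listed in the in-app Marketplace.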

Hi,

It had been a while since I visited that site. Checking it now, I understand your confusion. I don’t know why they decided to re-title the site “SonarQube™ Marketplace”. It is not, never has been, and never will be the SonarQube Marketplace. That resides in-app. Period.

We’ll be taking this up with them and thanks for raising the question.

To address your specific questions:

No.

Actually I think I was fairly clear there:

We have nothing to do with that site

It’s two entirely different, and unconnected things.

No

I wouldn’t trust it. :wink:

We actually moved that documentation into this community since it’s through the community that all communication related to these plugins happens.

Hopefully it’s clear at this point that those are two distinct things. Plugins in your in-app Marketplace were minimally vetted for behavior & user experience on initial entry into the Marketplace. After that, it only takes a passing Quality Gate on SonarCloud to add new versions.

For listings on sonarplugins.com, the site itself says

> This is just a plugin compilation site.

Thx,
Ann

Hi Ann,

Yes, by the time I finished composing the message (while researching) I realized I may be repeating myself and have most of the answers already, so this is partly for Community knowledge as I did not see this clearly spelled out.

I now get that SonarSource has nothing to do with sonarplugins.com (and not to trust the aggregated content). If I were SonarSource Legal, I’d still talk to them to make that more clear for us users given the trademark naming confusion potential and association.

The reason this all came up is a user asked me (Admin), “Can you please install these (bitegarden) plugins from sonarplugins.com?” Turns out it’s not listed in the internal Marketplace and I never heard of sonarplugins.com, so I dunno and instinctively did not trust.

But here for example, there’s a 3rd Party Commercial plugin for SonarQube that’s not listed in the internal Marketplace. Not clear why that would not be available? Is it because it’s a Commercial Product so does not meet the FLOSS guidelines, that it’s a competitor to SonarSource feature / product or that it did not meet some other evaluation criteria to enter your Marketplace?

Now that I can see Deploying to the Marketplace information, I have some better understanding of how plugins get to your Marketplace or not. As a user however, I think there should be an explanation in the documentation for us to better understand what’s available through the Marketplace and what’s not and assurances are provided regarding their installation and use (ie: it works, it does what it says, it declares or has no external connections, data exchange, etc)…

Hi,

Thanks for the followup. I’m glad to read that your Spidey-senses tingled when your user asked about sonarplugins.com :+1:

After responding to you yesterday, I used their contact form to make a polite request. Hopefully that will be enough. We’ll see where it goes from there.

Well, the very first (unstated) requirement is that they have to ask to be included. There’s work involved on our side for the initial vetting of new plugins, so we don’t go looking for ones to add. After that, I would guess they never bothered asking because it isn’t FLOSS. Regarding Bitegarden specifically, some of their plugins (in addition to presumably being closed-source) do compete. Beyond that, without knowing which 3rd-party commercial plugin you’re talking about, it’s hard for me to guess.

This is a very fair point. In fact, the documentation about adding a plugin to the Marketplace used to live in the docs and we moved it for practical reasons. I’ll see about adding something back in.

Thx!
Ann