What other open-source analysers do you use?

Sonar provides powerful static analysis: 4800+ rules over 30 programming languages!

And both SonarQube and SonarCloud play well with other open-source code analysis tools by allowing developers to import third-party issues, either in the formats produced by those tools or via the Generic Issue Import Format.

This means that issues raised by these tools fit into Sonar’s Clean as You Code methodology and benefit from features like issue backdating (the issue is considered to have been created at the last commit of a line, not the first time it’s reported to Sonar).

Additionally, this is even Sonar’s recommended way to build custom rules for some languages, such as writing custom rules for JavaScript/TypeScript with ESLint and importing the issues.

Are you importing third-party issue reports into Sonar? From which tools? Is Sonar missing support for any that would really help your workflow? Let us know!
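As an added example (not code from this thread or from Sonar), here is the conversion the post above describes: an `eslint -f json` report turned into Sonar’s Generic Issue Import Format. The sample report, the `eslint` engine id and the severity and issue-type mappings are this example’s own assumptions.

```javascript
// Constructed sample of what `eslint -f json` emits (one file, three findings).
const ESLINT_REPORT = [
  {
    filePath: '/work/app/src/auth.ts',
    messages: [
      { ruleId: 'eqeqeq', severity: 2, message: "Expected '===' and instead saw '=='.",
        line: 12, column: 9, endLine: 12, endColumn: 11 },
      { ruleId: 'no-multiple-empty-lines', severity: 1, message: 'More than 2 blank lines not allowed.',
        line: 30, column: 1, endLine: 33, endColumn: 1 },
      // Parse errors have no ruleId and no end position.
      { ruleId: null, severity: 2, message: 'Parsing error: Unexpected token', line: 40, column: 3 },
    ],
  },
];

// Assumed mappings (this example's choice, not prescribed by Sonar):
// ESLint severity 2 (error) -> MAJOR, 1 (warning) -> MINOR; a few rules that
// flag likely runtime defects become BUG, everything else CODE_SMELL.
const SEVERITY = { 2: 'MAJOR', 1: 'MINOR' };
const BUG_RULES = new Set(['eqeqeq', 'getter-return', 'no-compare-neg-zero']);

function toSonarGeneric(report, projectRoot) {
  const issues = [];
  for (const file of report) {
    // The generic format wants paths relative to the project base directory.
    const filePath = file.filePath.startsWith(projectRoot + '/')
      ? file.filePath.slice(projectRoot.length + 1)
      : file.filePath;
    for (const m of file.messages) {
      const ruleId = m.ruleId ?? 'parse-error'; // stable id for ruleId: null
      // ESLint lines and columns are 1-based; the generic format keeps lines
      // 1-based but counts columns from 0.
      const textRange = { startLine: m.line, startColumn: m.column - 1 };
      if (m.endLine !== undefined) textRange.endLine = m.endLine;
      if (m.endColumn !== undefined) textRange.endColumn = m.endColumn - 1;
      issues.push({
        engineId: 'eslint',
        ruleId,
        severity: SEVERITY[m.severity] ?? 'INFO',
        type: BUG_RULES.has(ruleId) ? 'BUG' : 'CODE_SMELL',
        primaryLocation: { message: m.message, filePath, textRange },
      });
    }
  }
  return { issues };
}

// Serialise this to a file and point sonar.externalIssuesReportPaths at it.
const SONAR_REPORT = toSonarGeneric(ESLINT_REPORT, '/work/app');
```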

3 posts were split to a new topic: Trouble with FortifyVulnerabilityExporter in Sonarqube version 8.9

eslint, tflint, tfsec, pylint, roslyn are the main 3rd-party rules we are importing.

The biggest problem with 3rd party support at the moment is that you have no ability to mark specific issues as “False Positive” or “won’t fix” or indeed ideally also to disable some of the rules completely, just as we could with native rules. Going further, to be able to attach descriptions/links to descriptions on the web would be great too.

If you import 3rd party results then violations will always show unless you fix them…and if you never intend on fixing them then they will always show, which isn’t great.

I understand that managing the rules globally (in profiles) might be a harder task but it seems like being able to mark a single instance of a violation as fixed/won’t fix/false positive should be relatively easy to achieve.

Of course it would be ideal if Sonar natively supported all the popular rule sets that are in use today for the various languages, but that is likely not achievable…however, improving the treatment of third-party rules should be!


Hi @tbutler, do you mind sharing what rules you are using in ESLint along with Sonar?

My apologies - I thought the work to integrate eslint had been done, but not yet. But if it helps, the .eslint.js file being used for linting, which will be imported into Sonar at some point, contains this section:

    // The posted section was cut off mid-object; the missing closing brackets
    // are restored here so the fragment is a valid config module.
    // `showError` is a variable defined earlier in the same file.
    module.exports = {
        rules: {
            '@typescript-eslint/explicit-function-return-type': 'off',
            '@typescript-eslint/explicit-module-boundary-types': 'error',
            '@typescript-eslint/interface-name-prefix': 'off',
            '@typescript-eslint/no-explicit-any': showError ? 'error' : 'off',
            '@typescript-eslint/no-use-before-define': 'off',
            '@typescript-eslint/no-unused-vars': ['error', { varsIgnorePattern: '^_', argsIgnorePattern: '^_' }],
            'semi': ['error'],
            'no-multiple-empty-lines': ['error', { max: 2, maxBOF: 1 }],
            'eqeqeq': ['error', 'always'],
            'getter-return': 'error',
            'no-compare-neg-zero': 'error',
            'quotes': ['error', 'single', { avoidEscape: true, allowTemplateLiterals: true }],
            '@typescript-eslint/ban-types': ['error', {
                types: {
                    Function: false,
                    Object: false,
                    object: false,
                    '{}': false
                }
            }],
            '@typescript-eslint/member-ordering': 'error',
            '@typescript-eslint/explicit-member-accessibility': 'error',
            'comma-dangle': 'off',
            '@typescript-eslint/comma-dangle': ['error', 'only-multiline']
        },
        extends: [
            // (the list of extended configs was cut off in the original post)
        ]
    };

I’m using Google’s error-prone. In order to manage the rules and the false positives I’ve resorted to making a Sonar plugin. Showing the rule description from inside the SonarQube interface really helps (I believe it is not possible when importing third-party issues).
