I am trying to find documentation on how to set up the OWASP project https://www.owasp.org/index.php/OWASP_SonarQube_Project for SonarQube. I tried to find it among the available plugins but I couldn't find anything related to it. I read a few documents and am a little bit confused about how to use OWASP with SonarQube.
I have SonarQube version 5.6. Can anyone help me understand how to set up OWASP in SonarQube?
Thanks,
There are no plugins to add. All the rules for your language that you have in SonarQube are tagged "cwe", "owasp", "bug" or something like this.
You could set up a profile with all the rules you want to check and name it "OWASP profile".
BTW, actually the OWASP SonarQube project was closed, and nothing more will be done on it.
In the documentation (https://docs.sonarqube.org/latest/extend/adding-coding-rules/#header-1) TypeScript isn't listed as a supported language for custom rules, but JavaScript is. Because of this, is it possible to use the JavaScript runner to execute custom TypeScript rules?
If not, is anyone aware of how to do more advanced rules with tslint, or is there an alternative to SonarQube that would allow it?
For SonarQube, visit here and here; it will help you.
And I found this: it's not possible, the concept of external issues appeared in SonarQube 7.2. Upgrade to the new LTS 7.9.
Dear SonarQube Community,
I have a general question: is it possible to write a plugin that will extend the Issue View? See the screenshot and its red marks.
I looked at the API for Plugin Development and didn't find a part where I can do that.
I want to develop for SonarQube 6.x.
Thank you!
Felix
There is no ability to extend this part of the UI.
I see a big difference in the look & feel between the online dashboard (https://sonarqube.com/projects or https://sonarqube.com/governance?id=MASTER_PROJECT) and the one that we see by default on our local installation of Sonar (v5.6.3).
I'm wondering whether the online look & feel can in some way be easily applied to a local installation. Is it just a matter of CSS/JS, or is there also a completely different HTML structure behind it?
Any information about this will be much appreciated.
I think I've found the answer to my question. The nice-looking online demo is based on an Enterprise Grade deployment of Sonar with the Governance plugin.
https://www.sonarsource.com/why-us/products/plugins/governance.html
https://www.sonarsource.com/solutions/deployments/enterprise-grade/
Can't you update your install to the latest version? There have been UI changes in both versions 6.0 and 6.1.
http://www.sonarqube.org/sonarqube-6-0-in-screenshots/
http://www.sonarqube.org/sonarqube-6-1-in-screenshots/
We are trying to install a CI platform with (Jenkins, Sonar, Eclipse ...),
so that every developer can analyse his code before committing. I'm wondering between two alternatives:
running local analysis with the Sonar plugin;
installing the different plugins that Sonar uses (FindBugs, PMD, Checkstyle ...) and configuring them to match the Sonar configuration.
I'm not sure which alternative to use. I used to work with FindBugs, PMD and Checkstyle in Eclipse and they look great.
Can you tell me which is the best alternative?
Thanks in advance.
Regards.
With the Sonar plugin you can manage the violations, for example:
Create a review
Mark a violation as false positive or fixed
View the hot classes and hot violations
View your reviews
If you use separate plugins you have to go to the Sonar web interface to do that.
The great advantage of Sonar is the reviews.
Another question is how many projects you have and will have. I currently work with more than 70 projects and many profiles. It is simpler for me to run analysis with one plugin, because I only need to add the server and find the project. With the other plugins you need to add the link for each project in each plugin's configuration.
Why not install the Sonar Eclipse plugin?
This was designed to solve the following problems:
Sonar does not support parallel analysis of the same project. This issue rules out the option of each developer running Sonar locally. (See SONAR-2761, SONAR-3306.)
You don't really want developers uploading metrics and source code into the Sonar database. They could be working on an uncommitted workspace and would therefore cause both inaccuracies and confusion if Sonar is being used for code review.
Sonar is really designed to be run from a continuous integration server (like Jenkins), building code that has been submitted to a shared codestream (or branch).
The big advantages of using the Eclipse plugin are:
True local analysis, no updates of the Sonar database
Configuration of the other tools is retrieved from the Sonar server and the jars are downloaded automatically.
Centralized management of Sonar quality profiles
I'd like to create a report in Sonar for the most actively edited files. I've looked around but can't find a plugin to do this. Any suggestions would be appreciated.
If relevant, my team uses AccuRev for SCM, and Sonar v2.14.
Thanks in advance.
Unfortunately, there's currently no plugin that meets your need (at least none that I'm aware of).
I could have suggested that you develop your own plugin based on the metrics generated by the SCM Activity Plugin, but AccuRev is not supported, so you would have to start from scratch :-/