I've been reading about SonarQube source code analysis platform and I've been wondering: what about formal methods?
I see that tools such as PMD and FindBugs can be easily integrated since its architecture promotes the use of plugins. Yet, I do not see abstract interpretation-based analyzers or even anything mentioning formal methods based tools.
I'm wondering if this is related to limitations of the rule-based approach of integrating plugins?
I read that they are improving the semantic analysis of Java, perhaps this can enable formal methods-based approaches...
Does anyone have more information on that? Like, is there any interest in pursuing this direction from the SonarQube team?
Thanks!
Related
Do Sonar and Veracode serve the same purpose, or can we use both tools to scan our applications?
Metrics like coverage, duplications, bugs and code smells are available in Sonar but they are not available in Veracode. So do we need to use both tools, or can we scan the above-mentioned metrics in Veracode as well?
Thanks
Each of those tools has a specific focus. Veracode is used for finding security vulnerabilities. SonarQube is used for determining general code quality. SonarQube has some static rules that address some vulnerabilities, but those are limited, and Veracode does much more thorough analysis of security vulnerabilities.
For many years I have used the available linting files provided in the Angular projects created through the CLI, mainly TSLint rules to lint the project.
I have also learnt that even SonarQube checks for code quality through a remote server.
But can someone explain what exactly is the main functional difference between using a lint file vs. using SonarQube?
Which system is best to use?
Or can we use both of them together?
Some differences have been highlighted here.
What is SonarQube?
SonarQube provides an overview of the overall health of your source code and even more importantly, it highlights issues found on new code. With a Quality Gate set on your project, you will simply fix the Leak and start mechanically improving.
What is TSLint?
An extensible static analysis tool that checks TypeScript code for readability, maintainability, and functionality errors. It is widely supported across modern editors & build systems and can be customized with your own lint rules, configurations, and formatters.
Both tools can be classified as static code analysis tools, aiming to find potential problems in your code. TSLint is more customisable w.r.t. coding rules, and SonarQube does more than static code analysis because it also provides feedback on security/vulnerability issues.
I'm working on a study around code best practices, and I'm trying to perform some automatic static code analysis on a list of repositories (Maven projects) using SonarQube.
The problem is that 99% of the repositories need specific steps to build (mvn compile is not sufficient), and I can't continue on the pipeline to send the code to SonarQube.
That's why I want to have on-steroids tools to perform code analysis without a build (without analyzing managed code). I have found lizard (Lizard is an extensible Cyclomatic Complexity Analyzer for many programming languages). But it doesn't have the same power as SonarQube.
Is it possible to do that with SonarQube? Is there any other tool as powerful as SonarQube?
Thank you!
I want to get a clear thought about why SonarQube should be chosen for code analysis and code review over tools like ReSharper, Fortify etc., and why it is better than the code analysis features that Microsoft provides?
First of all, you need to understand the purpose of these tools. SonarQube is focused on code quality; Fortify scans for code vulnerabilities. For CI/CD environments, it's quite common to have two tools running on each pipeline deployment, because those analyses are different.
SonarQube won't necessarily be "better" than any other code analysis or code review tool. There are tons of tools like SonarQube out there that could do the job for you. The most important things to hold in mind are:
What are your needs according to such a tool?
Are there other constraints, such as demands for the employer you are working for?
This does not take away that SonarQube does a good job in what it is offering, especially the part where you can manage your own rules and profiles.
Also see:
https://www.reddit.com/r/dotnet/comments/6daacw/sonarqube_vs_visual_studio_code_analysis/
Specifically, I want to run some analysis on the issues generated and rules violated. So I want to design the system to have a few click actions in the web interface of sonar and initiate the analysis in the back-end. The reason for this is that the analyses are run only during some cases and I don't want the instance with my plugin to have additional load during each run.
Also if possible could you point me in the right direction?
I couldn't find anything on here. http://docs.sonarqube.org/display/DEV/Web+API
Please note I have been searching this very recently and am also new to SonarQube.
SonarQube server is for performing analysis only. What I was looking for was for the server to give the user access to control the analysis. But using independent plugins to do static analysis could work.
I solved this issue by splitting the plugin into
A plugin for doing inline analysis work (if a need for doing our own static analysis arises)
A WebApp to classify issues, listing them by projects, etc.
This approach seemed more attractive when, after discussion, we decided that all functions we wanted our widget to do, our WebApp itself could do. From SonarQube version 6.2, the Ruby APIs are going to be deprecated, and so moving to a REST-based approach would give an enduring solution.
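As an added example of the REST-based approach the answer settles on (not code from the thread or from SonarQube itself), the script below pulls a project's issues through the real Web API endpoint /api/issues/search, walks its pagination, and aggregates the result by rule, severity and type, which is the kind of back-end analysis the question describes. The server URL, the project key "demo", the token handling and the component paths are assumptions; the canned response at the bottom is constructed in the shape the endpoint returns so the aggregation runs offline, and its rule keys are real SonarJava rule keys while the messages and issue types are sample values, not current rule metadata.

```python
"""Query SonarQube's /api/issues/search and summarize the issues found.

Added example for the thread above; it is not part of SonarQube. The
fetch function is injectable so the aggregation can run against a
constructed sample response without a server.
"""
import base64
import json
import urllib.parse
import urllib.request
from collections import Counter

# SonarQube caps the page size ('ps') at 500 and a single search at 10,000
# results; narrow the query with filters if a project has more issues.
PAGE_SIZE_MAX = 500


def build_issues_url(base_url, project_key, page=1, page_size=PAGE_SIZE_MAX, **filters):
    """Build the GET URL for /api/issues/search.

    'filters' may carry further real query parameters of that endpoint,
    e.g. severities="BLOCKER,CRITICAL" or types="VULNERABILITY".
    """
    params = {"componentKeys": project_key, "p": page, "ps": page_size}
    params.update(filters)
    return f"{base_url.rstrip('/')}/api/issues/search?{urllib.parse.urlencode(params)}"


def make_http_fetcher(token):
    """Return fetch(url) -> dict that authenticates with a SonarQube user token.

    SonarQube accepts the token as the HTTP Basic username with an empty
    password. The token value itself is an assumption supplied by the caller.
    """
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return fetch


def fetch_all_issues(fetch, base_url, project_key, **filters):
    """Walk the paginated result set and return every issue as a list of dicts.

    'fetch' maps a URL to the decoded JSON body, so a test can substitute
    canned pages for a live server.
    """
    issues, page = [], 1
    while True:
        body = fetch(build_issues_url(base_url, project_key, page, **filters))
        page_issues = body.get("issues", [])
        issues.extend(page_issues)
        paging = body.get("paging", {})
        # Stop once the pages seen so far cover the reported total (or the
        # server returned an empty page, which guards against a bad total).
        seen = paging.get("pageIndex", page) * paging.get("pageSize", PAGE_SIZE_MAX)
        if not page_issues or seen >= paging.get("total", 0):
            return issues
        page += 1


def summarize_issues(issues):
    """Aggregate counts by rule key, severity and type; list vulnerabilities."""
    return {
        "by_rule": Counter(i["rule"] for i in issues),
        "by_severity": Counter(i["severity"] for i in issues),
        "by_type": Counter(i["type"] for i in issues),
        "vulnerabilities": [i for i in issues if i["type"] == "VULNERABILITY"],
    }


# Constructed sample in the shape /api/issues/search returns, trimmed to the
# fields used here. Rule keys are real SonarJava keys; project key, paths,
# messages and types are sample values for this example only.
SAMPLE_RESPONSE = {
    "total": 3, "p": 1, "ps": 500,
    "paging": {"pageIndex": 1, "pageSize": 500, "total": 3},
    "issues": [
        {"key": "AX1", "rule": "java:S5542", "severity": "CRITICAL", "type": "VULNERABILITY",
         "component": "demo:src/main/java/app/Crypto.java", "line": 17,
         "message": "Use a robust cipher mode and padding."},
        {"key": "AX2", "rule": "java:S2259", "severity": "MAJOR", "type": "BUG",
         "component": "demo:src/main/java/app/UserDao.java", "line": 42,
         "message": "A NullPointerException could be thrown here."},
        {"key": "AX3", "rule": "java:S1068", "severity": "MAJOR", "type": "CODE_SMELL",
         "component": "demo:src/main/java/app/UserDao.java", "line": 9,
         "message": "Remove this unused private field."},
    ],
}


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in
    # make_http_fetcher("<your-token>") and a real base URL for a live server.
    found = fetch_all_issues(lambda url: SAMPLE_RESPONSE, "http://localhost:9000", "demo")
    report = summarize_issues(found)
    for bucket in ("by_type", "by_severity", "by_rule"):
        print(bucket, dict(report[bucket]))
    for v in report["vulnerabilities"]:
        print(f"{v['component']}:{v['line']} {v['rule']} {v['message']}")
```

The fetch callable is the only part that touches the network, so the same aggregation code can run inside a scheduled job or a small WebApp endpoint, in line with the answer's split between analysis and presentation, and unit tests can feed it canned pages.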