What’s on the SonarQube radar?
Last updated October 2018.
If you’ve got questions, join in the discussion on our community.
Detection of proven vulnerabilities
SonarQube started 10 years ago as a way to measure the maintainability of source code and manage its technical debt. Over the past couple of years, we worked hard to go further and detect real bugs. This achievement was made possible thanks to the addition of cross-procedural data flow analysis within files. Nowadays, SonarQube can detect memory leaks, advanced cases of null pointer dereferences, conditions that are always true or false regardless of the execution path etc.
The next step is to detect proven vulnerabilities and especially the ones relating to the OWASP Top 10 categories. Starting from the user entry points of the applications, the main challenge is to detect the unsafe user inputs which flow into some sensitive actions (construction of: SQL requests, directory paths, command lines, …) without being first sanitized. This move will make SonarQube a full SAST (Static Application Software Test) solution.
Update: check-out the SonarQube 7.2 announcement for our first milestone in the detection of injection vulnerabilities.
Support several additional programming languages
It is a key point of our value proposition to help you make any piece of code clean, reliable and safe. So, our solution should cover all major programming languages out-of-the-box. There are already 20 supported languages but some popular languages like Go, Kotlin, Scala, Apex, … are missing. Our commitment is to fill this gap, starting with Go and Kotlin.
Update: Go is supported since SonarQube 7.2, Kotlin and CSS made it in SonarQube 7.3, Ruby is supported since SonarQube 7.4, and Scala and Apex made it in SonarQube 7.5! More coming in the future!
Tight integration with ALM solutions
More and more, teams are using solutions like GitHub, BitBucket, Microsoft Azure DevOps (rebranded from VSTS), and GitLab to manage the development of their projects. Those solutions offer source code management, ticket management, build processes (except for GitHub), and pull requests. These are the worlds where development teams spend their lives - and those teams expect SonarQube to be there too!
While SonarQube already offers some integration in those solutions, most of these are very light and could offer far more advanced features to make development teams’ lives easier. There are 3 main domains on which we intend to provide the best user experience possible for those solutions: access to quality information, ease of code analysis setup, and pull request decoration.
Quality information on dashboards
Because development teams spend a lot of their time in those solutions, they expect to see the main quality indicators right there on their project dashboards. Something looks strange? Then the developer is just a click away from the powerful and detailed SonarQube web UI to dig further and understand what’s not going well.
Easy setup of code analysis
Configuring a build definition to trigger a SonarQube analysis might not be straightforward at first - especially if you are new to this world. Those third-party solutions all have ways to simplify the creation and management of build processes: launching a SonarQube analysis should be as simple as the other parts of those builds. This might mean helping you define secured SonarQube end-points, automatically passing the relevant information to the scanners, downloading the relevant tools under the hood - anything to save time!
Pull request decoration
Pull requests are probably the most powerful feature brought by these solutions. A pull request is a collaborative space that gets created on top of a feature branch to let a team review code, discuss concerns and make sure that in the end, everybody’s happy with the changes, and that they can be merged. What is more natural than expecting SonarQube to also give its quality-oriented feedback in this space? The kind of automatic code reviewer that will make you feel safe when you press the “Merge” button: you won’t break the quality gate!
Update: SonarQube can decorate Pull Requests since SonarQube 7.2, and the experience is being continuously improved since then.
Always up-to-date projects
Have you ever noticed discrepancies between the figures you see on your project homepage and the ones you have when you drill down into issues? Like you see “5 Bugs” on the project homepage, but when you click the link and end up on the Issues page only 4 bugs are visible? This behavior is due to the fact that manual changes on issues are taken into account only during the next analysis.
We want SonarQube to always give you an up-to-date view of your project - including whatever manual changes were made through the Web application or the WS API. No more need to wait for a new analysis to see the quality gate turn green if what was blocking it was marked “Won’t fix”! Obviously, all those manual changes will fire the relevant notifications and trigger the appropriate webhooks - if any, so your wallboards and other systems will always be up to date too.
Update: since SonarQube v7.0, the Quality Gate and overall Project data is up-to-date as soon as you update the status of any issue in SonarQube. No need to run a new analysis!
And portfolios and applications too!
The Governance feature allows you to gather projects into higher level entities: applications - a functional grouping of technical projects, and portfolios - a mapping of the organizational structure of a company. The executive-oriented, high-level indicators produced by Governance are currently updated when a refresh is triggered by some external system (usually a CI job), independent of project analysis. The consequence is that, depending on the frequency of this externally-triggered refresh task, those high-level indicators are imprecisely synchronized with the current status of the relevant projects.
The version of Governance compatible with the next LTS will get rid of the need to trigger this refresh, and update portfolio and application indicators as soon as one of the underlying projects has been updated. This way, there is no need to set up an external process to trigger portfolio calculation, and no wondering if what you are seeing in SonarQube is up to date or not.
Update: Applications and Portfolios are updated in real-time since SonarQube v7.1!
Developer space and gamification
From the very beginning, SonarQube was developed by developers, for developers. We truly believe that code quality should be owned by them, not pushed by management or blindly dictated by some QA team. However, when a developer logs into SonarQube, little is really related to her own work. Almost everything relates to the quality of the project she’s working on, and so to the team she’s working in. Basically, the only things that really relates to her are “My Issues”. Not only does this not reflect her development activity, but it points only to the “bad” things she’s doing.
With SonarQube 7, a developer will get a page where he sees all his contributions, including all the positive impacts he’s made recently on his projects - like the number of bugs fixed in his last few commits. On top of this activity feed, he will also get aggregated data on his work - like his overall coverage rate over the last six months. This page will give him a better overview of his own positive impact on code quality.
A very powerful way to create engagement is gamification. This is particularly true in software development - the most famous example being Stackoverflow, the Q&A website known by developers all around the world.
SonarQube 7 will grant points to users for every positive impact that they see on their “My Activity” page. Those points will allow them to rank themselves against their teammates, creating the friendly competition that one can expect from such gamification process.
Each positive action will also lead to achievement badges that will be visible on the developer page. Be ready to see some “Coverage Ninja” or “Bug Killer” icons!