
What’s in SonarQube for Developers and R&D Managers?


SonarQube is a static code analysis tool that helps developers improve the quality of their codebase by detecting potential issues, code smells, security vulnerabilities and technical debt.


I’m frequently asked how SonarQube helps developers and R&D managers on their daily tasks, so I decided to write an article that sums up all points and benefits.

First, I’ll explain at a high level how SonarQube helps, and then go into the details, separated by SonarQube edition.

We also maintain a detailed spreadsheet of all SonarQube functionality (separated by edition, filterable and sortable), which you can download here.

How SonarQube helps developers – at a high level:

SonarQube helps developers with several aspects of their job:

  • Code Quality: SonarQube acts like a code coach, analyzing developers’ work for bugs, potential security vulnerabilities (in commercial editions), and areas that could be written more efficiently. This helps developers catch issues early and write cleaner, more maintainable code.
  • Improved Efficiency: By identifying problems early, SonarQube saves developers time by preventing them from spending hours debugging complex issues later in the development cycle.
  • Skill Development: SonarQube’s feedback helps developers of all levels understand best practices and make better coding decisions. It empowers developers and can be a valuable tool for continuous learning.
  • Teamwork: SonarQube helps enforce consistent coding standards across a team. This makes code easier for everyone to understand and reduces the time spent deciphering someone else’s work.

How SonarQube helps developers – in detail:

SonarQube is offered in 4 editions; developers and R&D managers get the full set of functionality described here from the Enterprise Edition (the 3rd of the 4) onwards.

Let’s look at the main functionality offered in each edition:


What’s in the Community Edition for developers?

This edition is free and open source, and it offers the following:

1. Core of SonarQube and 60+ plugins

A variety of plugins are available for SonarQube (some are free, others are paid). You may also build your own plugins (and we can build them for you).

2. Scanning Code languages (static code analysis)

The Community Edition supports basic scanning of 16 languages:
Java, JavaScript, C#, Terraform, TypeScript, Kotlin, Ruby, Go, Scala, Flex, Python, PHP, HTML, CSS, XML, VB.NET

3. Scanning the master (main) branch only

Scan the master (main) git branch.

Note that you can’t scan other branches (e.g. feature branches) with the Community Edition, so you can’t apply a “shift left” methodology with it.

4. SonarLint (basics)

SonarLint delivers notifications about code issues and bugs in real time, inside the developer’s IDE (e.g. IntelliJ / VS Code), which helps them write cleaner code.

Note: SonarLint cannot be configured in this edition (you can do so in the Developer Edition, as explained below).


What’s in SonarQube Developer Edition for developers?

The Developer Edition offers everything in the Community Edition PLUS:

  1. Branch Analysis

You can scan any branch you want, e.g. task or feature branches (rather than only the main [master] branch), so you can detect problems much earlier, even before the code is merged upstream into the main branch.

  2. Pull Request Decoration & Analysis

This enables you to integrate SonarQube with your version control tools and add SonarQube analysis and a Quality Gate to your Pull Requests (or Merge Requests) in your ALM / DevOps provider’s interface, including GitLab, GitHub, Bitbucket and Azure DevOps.
It gives you fast feedback on scan results directly in the dashboard.

Illustration: Pull (Merge) request decoration with SonarQube and GitLab.

  3. Code Security Analysis / Capabilities

Security scanning with a variety of rules for each code language, e.g. detection of injection flaws
(our spreadsheet [download here] specifies how many rules there are for each language).

Note: the Community (free) Edition does not scan for security vulnerabilities.

  4. Extra SonarLint Capabilities (e.g. smart notifications)

In this edition it’s possible to configure and receive Smart Notifications (not available in the free Community Edition):
if you (as a developer) use SonarLint through your IDE, you can configure which notifications you receive.
For example, you can receive a message if your code has not passed the Quality Gate.

Note: SonarLint in the Community (free) Edition does not scan languages that are not supported in the free edition (e.g. C, C++ and others, as detailed below).

  5. Supporting more Languages

Developer Edition also scans the following code languages:

  1. C
  2. C++
  3. Objective-C
  4. PL/SQL
  5. ABAP
  6. TSQL
  7. Swift

Developer Edition supports 24 code languages in total.


What’s in SonarQube Enterprise Edition for developers and R&D managers?

The Enterprise Edition offers everything in the Developer Edition PLUS:

  1. Supporting more Languages

Enterprise Edition also scans the following code languages:

  1. Apex (of Salesforce)
  2. Cobol
  3. PL/1
  4. RPG
  5. VB 6 (Visual Basic)

SonarQube Enterprise Edition supports 29 code languages in total.

2. Portfolio and Reporting

This feature is useful when you have many projects. It shows you the status of your projects at a high level (which is often needed by development managers, team managers, CTOs, etc.).

It also lets you aggregate projects into groups, so you can visualize the information in a much clearer and more readable way.

Relevant features here:

  • Aggregation of projects. For instance, you can group projects by criteria that you decide, e.g. common code language, legacy projects, groups, teams, etc.
  • You can automate the report and send it by email (as a PDF report).

3. Security Reports

Security reports are available in the Enterprise Edition only.
These reports give you faster feedback, so you can fix security vulnerabilities much sooner.
SonarQube shows your security posture against the OWASP Top 10 and CWE Top 25 standards.

Illustration: Security Reports.

4. Security Hotspot + Security Vulnerabilities

Security Hotspots are code areas where SonarQube highlights suspicious code snippets that developers need to review (because there might be a vulnerability).

Illustration: Security Hotspot (Hashing data is security-sensitive).

This feature also helps improve developers’ skills and empowers them: as they write code and review the hotspots it raises, they learn about security risks and best practices for preventing them.

Security Vulnerabilities require immediate attention. SonarQube provides a detailed description and highlights the relevant code, which helps you understand what the risk is in the given code.

Illustration: Security Vulnerability. SonarQube identifies the problematic code and proposes a solution (in this case: use a key length that provides enough entropy against brute-force attacks; for the RSA algorithm it should be at least 2048 bits long).
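The two findings illustrated above (the “Hashing data is security-sensitive” hotspot and the RSA key-length vulnerability) are easiest to understand side by side with the code they point at. The following is an added example written for this article, not code from the page, from SonarSource or from any SonarQube rule; it assumes only the standard JDK providers and Java 17 or later (for `java.util.HexFormat`). Each “before” is the kind of snippet a developer sees flagged, and each “after” is the remediation the analysis suggests, plus a small check that can live in a unit test so the fix never regresses.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.util.HexFormat;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example (not part of the original article): "before" and "after" snippets
// for the two SonarQube findings discussed above.
public class SonarCryptoFindings {

    // --- Hotspot: "Hashing data is security-sensitive" ---
    // BEFORE: a fast, unsalted digest used for password storage. This is what a
    // reviewer should question when the hotspot is raised on a login/registration path.
    static String hashPasswordWeak(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return HexFormat.of().formatHex(digest);
    }

    // AFTER: a salted, iterated password-based KDF shipped with the JDK.
    // The per-user salt must be stored next to the hash; the iteration count
    // (assumed value here) is tuned so that one derivation takes tens of milliseconds.
    static byte[] hashPasswordStrong(char[] password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256); // iterations, key bits
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the password copy held by the spec
        }
    }

    static byte[] newSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // Constant-time comparison so a verifier does not leak where the hashes diverge.
    static boolean verifyPassword(char[] candidate, byte[] salt, byte[] storedHash)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        return MessageDigest.isEqual(hashPasswordStrong(candidate, salt), storedHash);
    }

    // --- Vulnerability: RSA key shorter than 2048 bits ---
    // BEFORE: 1024-bit modulus, flagged as providing too little entropy against brute force.
    static KeyPair generateRsaWeak() throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(1024);
        return kpg.generateKeyPair();
    }

    // AFTER: the remediation the finding proposes, a modulus of at least 2048 bits.
    static KeyPair generateRsaStrong() throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    // Regression check: reads the real modulus size rather than trusting the call site.
    static boolean isRsaKeyRobust(KeyPair kp) {
        return ((RSAPublicKey) kp.getPublic()).getModulus().bitLength() >= 2048;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for the demonstration.
        char[] password = "correct horse battery staple".toCharArray();
        byte[] salt = newSalt();
        byte[] stored = hashPasswordStrong(password.clone(), salt);

        System.out.println("weak MD5 hex   : " + hashPasswordWeak(new String(password)));
        System.out.println("PBKDF2 verify  : " + verifyPassword(password.clone(), salt, stored));
        System.out.println("wrong password : " + verifyPassword("wrong".toCharArray(), salt, stored));
        System.out.println("1024-bit robust: " + isRsaKeyRobust(generateRsaWeak()));   // false
        System.out.println("2048-bit robust: " + isRsaKeyRobust(generateRsaStrong())); // true
    }
}
```

Running the class prints the MD5 hex of the sample password (the value a reviewer would reject for password storage), `true` / `false` for the correct and wrong PBKDF2 verifications, and `false` / `true` for the 1024-bit and 2048-bit key checks. The `isRsaKeyRobust` check is the useful piece to keep around: it inspects the generated modulus, so it also catches keys loaded from a keystore or configuration file, not only the `initialize(...)` literal that static analysis sees.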

5. Parallel Processing of Analysis Reports

Enables you to process scans and analysis reports in parallel, which is useful if you have to run many scans and reports.
You can run up to 10 workers in parallel.


FAQ (Frequently Asked Questions):

  • Q: What’s the pricing of SonarQube?
    A: SonarQube pricing depends on several parameters:
    the edition (as explained above in the article);
    the number of lines of code you have;
    whether you take customer support.
    Contact us to get exact pricing and quotes: sonarqube@almtoolbox.com or call us.
  • Q: I’m using a code language supported by the Community (free) Edition (e.g. Java or C#).
    Does that mean I get all the capabilities of SonarQube?
    A: No. If you use the free edition, you only have access to the features available in the Community Edition.
    For instance, if you use Java (which is available in the free edition), you won’t get security rules, branch analysis, reports, etc.

ALM-Toolbox is an official distributor of SonarQube and provides consulting, SonarQube and SonarCloud licenses, implementation, training and managed services, and helps customers integrate SonarQube with business flows and CI/CD pipelines.
Contact us for any questions including pricing and quotes: sonarqube@almtoolbox.com or call us: 866-503-1471 (USA / Canada) or +972-722-405-222 
