What is Reddit's opinion of
SonarQube?
From 3.5 billion Reddit comments
➔ SonarQube website
By popularity on Reddit, this Service is:
22 reviews of this app found across Reddit:
Look into sonarqube.
There's a free thing. Push your code up to it. Read the smells, bugs, issues, etc. Learn why certain things are a problem, or probably a problem.
SonarQube is a free tool that does exactly this.
Fortify also does it but licenses are so expensive that my company won't even pay for one when SonarQube is there for free. We tell our customers that if they want our code fortify scanned they can provide the license or do it themselves.
That's actually a fairly difficult question to answer. The first step is understanding what you are actually trying to prevent. SQL injection? Denial of service attacks? Privilege escalation (in the sense of changing data that the caller shouldn't be able to? Once you have an idea of what you're trying to address, then you can look at your code and figure out how *you* (having a far greater understanding of any vulnerabilities than an outside attacker) would try and manipulate your system.
Since you mentioned already having a CI pipeline in place, you might consider something like SonarQube. It is an open source static code analyzer that looks for common problems in both coding style, (and to an admittedly lesser degree) obvious security issues. In fact there are several products that range from this sort of SCA to apps that will actively perform penetration scans.
If you can give us an example of what sort of service you'd be interested in securing, we might have better answers. The tech stack you're using would help a lot. Are you writing to a database and you're concerned about people changing data? Reading sensitive information you want to limit access to?
The way you phrased that question reminds me of a lot of IA people I've worked with. Someone has said "go make it secure!", but without actually trying to define the problem space or what you are trying to prevent.
Concrete examples can go a long way towards making sure we're all talking about the same concepts.
Haven't really noticed the polymorphism Intellisense suggestions.
Rather finds duplicate code. Potential bugs and nulls. Security Holes. And then improvements and suggested refactoring on some methods - it has really good prompts. Maintained or derived from SonarQube I believe - https://www.sonarqube.org/
SonarQube is the first one that comes to mind. If you want a simple method for setting it up locally for testing, take a look at my Vagrant script here:
We're in the process of switching to Sonarqube (https://www.sonarqube.org/) for our C# projects since it's free and gives some useful information on things like code coverage, smells, and vulnerabilities. You can also tweak the built-in definitions to customize them for your needs. We've set up jobs in Jenkins that run the task as part of our CI pipeline. Hope this helps!
i'm pretty sure resharper is a superset of the built-in analysis features. it's also an industry staple. so, i'd probably recommend using that since you have access to it.
if you want to run analysis on check-ins, you can check out https://www.sonarqube.org/. it seemed pretty good at c# analysis and doesn't cost any money. some people like seeing the weekly reports with test coverage and such.
Linting has mostly to do with code formatting and style. It's a good reminder to check and test their code before pushing.
SonarQube (formerly Sonar) looks for code smells, security no-no's and common bugs. It also shows you all kinds of statistics and breakdowns by project / file / contributor / whatever. It's a pretty nifty tool; it's also pretty effective at keeping egos in check.
I guess SonarQube might be inline with what you’re looking for.
>u/SonarSource·promotedAutomatically detect Security Vulnerabilities and Security Hotspots during your code review. Write the most efficient code possible with SonarQube.
.t3_z=gAAAAABh6Z3fs-BG3Mnm_c4APB37nVNjCb3tP1U8ZevzgYzY9MnHVwoWg5LaTgmuaSOOF1iWKRkZkh9dw7DRQetMZ0ibyLHPmhUHeCJ4PC0zYF3nAMCEtxMO2ea00qtElEkw4h4TXN_wshZymmmB8dFIJ9K-dMWViZzqqnkEjTpEHAYQ6WZ9mKzmOL7tDocCj_ZO3NWVHGU8vH8xf-pbI7JWsZBx3nvGUq9JBgpo8T6yJo-rhWJ0en428LRdgAgf8J-sQvrrfIAOm1UTnHrVxmMLQHjRT8k2WspDoRqgIo-v_RJiakXTJHeQ6-VOrkLOLaWyoRYd7tPbaj4WVmOICXv7dRjL3JJ1uWMIFq3xfQ-4W7TJWa4MxuXrlasiBOGHkxYdYIibw1Y79LLzLh-uR2Bw23U3FvH86-AYyp4xfbjSIQpoGzRKMX7vTB6Rjm41BJaO2quZFIP5s7Xxmjp6eshmhfown0JlwkB2DVxe1mv-FSDnN5xSaqUgQGvWubjoVozGXCFZ0AlxNyq9bjeCTNhgEq-fe9afYNdTuH9Z8fehYiVeBIBjlZ_bUAlLmGyIOZZ8sWas4o3GmGIhdjUbz1Qy6Bq1KGu7dCiTki3ltbld-dcemiyvLaw9ZJSzrj0qGZDi1-gLCHonf8Bl8DbEbhx23E6ke42nH56L6lgWnD2ah15i4Ul5aloUWA50JKXF9QFArQeRj2reIl1qyT45ZkRN5jScBiZe-HQaC9v8VH2BcVcgRPoZLSY3ovGjaigU3_o9R073LnS37q3Vas0b3sbco7hUTXvNTWFqqxSbBCFllUF_oB0Tp6VoS_ZNW2kCCh_sMMJv6AjN9FkSmRC2KtueBhy2B4LaLxR1unTcFV0JZIZOfpdCHdKlTjFDwh444n65iQWAehqKDZpszSlYsdY5i5CkC6qyydW4csMDrC2PF3S2mrTRv5uOCkDVFoJ6ZQXkbFFIgdD_Wj9YUSIERp-a2-v63VppCv5rn3RcLTDSKiM09R7pwStLCQxgoNlK5RxljNAtfEBzYZV_hb_gg7mxZJFuorxsuBbr8faX1bA5sODtGr9IHOeg_X6TCdgsIMEfKJJIQII2tSKrINIv34XYLTbMEKFlavMgQSNnCpm9dFW1-5Fspso5uKZM-mBO82BNApEP-ren7v_-HKCTrVqiouh4PCJkLAIG1dytA2u9OxADrZYXfEU4v-0wZLR22ig76Y1aQ7O7dt3PPgobvl4dL_Pi0ADa7guiTA0wLlUkuKlIeDw7k89zCpn1VdOPHTuxPQZ5Y7_Z48X5cyzDBEi5w9t_5YvqNAP_t7WNyhjR-SDuwbaG0hqtPEtFxd45o_YV9Kk73VKMRvnOShf1wl4Qi9R7X6kM62a4X9vVVC5OL1J7iV4D82RAgj2ZZ0JUDYmnDCuY9_17wlA6dtjY6oQKB-s_WZ6w7LJnz_2gVGq1S1qSRkUu6QOyYh6YlzKiGGdUa4Zkdb3ubdsjO1Ca2hwVJ1mpMmsDJdhTwqZs1lA_6k6BzadaCoTSpnAdsazd3ucdfjDbfMvQ ._2FCtq-QzlfuN-SwVMUZMM3 {
--postTitle-VisitedLinkColor: #9b9b9b;
--postTitleLink-VisitedLinkColor: #9b9b9b;
}
https://www.sonarqube.org/down...Download
Thank you!
Well, you have SonarLint that does that part, and then you pair them together.
It is not a combination I'm personally very happy with though. I find Sonarqube to be a bit "heavy", and it is clear that SonarQube is a fairly mature product at this point.
For example, with Checkstyle and SpotBugs it seems like you execute through Maven or Gradle - the build system. While Sonarqube executes through the IDE and pipeline.
My dream linter/code quality checker would be something that: - Can leave in-line comments on pull requests for feedback and not a "summary" comment that SonarQube leaves (soft quality gate). - Integrate with IDE and/or build system (preferably both). - Do changes on save/build/commit, but must be customizable (for example if the team decides that if statements must always have brackets). - Customizable rules through a simple format such as JSON or YAML. - Being able to import rules from SonarQube. - Support test coverage, and hopefully be able to provide in-line feedback on that.
I haven't looked that much at Checkstyle or SpotBugs, if they check these boxes then let me know :)
If your only testing 10% of your code how do you expect the other 90% to be bug free? Work on increasing your coverage with unit tests and integration tests.
We unit test 80% of the code but if there is nothing worth testing we don't enforce it. It's a rough guideline.
We write integration tests which run in our build pipelines so we know we didn't break any of the previous features.
Look into static analysis like SonarQube ( https://www.sonarqube.org/ ). You can run it locally on your machine for free. It will point out code smells and potential bugs.
As for the rest, think about the things you can control. Your test coverage is something you can control. Improve the coverage, improve the quality of tests. After that, if things are still a shieet show, get out. If they won't give you time to test the quality of the system, get out.
When I am alone on a project and nobody can review my code (I'm senior dev though), I use tools that perform static code analysis like Sonarqube.
Most modern IDE like Visual Studio or Intelij Idea have static code analysis integrated or you can add additional extensions.
Congratulations for doing this.
I am just putting out there Sonarqube as a hosted server, as you said you could not find anything else
https://www.sonarqube.org https://github.com/SonarSource/sonarqube
A mix of checkstyle, PMD and SonarQube.
Work everywhere and have plugins for all major IDEs.
The point of UML diagrams is that humans have an easier time seeing the big picture behind your code because it is easy to lose yourself in details if you just read the code.
The diagrams are not necessarily better suited to be analyzed automatically than the code itself. But there are tools to evaluate the design aspect of code (specifically cohesion, coupling, complexity). One that I know of and used at work for a few projects already is SonarQube.
There are existing code review tools out there that use some of these libraries but they are all aimed at a different market (devs not recruiters).
I'm using SonarQube. It's a static source code analyzer which is what you might be looking for. They offer a cloud solution and its free for open source projects: https://sonarcloud.io/
If it finds anything it also often tells you how to fix it. I've integrated it into my Github repo and it's super nice as it analyzes every pull request automatically.
>Is there an easy way to switch, or will it be a case of reinstalling?
Only a matter of getting the right Edition package (and license if needed), and just launching it on top of the same database/dataset.
In my opinion, the first thing to do, is writing clean , well commented code (following coding conventions basically) so debugging, checking or rereading the code will be easy and thus any mistake will be obvious.
Pay a good attention when Coping-Pasting piece of codes.
Check and verify libraries (third-party ones, mostly*)* you intend/want to use in your project, they might not be secure.
Tests do minimize code errors, hence can maximize security.
There are already plenty of tools that check your code for vulnerabilities, like SonarQube.
​
The PSR's are mainly about formatting. A style guide can also include:
- naming conventions for all language elements.
- maximum number of lines per class/method, method arguments, *use*d classes etc. to indicate complexity.
- coding conventions, like only 1 return per method, or all literals should be constants.
Think about tools to help you, like automatic formatting for consistency. And static analysis tools to check the rules you decide on. I like SonarQube for this, but there are others.
It wouldn't have taken them more than a few seconds to discover that https://www.sonarqube.org/ exists as an existing static analysis tool for Java (and other languages). You would have thought they would have picked a name that wouldn't get easily confused with another project.