A leak is never fun. If a pipe bursts in your house, and your floor is getting ruined, should you try to find a mop, or look for a way to fix the leak?

The same logic applies to making your code more maintainable, reliable and secure. That was SonarSource's message during the Sonar Summer City Tour 2016 (#ssct2016).

The company's product analyzes an application's source code so that quality is baked in from the moment development starts until the final product is delivered to your end clients.

How is that quality expressed? It can be summarized like this:

Analyze code, without executing it, by symbolically executing all possible paths.

Some of the ingredients in the secret sauce of the SonarAnalyzers are lexical, syntactic and semantic analysis, plus symbolic execution. Translation: you don't have to pay the overhead cost of running a full analysis for SonarQube to tip you off that your application could face serious performance, security and other problems.

To illustrate, take this famous sentence and apply the three kinds of analysis to it:

Only 2 things are infinite, the universe and human stupidity, and I am not sure about the former.
-Albert Einstein
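As an added illustration (not code from SonarSource or from this page), here is a toy version of the "symbolically execute all possible paths" idea in Python: it walks every feasible path of a small function, carrying an integer interval as the path condition, and reports a None dereference only on paths the constraints actually allow. It assumes a single integer parameter and handles only constant assignments, `if` comparisons and attribute access.

```python
import ast

# Constructed sample (not from the page): y is assigned only when x > 10, so the last return dereferences None whenever x <= 10.
SAMPLE = '''
def describe(x):
    y = None
    if x > 10:
        y = "big"
    if x > 20:
        return y.upper()
    return y.lower()
'''

NEGATE = {ast.Gt: ast.LtE, ast.GtE: ast.Lt, ast.Lt: ast.GtE, ast.LtE: ast.Gt}

def narrow(op, c, lo, hi):
    # Path-condition solver for one integer variable: shrink [lo, hi] so `x <op> c` holds; lo > hi means infeasible.
    if isinstance(op, (ast.Gt, ast.GtE)):
        return max(lo, c + 1 if isinstance(op, ast.Gt) else c), hi
    return lo, min(hi, c - 1 if isinstance(op, ast.Lt) else c)

def explore(stmts, env, lo, hi, findings):
    # Walk every feasible path, carrying symbolic values and the constraint on x.
    if not stmts:
        return
    stmt, rest = stmts[0], stmts[1:]
    if isinstance(stmt, ast.If):               # fork: one copy of the state per branch
        op, c = stmt.test.ops[0], stmt.test.comparators[0].value
        for body, branch_op in ((stmt.body, op), (stmt.orelse, NEGATE[type(op)]())):
            blo, bhi = narrow(branch_op, c, lo, hi)
            if blo <= bhi:                     # prune paths the constraint rules out
                explore(body + rest, dict(env), blo, bhi, findings)
        return
    for node in ast.walk(stmt):                # any `name.attr` where name is known to be None
        if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            if env.get(node.value.id, "?") is None:
                findings.append((stmt.lineno, node.value.id, (lo, hi)))
    if isinstance(stmt, ast.Return):
        return
    if isinstance(stmt, ast.Assign):           # constants stay symbolic, anything else is "?"
        value = stmt.value
        env[stmt.targets[0].id] = value.value if isinstance(value, ast.Constant) else "?"
    explore(rest, env, lo, hi, findings)

def find_none_derefs(src):
    # Returns (line, variable, range of x) for each None dereference on a feasible path.
    findings = []
    explore(ast.parse(src).body[0].body, {}, float("-inf"), float("inf"), findings)
    return findings
```

Note that the `x > 20` branch after a failed `x > 10` check is never walked: the interval solver proves it unreachable, which is exactly what lets a path-sensitive analyzer avoid a false positive on `y.upper()`.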

3 Key takeaways from Olivier Gaudin

  • Co-founder Olivier Gaudin reported that Sonar's three main product goals are maintainability, reliability, and security.
  • How: SonarLint, pull request analysis (pull requests from TFS and Git) to gauge production readiness, and SonarQube(.com).
  • To that end, their focus areas are the Long-Term Support (LTS) products, governance, scalability, the SonarAnalyzers, and SonarQube.com.

For now, SonarLint's Microsoft support covers only C# and VB.NET. No word yet on how soon that might change.

Roadmap

Throughout the day, I picked the brains of the leadership team: two of the co-founders, product manager Ann Campbell, and Eli Goodrich, the NYC-based product evangelist. Here’s what’s on tap:

As of the June Release

  • Sonar version 5.6 can aggregate data at various levels (team, department, or any other level). Perfect for management reporting!
  • Language plugins are now referred to as SonarAnalyzers.
  • If you use Sonar Runner, it does not need to be upgraded for version 5.6.
  • The SQALE rating has been deprecated and replaced by the maintainability rating in the governance plugin.
  • The new project homepage shows what changed between the last release and the current one: code smells, duplications, bugs, and security vulnerabilities.

Over the Next 1 to 2 Years

  • Branch support is coming! The user community has been asking, and Sonar plans to release an MVP later this year.
  • As you probably suspect, the newer security plugin is making progress, and a more viable version will be available next summer. It will probably not be able to replace a tool like Fortify for a good two years.
  • Today a SonarQube instance launches the web server, Elasticsearch, and the compute engine together. In the future it will be clustered, but will not keep state. A public rollout of www.SonarQube.com will target small dev teams that use GitHub.

For Further Exploration

If you have yet to implement any kind of consistent analysis of your organization’s source code, or if you’re not yet convinced of its value, Sonar makes some information freely available.

Visit https://jira.sonarsource.com/browse/RSPEC to see every rule's description and why it exists. Each rule comes with examples of compliant and non-compliant code, because there is no point in telling you something is wrong without giving you cues on how to fix it.

If you need to adhere to a particular industry standard, such as ISO, you can also find out how Sonar rules map to the ones of interest to you. You can even search for a rule such as CWE-212 to see all Sonar rules that reference it (CWE stands for Common Weakness Enumeration).

There may be other analyzers in the market, but there’s a reason that Sonar is ahead of the pack.