SonarQube

Developer: Sonar
Initial release: 2006–2007[1]
Stable release: SonarQube Server Release 2025.1 / January 2025
Written in: Java
Operating system: Cross-platform
Type: Static code analysis
License: Partly proprietary and partly GNU Lesser General Public License

SonarQube is an open-core static code analysis platform developed by Sonar.[2] It scans source code to detect issues such as bugs, vulnerabilities and code smells in over 35 programming languages as well as various infrastructure technologies.[3] SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, technical debt, code complexity, comments, bugs, software bills of materials (SBOMs), and security recommendations.[4][5]

Overview

SonarQube analyzes code to detect problems related to software security, reliability, and maintainability.[2] It integrates with DevOps platforms, including GitHub, Bitbucket, Azure DevOps, and GitLab.[6] The commercial offerings of SonarQube support programming languages such as Java (including Android), C#, C, C++, JavaScript, TypeScript, Python, Go, Swift, COBOL, Apex, PHP, Kotlin, Ruby, Scala, HTML, CSS, ABAP, Flex, Objective-C, PL/I, PL/SQL, RPG, T-SQL, VB.NET, VB6, and XML.[7]

Product Family

The umbrella term SonarQube encompasses multiple products:

  • SonarQube Server (formerly known simply as SonarQube) is the self-hosted variant of the tool.
  • SonarQube Community Build is a free and open-source build of SonarQube Server that lacks the proprietary features.
  • SonarQube Cloud (formerly SonarCloud) is a fully managed SaaS offering.
  • SonarQube for IDE (formerly SonarLint) is the collective name for the IDE plug-ins for Eclipse, Visual Studio, Visual Studio Code, Cursor, Windsurf, and IntelliJ IDEA.[8]
  • SonarQube Advanced Security is a licensable add-on that extends the code security analysis to third-party open-source code, i.e. the project's dependencies.[9]

Features

Advanced Static Application Security Testing (SAST)

Advanced SAST, included in SonarQube Advanced Security, detects vulnerabilities that arise where the analyzed code passes data into, or receives data from, third-party open-source dependencies,[10] so that a data flow is not lost at the boundary between first-party code and a library. It is available for Java, C#, and JavaScript/TypeScript code.[11][12]
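The following is an added illustration of the problem Advanced SAST addresses; it is not Sonar's analysis engine and does not use any SonarQube API. A toy intra-procedural taint analysis walks a constructed handler with Python's `ast` module. The source (`request.args`), sink (`render`), sanitizer (`html.escape`) and the library function `thirdparty.format_name` are all assumed names chosen for the example. Without a summary for the library call, the taint is dropped at the library boundary and the sink goes unreported; with a summary saying which argument the library propagates, the same flow is flagged.

```python
"""Toy taint analysis: how a library summary keeps a data flow alive across a dependency."""
import ast

# Constructed web-handler snippet to analyze (example input, not real project code).
# `thirdparty.format_name` stands in for a dependency whose source is not part of the project.
SAMPLE = '''
def handler(request):
    name = request.args["name"]
    safe = html.escape(name)
    pretty = thirdparty.format_name(name)
    render(safe)
    render(pretty)
'''

SOURCES = {"request.args"}      # attacker-controlled input (assumed)
SINKS = {"render"}              # dangerous consumers (assumed)
SANITIZERS = {"html.escape"}    # calls that neutralise taint (assumed)
# A summary records which argument positions a library function propagates to its result.
LIBRARY_SUMMARIES = {"thirdparty.format_name": {0}}


def dotted(node):
    """Render `a.b.c` style call targets as a string; anything else yields ''."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{dotted(node.value)}.{node.attr}"
    return ""


def is_tainted(node, tainted, summaries):
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Subscript):
        return dotted(node.value) in SOURCES or is_tainted(node.value, tainted, summaries)
    if isinstance(node, ast.Call):
        fn = dotted(node.func)
        if fn in SANITIZERS:
            return False
        if fn in summaries:
            return any(is_tainted(a, tainted, summaries)
                       for i, a in enumerate(node.args) if i in summaries[fn])
        # No summary for this call: the flow is lost here. This is the gap that
        # analysing the dependency itself (or a summary of it) closes.
        return False
    if isinstance(node, ast.BinOp):
        return (is_tainted(node.left, tainted, summaries)
                or is_tainted(node.right, tainted, summaries))
    if isinstance(node, ast.JoinedStr):
        return any(is_tainted(v.value, tainted, summaries)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, ast.Attribute):
        return is_tainted(node.value, tainted, summaries)
    return False


def analyze(source, summaries):
    """Return (line, sink, argument text) for each tainted value that reaches a sink."""
    findings = []
    tree = ast.parse(source)
    for func in [n for n in tree.body if isinstance(n, ast.FunctionDef)]:
        tainted = set()
        for stmt in func.body:
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                target = stmt.targets[0].id
                if is_tainted(stmt.value, tainted, summaries):
                    tainted.add(target)
                else:
                    tainted.discard(target)   # reassignment with a clean value clears taint
            elif (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
                    and dotted(stmt.value.func) in SINKS):
                for arg in stmt.value.args:
                    if is_tainted(arg, tainted, summaries):
                        findings.append((stmt.lineno, dotted(stmt.value.func), ast.unparse(arg)))
    return findings


if __name__ == "__main__":
    print("without library summary:", analyze(SAMPLE, {}))
    print("with library summary:   ", analyze(SAMPLE, LIBRARY_SUMMARIES))
```

The sanitized value `safe` is never reported in either mode; only the value that travelled through the unanalyzed library is affected by whether a summary exists.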

Software Composition Analysis (SCA)

SCA, included in SonarQube Advanced Security, lists known vulnerabilities (CVEs) in third-party dependencies, generates software bills of materials (SBOMs), and enforces open-source license policies.[10][13]
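As an added example of the three SCA tasks just listed (not Sonar's implementation, and independent of any SonarQube API), the block below matches a constructed dependency manifest against an excerpt of a vulnerability feed, emits a minimal CycloneDX-style SBOM, and checks licenses against an assumed deny-list. The two advisories are the real Log4Shell CVEs for `log4j-core` with simplified version ranges (pre-release versions are treated as their base version); `com.example:acme-utils` is a fictional component and the denied-license set is an assumed policy.

```python
"""Toy software composition analysis: CVE range matching, SBOM output, license policy."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str
    license: str


# Constructed dependency manifest for the example (acme-utils is fictional).
DEPENDENCIES = [
    Component("org.apache.logging.log4j", "log4j-core", "2.14.1", "Apache-2.0"),
    Component("com.fasterxml.jackson.core", "jackson-databind", "2.17.0", "Apache-2.0"),
    Component("com.example", "acme-utils", "1.3.0", "GPL-3.0-only"),
]

# Excerpt of a vulnerability feed: (group, name, introduced, fixed, cve, severity).
# Ranges are simplified; real feeds use richer range syntax and pre-release ordering.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.0", "2.15.0", "CVE-2021-44228", "CRITICAL"),
    ("org.apache.logging.log4j", "log4j-core", "2.0", "2.16.0", "CVE-2021-45046", "CRITICAL"),
]

DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}   # assumed policy for a proprietary product


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); a pre-release suffix such as '-beta9' is dropped (simplification)."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def version_in_range(version, introduced, fixed):
    """Half-open range [introduced, fixed): the fixed version itself is not affected."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def find_vulnerabilities(deps):
    results = []
    for c in deps:
        for group, name, introduced, fixed, cve, severity in ADVISORIES:
            if (c.group, c.name) == (group, name) and version_in_range(c.version, introduced, fixed):
                results.append({"component": f"{c.group}:{c.name}", "version": c.version,
                                "cve": cve, "severity": severity, "fixed_in": fixed})
    return results


def recommended_upgrade(deps):
    """Per component, the smallest version that clears every matched advisory."""
    targets = {}
    for r in find_vulnerabilities(deps):
        key = r["component"]
        if key not in targets or parse_version(r["fixed_in"]) > parse_version(targets[key]):
            targets[key] = r["fixed_in"]
    return targets


def purl(c):
    return f"pkg:maven/{c.group}/{c.name}@{c.version}"


def build_sbom(deps):
    """Minimal CycloneDX JSON document listing each dependency with its package URL and license."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "components": [{"type": "library", "group": c.group, "name": c.name,
                        "version": c.version, "purl": purl(c),
                        "licenses": [{"license": {"id": c.license}}]} for c in deps],
    }


def license_violations(deps):
    return [f"{c.group}:{c.name}" for c in deps if c.license in DENIED_LICENSES]


if __name__ == "__main__":
    print(json.dumps(build_sbom(DEPENDENCIES), indent=2))
    for v in find_vulnerabilities(DEPENDENCIES):
        print(f"{v['severity']} {v['cve']} in {v['component']} {v['version']} (fixed in {v['fixed_in']})")
    print("upgrade to:", recommended_upgrade(DEPENDENCIES))
    print("license violations:", license_violations(DEPENDENCIES))
```

The upgrade recommendation takes the highest fix version across all matched advisories, since upgrading only to the first fix (2.15.0) would still leave the second CVE open.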

AI Code Assurance

AI Code Assurance identifies code written with GitHub Copilot in GitHub projects and applies a separate static analysis rule set to that code.[14][15]

AI CodeFix

AI CodeFix automatically generates suggested fixes for issues found by static code analysis, within the IDE plug-ins or in SonarQube Cloud and SonarQube Server.[14]

Secrets Detection

Secrets Detection flags secrets such as passwords, application programming interface (API) keys, encryption keys, tokens and database credentials in source code, both in code repositories and in the supported IDEs.[16][10]
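As an added illustration of how such a scanner works (this is not Sonar's detector and uses no SonarQube API), the block below runs two kinds of rule over constructed source lines: high-confidence format patterns (an AWS access key ID prefix, a PEM private-key header) and a generic rule for credential-like identifiers assigned a string literal, which is filtered to skip obvious placeholders so that templates are not reported. Findings carry a redacted value and the Shannon entropy of the matched text rather than the secret itself. The sample lines contain no real credentials; the AWS value is Amazon's published documentation example, and the placeholder marker list and rule set are assumptions to tune per code base.

```python
"""Minimal secrets scanner: format-specific rules plus a generic hard-coded-credential rule."""
import math
import re
from dataclasses import dataclass

# Constructed sample source (no real credentials; the AKIA value is AWS's documentation example).
SAMPLE_SOURCE = """\
DB_PASSWORD = "hunter2"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
token = os.environ.get("SERVICE_TOKEN")
API_KEY = "<your-api-key-here>"
-----BEGIN RSA PRIVATE KEY-----
secret = "s3cr3tV4lu3_w1th_h1gh_3ntr0py_9f8e7d6c5b4a"
"""


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    redacted: str      # the report never carries the full secret
    entropy: float     # Shannon entropy (bits/char) of the matched text, as supporting evidence


# High-confidence formats (assumed rule set; AWS access key IDs are 20 chars starting with AKIA).
SPECIFIC_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]

# Generic rule: a credential-like identifier assigned a quoted literal of six or more characters.
GENERIC_RULE = re.compile(
    r"(?i)(?:password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[=:]\s*[\"']([^\"']{6,})[\"']"
)

# Values that look like templates rather than secrets (assumed list).
PLACEHOLDER_MARKERS = ("<", ">", "${", "your", "changeme", "placeholder", "dummy", "xxx")


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    return value[:4] + "..." if len(value) > 4 else "..."


def is_placeholder(value):
    v = value.lower()
    return any(marker in v for marker in PLACEHOLDER_MARKERS)


def scan(source):
    """Return one Finding per flagged line; specific rules take precedence over the generic one."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        matched = False
        for rule_id, pattern in SPECIFIC_RULES:
            m = pattern.search(line)
            if m:
                text = m.group(0)
                findings.append(Finding(lineno, rule_id, redact(text), round(shannon_entropy(text), 2)))
                matched = True
        if matched:
            continue
        m = GENERIC_RULE.search(line)
        if m and not is_placeholder(m.group(1)):
            value = m.group(1)
            findings.append(Finding(lineno, "hardcoded-credential", redact(value),
                                    round(shannon_entropy(value), 2)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule} value={f.redacted} entropy={f.entropy}")
```

The line that reads the token from the environment is not reported, because the generic rule only fires on a quoted literal; the placeholder line is suppressed by the marker filter. Entropy is reported but not used as a gate, since a short, low-entropy hard-coded password is still a hard-coded password.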

References

  1. ^ "History | SonarSource". www.sonarsource.com.
  2. ^ a b "Sonar Bets On AI Code Automation With AutoCodeRover Acquisition". Forbes. February 24, 2025.
  3. ^ "Supported languages | SonarQube Server | Sonar Documentation". docs.sonarsource.com. Archived from the original on 2026-02-28. Retrieved 2026-04-02.
  4. ^ "Sonar" (PDF). Methods and Tools. Vol. 18, no. 1. 2010-03-01. pp. 40–46. ISSN 1661-402X. Retrieved 2017-08-29.
  5. ^ Campbell, Ann; Papapetrou, Patroklos (2013). SonarQube in Action. Greenwich, Connecticut, USA: Manning Publications. p. 350. ISBN 978-1617290954.
  6. ^ "DevOps platforms | SonarQube Cloud | Sonar Documentation". 2026-02-12. Retrieved 2026-04-02.
  7. ^ "Multi-Language - SonarQube". Retrieved 2021-01-25.
  8. ^ "Sonar Streamlines Product Naming to Reflect Core Mission of Code Quality and Security". Retrieved 2024-12-14.
  9. ^ Blanchard, Sydney (March 11, 2025). "Sonar Ushers in Support for Third-Party, Open Source Code Analysis and Security". Database Trends and Applications.
  10. ^ a b c Blanchard, Sydney (March 11, 2025). "Sonar Ushers in Support for Third-Party, Open Source Code Analysis and Security". Database Trends and Applications.
  11. ^ Tan, Aaron (September 11, 2024). "How Sonar is elevating code quality in the age of AI". Computer Weekly.
  12. ^ Barron, Jenna (August 2, 2023). "Sonar's new SAST tool includes support for thousands of open-source libraries". SD Times.
  13. ^ Vizard, Mike (March 11, 2025). "Sonar Combines SAST and SCA Tools in Single Offer". DevOps.com.
  14. ^ a b Gillin, Paul (October 3, 2024). "Sonar now inspects AI-generated code for glitches". SiliconANGLE.
  15. ^ Simone, Stephanie (January 27, 2025). "Sonar Empowers Developers with SonarQube Server LTA Release to Integrate AI in the Software Development Lifecycle". Database Trends and Applications.
  16. ^ Vizard, Mike (December 18, 2023). "Sonar Adds Secrets Detection to Code Analysis Portfolio". DevOps.com.