SonarQube Training
Session #1 - Overview
A journey in the land of code quality and security
@sonarsource | © SonarSource 2015-2022
Agenda
Session #1 - Overview
● SonarSource’s approach to Code Quality and Security
● The Clean As You Code paradigm
● Security overview
● Demo of SonarSource’s own production SonarQube platform
● Demo of SonarLint
● Platform walkthrough: show your production platform, how you configured and used it so far
● Q&A
SonarSource’s approach to code quality and security
History
● 2007 - Sonar 1.0: first SonarQube version
● 2008 - SonarSource: SonarSource created; SonarCloud
● 2016 - SonarQube 5.6 LTS: Clean As You Code (aka “Water Leak”)
● 2017 - SonarQube 6.7 LTS: Branches; Data Center Edition; Docker & K8S; more DevOps integration
● 2019 - SonarQube 7.9 LTS: SAST; PR decoration
● 2021 - SonarQube 8.9 LTS: RIPS acquisition; more SAST
Our Team
● Switzerland (HQ): 191
● US: 62
● France: 22
● Germany: 19
A lively community
360,000+ live platforms
https://community.sonarsource.com
Software (and SonarQube) is everywhere
Customer diversity is good for our rules
17’000+ commercial customers, across: Aerospace & Defence, Automotive, E-commerce, Energy, Financial Services, Healthcare, Media, Public Sector, Transport & Logistics, Retail, Technology, Telecommunications
Our mission
Every developer and development team uses SonarSource for code quality and security
SonarQube Quality Model
Analysis
● Security: Vulnerabilities & Hotspots
● Reliability: Potential Bugs
● Maintainability: Technical Debt - Code Smells
● Complexity
Key Feature - Quality Gate
Key Feature - Clean As You Code
New Code vs. Legacy Code:
● Track new issues
● Compute metrics on new code
○ Coverage
○ Duplications
Key Feature - SAST
● Detect Injection vulnerabilities
● SonarQube UI shows tainted data flow
● OWASP / SANS reporting
● Other vulnerabilities (data exposure, poor practices)
● New Security Hotspots
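To make the “tainted data flow” idea concrete, here is an added example in Python (not from the SonarSource deck): a user-supplied value (the taint source) reaches a SQL execution call (the sink) by string concatenation, beside the parameterised version that a taint analysis treats as safe. The in-memory SQLite table, the `lookup_*` functions and the sample inputs are constructed for this illustration.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for a real users table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """`username` is the taint SOURCE (think: an HTTP request parameter).
    Concatenating it into the statement carries the taint into the SINK
    (conn.execute); this source-to-sink path is what a SAST taint analysis
    reports as an injection vulnerability."""
    query = "SELECT name, role FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup, but the value is passed as a bound parameter. The SQL
    text is now a constant, so tainted data never becomes part of the
    statement and the flow is no longer reported."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()

# Constructed inputs: one ordinary username, one shaped to break out of the quotes.
BENIGN = "bob"
HOSTILE = "x' OR '1'='1"

def demo() -> dict:
    """Run both lookups on both inputs and return the rows each one yields."""
    conn = make_db()
    return {
        "vulnerable_benign": lookup_vulnerable(conn, BENIGN),
        "vulnerable_hostile": lookup_vulnerable(conn, HOSTILE),  # every row leaks
        "hardened_benign": lookup_hardened(conn, BENIGN),
        "hardened_hostile": lookup_hardened(conn, HOSTILE),      # matches nothing
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The hardened variant is exactly the kind of fix SonarQube expects when it flags the highlighted source-to-sink path: the same query, with the untrusted value bound instead of concatenated.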
Key Feature - Branch & PR support
Key Feature - Documented rules
Key Feature - Language coverage
Key Feature - In IDE analysis
Key Feature - DevOps integration
● SCMs
● CI Tools
● Build Tools
● Authentication
● IDEs
Clean As You Code: Fundamentals
Caveats of traditional approaches
● Risk of functional regression
● Fix “easy” old issues, not “difficult” new ones
● Developer pushback
○ Not my code
○ Too many issues
○ Boring!
● Huge legacy debt: where to find budget?
● Resistance to evolution of Quality Profiles
What is best practice?
You take personal responsibility for your code
Huge legacy debt
Avoid being overwhelmed: a lot of work here, not so much there
Huge legacy debt
Get rid of budget considerations: 1511 days = between $400K and $1200K
Compensation
SonarQube will not let you fix an old issue to compensate for a new one
● Old issues: you may fix some of these (...also, be careful of functional regression here!)
● New issues: you MUST fix these. New issues are much more dangerous than old ones: their runtime effect is unpredictable
Developer Push Back
Issues are assigned to the developers who create them
● Blame data determines who added or modified this code
● Issue assigned to the corresponding Sonar user
Quality Profile evolution
Making it easier to raise the bar or use new rules from new SQ versions
My project with old quality profile vs. same project with upgraded profile:
● Significant increase in old code issues
● Low or no increase in new code issues
Cleaning up the legacy code
Development lifecycle will renew old code into cleaner new code
● TODAY (existing code base): before SonarSource, the existing code base will contain an unknown percentage of bad code
● 1 YEAR WITH SonarSource (20% clean code): every year, ~20% of the code base is changed; SonarSource is the Quality Gate for all new code
● 5 YEARS WITH SonarSource (50% clean code): in five years, SonarSource usage will systematically clean at least 50% of the code base
Going further
Shift left and shorten the feedback loop
● On-the-fly analysis: 2 sec
● Feature branch / PR analysis: 15 min
● Main / Release branch analysis: 24h
Security overview
Security: What we do and don’t do
● SAST (what we do): in the DevSecOps pipeline, primarily for developers, fast!
● DAST, SCA (what we don’t do): a specific process, for auditors
Security: What we detect
OWASP Top 10 Security Risk Categories
● A1 Injection
● A2 Broken Auth
● A3 Data Exposure
● A4 XXE
● A5 Broken Access Control
● A6 Security Misconfiguration
● A7 XSS
● A8 Insecure Deserialization
● A9 Components with Vulnerabilities
● A10 Insufficient Logging & Monitoring
Security in 8.9 LTS
Languages coverage and evolution
● Web and Common Apps
○ Injection (taint) vulnerabilities
○ Non-injection vulnerabilities
○ Security Hotspots
● System & Embedded
○ Buffer overflow vulnerabilities
○ Other non-injection vulnerabilities
○ Security Hotspots
Vulnerabilities: fix security risks
Security Hotspots: review security-sensitive code
Demo
Platform walkthrough