| SonarQube | |
|---|---|
| (Image: A SonarQube project homepage) | |
| Developer | Sonar |
| Release | 2006–2007[1] |
| Stable release | SonarQube Server Release 2025.1 / Jan 2025 |
| Written in | Java |
| Operating system | Cross-platform |
| Type | Static code analysis |
| License | Partly proprietary and partly GNU Lesser General Public License |
| Website | Official website |
SonarQube is an open-core static code analysis platform developed by Sonar.[2] It scans source code to detect issues such as bugs, vulnerabilities and code smells in over 35 programming languages as well as various infrastructure technologies.[3] SonarQube offers reports on duplicated code, coding standards, unit tests, code coverage, technical debt, code complexity, comments, bugs, software bills of materials (SBOMs), and security recommendations.[4][5]
Overview

SonarQube analyzes code to detect problems related to software security, reliability, and maintainability.[2] It integrates with DevOps platforms, including GitHub, Bitbucket, Azure, and GitLab.[6] The commercial offerings of SonarQube support programming languages such as Java (including Android), C#, C, C++, JavaScript, TypeScript, Python, Go, Swift, COBOL, Apex, PHP, Kotlin, Ruby, Scala, HTML, CSS, ABAP, Flex, Objective-C, PL/I, PL/SQL, RPG, T-SQL, VB.NET, VB6, and XML.[7]
Product Family

The umbrella term SonarQube encompasses multiple products:
- SonarQube Server (formerly known as just SonarQube) is the self-hosted variant of the tool.
- SonarQube Community Build is a free and open-source build of SonarQube Server that lacks the proprietary features.
- SonarQube Cloud (formerly SonarCloud) is a fully managed SaaS solution.
- SonarQube for IDE (formerly SonarLint) is a summary term for the various IDE plug-ins for Eclipse, Visual Studio, Visual Studio Code, Cursor, Windsurf, and IntelliJ IDEA.[8]
- SonarQube Advanced Security is a licensable feature that extends the code security capabilities to support scanning third-party open source code.[9]
Features

Advanced Static Application Security Testing (SAST)

Advanced SAST, included in SonarQube Advanced Security, detects vulnerabilities that stem from the analyzed code interacting with third-party open-source dependencies[10] for Java, C#, and JavaScript/TypeScript code.[11][12]
Software Composition Analysis (SCA)

SCA, included in SonarQube Advanced Security, lists known vulnerabilities (CVEs) in third-party dependencies, generates software bills of materials (SBOMs) and enforces open source license policies.[10][13]
AI Code Assurance

AI Code Assurance detects code created in GitHub projects by GitHub Copilot and applies a separate static analysis rule set to this code.[14][15]
AI CodeFix

AI CodeFix automatically generates suggestions to fix issues detected by static code analysis within the IDE plugins or in SonarQube Cloud and Server.[14]
Secrets Detection

Secrets Detection flags secrets in source code, both in code repositories and the supported IDEs, such as passwords, application programming interface (API) keys, encryption keys, tokens, and database credentials.[16][10]
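Detectors of the kind this section describes typically combine a provider-specific key format, a credential-like identifier, an entropy estimate and suppression of template placeholders; the following Python is an added illustration of that approach (not SonarQube's own rules or code) run over constructed sample lines, with the generic assignment rule, threshold and placeholder list being assumptions of the example.

```python
import math
import re

# Constructed sample source (not from a real repository); the key ID is AWS's documented sample.
SAMPLE_SOURCE = '''\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = "k7Gx2pQ9vL4mZ8tR1sW6yB3nC5dF0hJa"
password = "summer2024"
DB_PASSWORD = "changeme"
password = os.environ["DB_PASSWORD"]
# api_key = "<your-api-key>"
'''

# Rule 1: provider-specific format ("AKIA" + 16 upper-case alphanumerics).
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2 (hypothetical generic rule): quoted literal assigned to a credential-like name.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>\w*(password|passwd|secret|api_?key|token|access_key)\w*)"
    r"\s*[:=]\s*[\"'](?P<value>[^\"']+)[\"']")
PLACEHOLDERS = {"changeme", "password", "xxx", "todo", "dummy"}
ENTROPY_THRESHOLD = 3.5  # bits per character; random 32-char tokens score ~5

def shannon_entropy(s):  # bits per character of the string's own distribution
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def is_placeholder(value):  # template markers and filler words are not live credentials
    v = value.lower()
    return v.startswith(("${", "<", "{{", "$(")) or v in PLACEHOLDERS

def redact(value):  # reports must not echo the candidate secret itself
    return f"{value[:4]}...({len(value)} chars)"

def scan(source):
    """Return (line_no, rule, severity, redacted_value) per suspected secret."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        fmt = AWS_ACCESS_KEY.search(line)
        if fmt:  # format rule fires regardless of the variable name
            findings.append((line_no, "aws-access-key-id", "high", redact(fmt.group(0))))
            continue
        m = ASSIGNMENT.search(line)
        if not m or is_placeholder(m.group("value")):
            continue
        value = m.group("value")
        # Random-looking values are confident hits; a low-entropy literal under a
        # credential name is still reported, since weak passwords would otherwise slip by.
        severity = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
        findings.append((line_no, "hardcoded-credential", severity, redact(value)))
    return findings
```

Running `scan(SAMPLE_SOURCE)` reports lines 1 to 3 and stays silent on the filler word, the environment lookup and the commented template value.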
References

1. "History | SonarSource". www.sonarsource.com.
2. "Sonar Bets On AI Code Automation With AutoCodeRover Acquisition". Forbes. February 24, 2025.
3. "Supported languages | SonarQube Server | Sonar Documentation". docs.sonarsource.com. Archived from the original on 2026-02-28. Retrieved 2026-04-02.
4. "Sonar" (PDF). Methods and Tools. Vol. 18, no. 1. 2010-03-01. pp. 40–46. ISSN 1661-402X. Retrieved 2017-08-29.
5. Campbell, Ann; Papapetrou, Patroklos (2013). Sonar (SonarQube) in Action. Greenwich, Connecticut, USA: Manning Publications. p. 350. ISBN 978-1617290954.
6. "DevOps platforms | SonarQube Cloud | Sonar Documentation". 2026-02-12. Retrieved 2026-04-02.
7. "Multi-Language - SonarQube". Retrieved 2021-01-25.
8. "Sonar Streamlines Product Naming to Reflect Core Mission of Code Quality and Security". Retrieved 2024-12-14.
9. Blanchard, Sydney (March 11, 2025). "Sonar Ushers in Support for Third-Party, Open Source Code Analysis and Security". Database Trends and Applications.
10. Blanchard, Sydney (March 11, 2025). "Sonar Ushers in Support for Third-Party, Open Source Code Analysis and Security". Database Trends and Applications.
11. Tan, Aaron (September 11, 2024). "How Sonar is elevating code quality in the age of AI". Computer Weekly.
12. Barron, Jenna (August 2, 2023). "Sonar's new SAST tool includes support for thousands of open-source libraries". SD Times.
13. Vizard, Mike (March 11, 2025). "Sonar Combines SAST and SCA Tools in Single Offer". DevOps.com.
14. Gillin, Paul (October 3, 2024). "Sonar now inspects AI-generated code for glitches". SiliconANGLE.
15. Simone, Stephanie (January 27, 2025). "Sonar Empowers Developers with SonarQube Server LTA Release to Integrate AI in the Software Development Lifecycle". Database Trends and Applications.
16. Vizard, Mike (December 18, 2023). "Sonar Adds Secrets Detection to Code Analysis Portfolio". DevOps.com.
