Scribd Logo
Upload

Welcome to Scribd!

  • SonarQube Training - Overview Session

    Uploaded by

    Steeve Paladin
    3 views35 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    3 views35 pages

    SonarQube Training - Overview Session

    Uploaded by

    Steeve Paladin

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 35

    SonarQube Training

    Session #1 - Overview
    A journey in the land of code quality and security

    @sonarsource | © SonarSource 2015-2022


    Agenda
    Session #1 - Overview

    ● SonarSource’s approach to Code Quality and Security


    ● The Clean As You Code paradigm
    ● Security overview
    ● Demo of SonarSource’s own production SonarQube platform
    ● Demo of SonarLint
    ● Platform walkthrough: Show your production platform, how you
    configured and used it so far
    ● Q&A
    SonarSource’s approach
    To code quality and security
    History
    SonarSource SonarQube 6.7 LTS SonarQube 8.9 LTS

    ● SonarSource ● Branches ● RIPS acquisition


    created ● Data Center Edition ● More SAST
    ● SonarCloud ● Docker & K8S
    ● More DevOps
    integration

    2007 2008 2016 2017 2019 2021

    Sonar 1.0 SonarQube 5.6 LTS SonarQube 7.9 LTS

    ● First SonarQube ● Clean As You Code ● SAST


    version (aka “Water Leak”) ● PR decoration
    Our Team
    Germany: 19

    US: 62
    Switzerland: 191
    (HQ)

    France: 22
    A lively community

    360,000+
    live platforms

    https://community.sonarsource.com
    Software (and SonarQube) is everywhere
    Customer diversity is good for our rules
    Aerospace & Defence Automotive E-commerce Energy

    17’000+
    commercial
    customers
    Financial Services Healthcare Media Public Sector

    Transport & Logistics Retail Technology Telecommunications


    Our mission

    Every developer and development


    team uses SonarSource for
    code quality and security
    SonarQube Quality Model
    Security
    Vulnerabilities &
    Hotspots

    Analysis
    Reliability Complexity
    Potential Bugs

    Maintainability
    Technical Debt - Code Smells
    Key Feature - Quality Gate
    Key Feature - Clean As You Code

    ● Track new issues


    New Code
    ● Compute metrics on new code
    ○ Coverage
    ○ Duplications

    Legacy Code
    Key Feature - SAST

    ● Detect Injection
    vulnerabilities
    ● SonarQube UI shows tainted
    data flow
    ● OWASP / SANS reporting
    ● Other vulnerabilities
    (data exposure, poor
    practices)
    ● New Security Hotspots
    Key Feature - Branch & PR support
    Key Feature - Documented rules
    Key Feature - Language coverage
    Key Feature - In IDE analysis
    Key Feature - DevOps integration
    SCMs

    CI Tools Authentication

    Build Tools IDEs


    Clean As You Code
    Fundamentals
    Caveats of traditional approaches
    Risk of
    functional
    regression

    Developer
    Fix “easy” old pushback
    issues, not “difficult” ● Not my code
    new ones ● Too many
    issues
    ● Boring!

    Huge legacy debt


    Where to find
    budget? Resistance to
    evolution of
    Quality Profiles
    What is best practice?
    You take personal responsibility for your code
    Huge legacy debt
    Avoid being overwhelmed
    A lot of
    work here

    Not so much
    there
    Huge legacy debt
    Get rid of budget considerations

    1511 days =
    between $400K
    and $1200K
    Compensation
    SonarQube will not let you fix an old issue to compensate for a new one

    You may fix But you MUST fix


    some of these these

    ...also, be
    careful of
    functional New issues are much
    regression more dangerous than
    here! old ones: their
    runtime effect is
    unpredictable
    Developer Push Back
    Issues assigned to developers that creates them

    Blame data
    determines who
    added or
    modified this
    code

    Issue assigned to
    corresponding
    Sonar user
    Quality Profile evolution
    Making it easier to raise the bar or use new rules from new SQ versions

    Significant increase in
    old code issues

    Low or no increase in
    new code issues

    My project with old quality profile Same project with upgraded profile
    Cleaning up the legacy code
    Development lifecycle will renew old code into cleaner new code

    1 YEAR WITH 5 YEARS WITHE


    TODAY

    Existing
    Existing
    Code
    Existing Code
    Code Base Base Clean Base
    Clean Code
    Code
    20%
    50%

    Before SonarSource, the Every year, ~20% of the code In five years, SonarSource
    existing code base will base is changed; usage will systematically
    contain an unknown SonarSource is the Quality clean at least 50% of the
    percentage of bad code Gate for all new code code base
    Going further
    Shift left and shorten the feedback loop

    On-the-fly Feature branch/ Main/Release


    analysis PR analysis branch analysis

    2 sec 15 min 24h


    Security overview
    Security
    What we do and don’t do

    In the
    Primarily for
    SAST DevSecOps
    Developers
    pipeline
    Auditors

    Specific
    DAST SCA Fast !
    process
    Security: What we detect
    OWASP Top 10 Security Risk Categories

    A1 A2 A3 A4

    Injection Broken Auth Data Exposure XXE

    A5 A6 A7 A8

    Broken Access Security XSS Insecure


    Control Misconfiguration Deserialization

    A9 A10

    Components with Insufficient Logging


    Vulnerabilities & Monitoring
    Security in 8.9 LTS
    Languages coverage and evolution
    Web and Common Apps System & Embedded
    ● Injection (taint) vulnerabilities ● Buffer overflow Vulnerabilities
    ● Non injection vulnerabilities ● Other non-injection Vulnerabilities
    ● Security Hotspots ● Security Hotspots
    Vulnerabilities
    Fix Security Risks
    Security Hotspots
    Review Security-sensitive code
    Demo
    Platform
    walkthrough

    You might also like