Give me two! Update of PVS-Studio plugin for SonarQube

The PVS-Studio plugin for SonarQube has been working for a long time, but in the latest update the plugin turned into two plugins. In this note, we will tell you why this happened, what has changed, and how to live with it.

SonarQube is an open source platform for continuous code quality assurance that supports multiple programming languages and provides reports on a wide range of metrics: code coverage, potential errors, code duplication, standards compliance, etc.

We maintain a plugin for integrating PVS-Studio analysis results into SonarQube. It adds analyzer messages to the SonarQube server's issue base so that the warnings can be conveniently managed in the web interface.

Note: You can read more about integrating PVS-Studio into SonarQube in the documentation.

Some time ago, one of our users encountered a problem and immediately reported it to us: PVS-Studio warnings tagged with the High and Low levels were missing from the SonarQube report, which made the report seriously confusing to read.

Unfortunately, we don't have a full-time detective, so we set about investigating why this could happen ourselves. And eventually we found the problem! It turned out that the user was using a fresh version of SonarQube, which had some unexpected changes.

Previously, in SonarQube, rules had two separate characteristics: Type (Code Smell, Bug, Vulnerability, Security Hotspot) and Severity (Info, Minor, Major, Critical, Blocker).

But starting with version 10.2, the single five-level Severity was replaced by two characteristics: Software Quality (Maintainability, Reliability, Security) and a new Severity (Low, Medium, High), which the API calls Impact. The warning filters ignore the old characteristics as Deprecated, so for PVS-Studio diagnostics SonarQube fell back to the default level of Reliability / Medium, hiding all the bugs found under a single flag.

We rolled up our sleeves and started implementing support for the new API version in our plugin, and something truly magical happened as a result of solving this problem. Now there are two PVS-Studio plugins for SonarQube! Each of them is designed for different versions of SonarQube and the corresponding API versions. One plugin is for versions starting from 7.6 and ending with 10.1, and the other is for 10.2 and higher.

In addition, in the plugin for SonarQube 10.2 and higher, when the display of warnings as vulnerabilities is enabled, the warnings are now distributed across both OWASP Top 10 UI filters (2017 and 2021).
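To make the API change concrete, here is an added example (not the PVS-Studio plugin's own code) of how a SonarQube plugin declares one rule with both the pre-10.2 characteristics (Type and Severity) and the 10.2+ ones (Software Quality and Impact severity), and tags a vulnerability rule for both OWASP Top 10 filters. The repository key, the rule "V_EXAMPLE_SEC", the mapping of PVS-Studio levels to SonarQube values, and the OWASP categories are all hypothetical choices made for illustration; `addDefaultImpact` and `OwaspTop10Version` are real `sonar-plugin-api` calls that exist only in API versions 10.1 and later, which is why a build against the older API cannot set the new characteristics.

```java
// Added example, not code from the PVS-Studio plugin. Requires sonar-plugin-api 10.1+.
import org.sonar.api.issue.impact.SoftwareQuality;
import org.sonar.api.rules.RuleType;
import org.sonar.api.server.rule.RulesDefinition;

public class PvsStudioRulesDefinitionExample implements RulesDefinition {

    // Hypothetical identifiers; the real plugin's repository key may differ.
    static final String REPOSITORY_KEY = "pvs-studio-example";
    static final String LANGUAGE_KEY = "cpp";

    // PVS-Studio certainty levels as the analyzer reports them.
    enum PvsLevel { HIGH, MEDIUM, LOW }

    @Override
    public void define(Context context) {
        NewRepository repo = context.createRepository(REPOSITORY_KEY, LANGUAGE_KEY)
                                    .setName("PVS-Studio (example)");

        // V501 is a real PVS-Studio diagnostic (abbreviated description);
        // V_EXAMPLE_SEC is a constructed placeholder for a security-relevant rule.
        defineRule(repo, "V501", "Identical sub-expressions on both sides of an operator",
                   PvsLevel.HIGH, false);
        defineRule(repo, "V_EXAMPLE_SEC", "Placeholder security diagnostic",
                   PvsLevel.MEDIUM, true);

        repo.done();
    }

    static void defineRule(NewRepository repo, String key, String name,
                           PvsLevel level, boolean asVulnerability) {
        NewRule rule = repo.createRule(key)
                           .setName(key + ": " + name)
                           .setHtmlDescription("<p>" + name + "</p>");

        // Pre-10.2 characteristics: still accepted, but the new filters ignore them.
        rule.setType(asVulnerability ? RuleType.VULNERABILITY : RuleType.BUG);
        rule.setSeverity(legacySeverity(level));

        // 10.2+ characteristics. Without an explicit impact every rule falls back
        // to Reliability / Medium, which is what hid the High and Low warnings.
        SoftwareQuality quality = asVulnerability ? SoftwareQuality.SECURITY
                                                  : SoftwareQuality.RELIABILITY;
        rule.addDefaultImpact(quality, impactSeverity(level));

        if (asVulnerability) {
            // Populate both OWASP Top 10 filters; the categories are placeholders.
            rule.addOwaspTop10(OwaspTop10Version.Y2017, OwaspTop10.A9);
            rule.addOwaspTop10(OwaspTop10Version.Y2021, OwaspTop10.A6);
        }
    }

    // Hypothetical mapping of PVS-Studio levels to the old five-level Severity.
    static String legacySeverity(PvsLevel level) {
        switch (level) {
            case HIGH:   return org.sonar.api.rule.Severity.CRITICAL;
            case MEDIUM: return org.sonar.api.rule.Severity.MAJOR;
            default:     return org.sonar.api.rule.Severity.MINOR;
        }
    }

    // Hypothetical mapping of PVS-Studio levels to the new Impact severity.
    static org.sonar.api.issue.impact.Severity impactSeverity(PvsLevel level) {
        switch (level) {
            case HIGH:   return org.sonar.api.issue.impact.Severity.HIGH;
            case MEDIUM: return org.sonar.api.issue.impact.Severity.MEDIUM;
            default:     return org.sonar.api.issue.impact.Severity.LOW;
        }
    }
}
```

Declaring both sets of characteristics keeps the rule filterable on 10.2+ servers while older fields remain populated for the legacy views; the two `Severity` types share a simple name and live in different packages, so one of them has to be referenced by its fully qualified name.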

With the release of version 7.32 of the PVS-Studio static analyzer, you can now download the plugin for the SonarQube version you need on our website.

Note: And if for some reason SonarQube does not suit you, then PVS-Studio also integrates into the DefectDojo DevSecOps platform, which you can read about in this article.

If you would like to share this article with an English-speaking audience, please use the translation link: Valerii Filatov. Get me two! PVS-Studio plugin update for SonarQube.
