Comparison with SonarQube
SonarQube
SonarQube is a code quality assurance tool that collects and analyzes source code and reports on the code quality of your project. It runs static analysis on the code and can import the results of dynamic tooling (unit test execution and coverage reports), so quality can be measured continually over time. Everything from minor styling choices to design errors is inspected and evaluated by SonarQube.
GitHub Link : SonarQube
SonarQube is written in Java, but through plugins it can analyze and manage code in more than 27 programming languages, including C/C++, PL/SQL and COBOL. Plugins extend the functionality of SonarQube; more than 50 plugins are available.
Currently supported languages:

| Supported languages | | | |
|---|---|---|---|
| Java | Go | Scala | PL/SQL |
| C# | Swift | HTML | RPG |
| C | COBOL | CSS | T-SQL |
| C++ | Apex | ABAP | VB.NET |
| JavaScript | PHP | Flex | VB6 |
| TypeScript | Kotlin | Objective-C | XML |
| Python | Ruby | PL/I | |
SonarQube inspects and reports on:

- Architecture and design
- Unit tests
- Duplicated code
- Potential bugs
- Complex code
- Coding standards
- Comments
The SonarQube Server consists of the following processes:

- Web Server: lets developers and managers browse quality snapshots and configure the SonarQube instance
- Search Server: based on Elasticsearch, backs the searches made from the UI
- Compute Engine Server: processes the code analysis reports and saves them in the SonarQube database

The SonarQube Database stores:

- The configuration of the SonarQube instance
- The quality snapshots of projects, views, etc.

SonarQube plugins are installed on the server, possibly including language, SCM, integration, authentication, and governance plugins.

SonarScanners run on build/continuous integration servers to analyze a project and send the analysis report to the server.
| Feature/Criteria | SonarQube |
|---|---|
| Supported languages | The 27 languages listed above, including C, C++, Java, JavaScript, PHP, Go and Python |
| Flexibility of scanning | Less flexible: the rule sets ship with the product and its plugins, so adding new checks or altering existing ones is limited to what the rule engine exposes |
| Complexity | Mostly UI based, less complex |
| User friendliness | User friendly |
| Language knowledge / mandatory prerequisite | Only needs to know how to run the scanner against the project; no query writing is required |
CodeQL
CodeQL is a code analysis engine developed by GitHub. Developers use it to automate security checks, and security researchers use it to analyze codebases for vulnerabilities.
There are three major components:
- The Engine
- The Database
- The Queries
The Engine is the core component that does the work: lexing/tokenizing the code, building an Abstract Syntax Tree (AST), and deriving the Control-Flow Graphs (CFG) and Data-Flow Graphs (DFG).

During extraction, CodeQL creates and stores in a Database everything it needs about the code for the analysis. This yields a large amount of data and facts about the codebase that can be queried to identify items and flows in the code, such as security vulnerabilities.

Both the Engine and the Database are driven through the CodeQL CLI: `codeql database create` runs the extractor and builds the database, and `codeql database analyze` evaluates queries against it.

The Queries, written in QL (the Query Language), are where developers or security researchers define which parts of the code they want to identify (sources and sinks) and configure data-flow analyses that return the flows they are looking for in an application. CodeQL queries are, at their core, a way of querying data from a CodeQL database to return a set of results.
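The following query is an added example, not code from this page or from GitHub's own query suites, showing the source/sink/sanitizer configuration pattern described above for the Python library of current CodeQL releases (the module-based `DataFlow::ConfigSig` API; older releases expose the same concepts through a `TaintTracking::Configuration` class). The module names `RemoteCmdConfig` and `RemoteCmdFlow` and the query id are made up for the example; `RemoteFlowSource`, `SystemCommandExecution` and the `API` graph are the standard library's.

```ql
/**
 * @name Shell command built from remote input (added example)
 * @description Finds OS commands whose text is influenced by data that arrived
 *              over the network and did not pass through shlex.quote().
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.8
 * @precision high
 * @id example/py/remote-command-injection
 * @tags security
 */

import python
import semmle.python.ApiGraphs
import semmle.python.Concepts
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources

// The configuration: what counts as a source, a sink and a sanitizer.
// (Module name is assumed for this example.)
module RemoteCmdConfig implements DataFlow::ConfigSig {
  // Sources: every value the library models as remote user input
  // (Flask/Django request parameters, request bodies, headers, ...).
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sinks: the command argument of any modeled OS command execution
  // (subprocess.run/Popen, os.system, os.popen, ...).
  predicate isSink(DataFlow::Node sink) {
    sink = any(SystemCommandExecution exec).getCommand()
  }

  // Sanitizer: the result of shlex.quote() is treated as safe, so a path
  // that goes through it is not reported.
  predicate isBarrier(DataFlow::Node node) {
    node = API::moduleImport("shlex").getMember("quote").getACall()
  }
}

// Global taint tracking rather than plain data flow, so that string
// concatenation and formatting keep the value tainted along the path.
module RemoteCmdFlow = TaintTracking::Global<RemoteCmdConfig>;

import RemoteCmdFlow::PathGraph

from RemoteCmdFlow::PathNode source, RemoteCmdFlow::PathNode sink
where RemoteCmdFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "This command line depends on a $@.", source.getNode(), "user-provided value"
```

Against a Flask handler that does `subprocess.run("ping " + request.args.get("host"), shell=True)`, the query reports a path from the `request.args` read (the source) to the command argument (the sink); wrapping the parameter in `shlex.quote()` removes the finding because the call result is a barrier. To run it, place the file in a query pack whose `qlpack.yml` depends on `codeql/python-all`, build the database with `codeql database create <db-dir> --language=python --source-root=<project>`, then evaluate it with `codeql database analyze <db-dir> <path-to-query> --format=sarif-latest --output=results.sarif` (directory and file names here are placeholders).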
| Feature/Criteria | CodeQL |
|---|---|
| Supported languages | Currently 7: C/C++, C#, Go, Java, JavaScript/TypeScript, Python, Ruby |
| Flexibility of scanning | Highly flexible: queries are written by the user, so new checks can be added and existing ones altered |
| Complexity | Complex, command line based |
| User friendliness | Less user friendly because of its set-up and the way it is used |
| Language knowledge / mandatory prerequisite | Good knowledge of writing CodeQL queries is needed |