
Get me two! PVS-Studio plugin update for SonarQube

12 Aug 2024

The PVS-Studio plugin for SonarQube has been around for a long time. However, in the latest update, we've turned one plugin into two plugins! This post will explain why it happened, what's new, and what's next.

SonarQube is an open-source platform developed for continuous code quality assurance. It supports numerous programming languages and metrics: code coverage, potential bugs, duplicated code, coding standards, and much more.

PVS-Studio provides a plugin that helps integrate the PVS-Studio reports into SonarQube. It allows users to add analyzer messages to the SonarQube server database and conveniently handle these warnings in the web interface.

Note: you can read more about the PVS-Studio integration into SonarQube in the documentation.

Some time ago, our users informed us that they encountered an error: the PVS-Studio warnings with High and Low levels were missing in the SonarQube report. It seriously confused users.

Unfortunately, we don't have a full-time detective, so if not us, who? We investigated the case and found the problem! The user was using the latest SonarQube version, which had some unexpected updates.

Previously SonarQube issues had two attributes: Type (Code Smell, Bug, Vulnerability, Security Hotspot) and Severity (Info, Minor, Major, Critical, Blocker).

However, starting with version 10.2, the developers replaced the five-level Severity with Software Quality (Maintainability, Reliability, Security) and an updated Severity (Low, Medium, High), which is called Impact in the API code. When filtering warnings, the old issue types were ignored as deprecated, so SonarQube set Reliability Medium as the default level for PVS-Studio diagnostic rules, hiding all the detected bugs under one flag.

We rolled up our sleeves and started implementing support for the new API version in our plugin. Something truly magical happened in the end. Now there are two PVS-Studio plugins for SonarQube! We developed each plugin for different SonarQube versions and their corresponding API versions. One plugin is for versions from 7.6 up to 10.1, and the other is for 10.2 and later.

Plus, the plugin for SonarQube 10.2 or later now distributes warnings across both OWASP Top 10 UI filters (2017 and 2021). This works if displaying warnings as vulnerabilities is enabled.

The PVS-Studio static analyzer 7.32 has been released. Now you can download the plugin for the SonarQube version you need on our website.

Note: if SonarQube does not meet your goals, you can also use PVS-Studio with a DevSecOps platform, DefectDojo. You can learn more in this article.
