How hard to develop a free C/C++ plugin for SonarQube?


dave.w...@owasp.org

Feb 3, 2016, 9:39:55 AM
to SonarQube, Dave Wichers
I was wondering how hard it would be to create such a plugin?  I notice there is a commercial plugin from SonarSource, which includes proprietary rules, so I understand why they might charge for it. But, it would be nice if there was a free plugin for those languages with no rules. And then free/commercial static analysis tool results for those languages could be imported into SonarQube if plugins for those tools were developed, such as Fortify, Coverity, CLANG, or whatever.
 
Any clue how hard it would be to create a free plugin to support these languages, without any of the proprietary SonarQube rules for those languages? I understand in general, that to recognize C/C++ files, we'd need a plugin that declares the language and its file extensions. And then to import other tools' results - with or without the commercial plugin - we'd need a plugin that registers the relevant rules, reads the tool reports and raises issues appropriately.
 
To do this, couldn't someone port an existing free plugin for another language to support C/C++ pretty easily? I would assume that registering rules, raising issues, declaring a language and its file extensions, etc. would all be pretty general capabilities that are very similar from one language to another.
 
Another option would be for SonarSource to split their existing commercial plugin so they support the language for free, and just charge for the rules. That would be the ideal solution in my opinion. Would SonarSource be amenable to doing that? If not, would the ecosystem easily/naturally support 2 plugins for the same languages (a free and commercial one) or would that cause serious problems?
 
Thanks, Dave
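The plugin structure Dave sketches above (declare a language and its file suffixes, register rules, read a tool's report, raise issues), as an added example that is not code from this thread or from any SonarSource or SonarOpenCommunity project. It is written against the org.sonar.api plugin API of the SonarQube 5.x line; the language, repository and rule keys and the inline report are hypothetical, constructed values.

```java
import org.sonar.api.Plugin;
import org.sonar.api.batch.fs.InputFile;
import org.sonar.api.batch.sensor.Sensor;
import org.sonar.api.batch.sensor.SensorContext;
import org.sonar.api.batch.sensor.SensorDescriptor;
import org.sonar.api.batch.sensor.issue.NewIssue;
import org.sonar.api.resources.AbstractLanguage;
import org.sonar.api.rule.RuleKey;
import org.sonar.api.server.rule.RulesDefinition;

public class ExternalCppPlugin implements Plugin {
  static final String LANG = "cppext";        // hypothetical language key
  static final String REPO = "ext-cpp-tool";  // hypothetical rule repository key
  static final String RULE = "EXT-001";       // hypothetical rule key
  @Override public void define(Context ctx) {
    ctx.addExtensions(CppLanguage.class, ExternalRules.class, ReportSensor.class);
  }

  /** Declares the language and the file suffixes SonarQube should index for it. */
  public static class CppLanguage extends AbstractLanguage {
    public CppLanguage() { super(LANG, "C/C++ (external)"); }
    @Override public String[] getFileSuffixes() { return new String[] {".c", ".cc", ".cpp", ".h", ".hpp"}; }
  }

  /** Registers the rule(s) imported findings are attached to; no analysis logic of its own. */
  public static class ExternalRules implements RulesDefinition {
    @Override public void define(Context ctx) {
      NewRepository repo = ctx.createRepository(REPO, LANG).setName("External C/C++ tool");
      repo.createRule(RULE).setName("Finding reported by an external analyzer")
          .setHtmlDescription("Issue imported from an external tool's report.");
      repo.done();
    }
  }

  /** Reads a "path:line:message" report (constructed inline) and raises one issue per entry. */
  public static class ReportSensor implements Sensor {
    @Override public void describe(SensorDescriptor d) { d.name("External C/C++ report import").onlyOnLanguage(LANG); }
    @Override public void execute(SensorContext ctx) {
      String[] report = {"src/main.cpp:42:unchecked buffer length"};  // constructed sample report
      for (String entry : report) {
        String[] f = entry.split(":", 3);
        if (f.length < 3) continue;  // malformed report entry: skip rather than abort the scan
        InputFile file = ctx.fileSystem().inputFile(ctx.fileSystem().predicates().hasPath(f[0]));
        if (file == null) continue;  // report refers to a file that is not part of this project
        NewIssue issue = ctx.newIssue().forRule(RuleKey.of(REPO, RULE));
        issue.at(issue.newLocation().on(file).at(file.selectLine(Integer.parseInt(f[1]))).message(f[2])).save();
      }
    }
  }
}
```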
 

arjen.v...@gmail.com

Feb 3, 2016, 11:08:50 AM
to SonarQube, dave.w...@aspectsecurity.com, dave.w...@owasp.org

Not sure if you know this, but there is a free C++ plugin. https://github.com/SonarOpenCommunity/sonar-cxx
Compared to Java it is a bit more complex to use, but it works very well. I have no experience with the paid C++ plugin so I can't compare them.
Also their community is pretty active and open for questions.



On Wednesday, 3 February 2016 at 15:39:55 UTC+1, dave.w...@owasp.org wrote:

Freddy Mallet

Feb 3, 2016, 4:20:15 PM
to dave.w...@owasp.org, SonarQube, Dave Wichers
FYI @Dave, Coverity has developed a SonarQube plugin: https://github.com/coverity/coverity-sonar-plugin

For Fortify, I would expect HP to do the same thing.

At SonarSource, we're progressively moving away from this integration pain to remain focused on what is our core business: developing some valuable and easy to use quality issues/bugs detection engines (most of them open source and free) and the platform to efficiently manage those issues.

Freddy

--
Freddy MALLET | SonarSource
Product Director & Co-Founder
http://sonarsource.com

Dave Wichers

Feb 3, 2016, 4:47:34 PM
to Freddy Mallet, dave.w...@owasp.org, SonarQube, arjen.v...@gmail.com
Arjen just told me about: https://github.com/SonarOpenCommunity/sonar-cxx

Does the Coverity plugin require either this C++ plugin or the SonarSource C++ plugin, or is it standalone on its own?

When you say "moving away from this integration pain" I'm not sure what you mean. Does that mean you are planning to offer a C/C++ plugin for free (possibly without any rules), so that tools from HP or whomever that have analyzed C/C++ code can import their results into SonarQube?

I'm sorry if I don't really understand what your response means with respect to plugins for C/C++ in SonarQube.

-Dave


Freddy Mallet

Feb 3, 2016, 4:59:08 PM
to Dave Wichers, dave.w...@owasp.org, SonarQube, arjen.v...@gmail.com
Hi @Dave,

Sorry if my first answer was not crystal clear :): No, we don't plan to provide a kind of light, free C/C++ plugin that allows plugging in any external rule engine. As for the SonarQube Coverity plugin, that question should be asked to Coverity.

Kind regards
Freddy
