Top 50 SonarQube Interview Questions with Answers

SonarQube Interview Questions with Answers

1. What is SonarQube?

A. A coding tool
B. A testing tool
C. A code analysis tool
D. A project management tool

Answer: C

2. What language(s) does SonarQube support?

A. Java
B. Python
C. PHP
D. All of the above

Answer: D

3. What plugins can you install in SonarQube?

A. Cobertura
B. PMD
C. FindBugs
D. All of the above

Answer: D

4. What is a plugin in SonarQube?

A. A collection of rules and metrics for code analysis
B. A tool to manage users and permissions in SonarQube
C. A module to integrate SonarQube with your code repository
D. A visualization tool for code coverage reports

Answer: A

5. What types of issues can SonarQube find and report?

A. Security vulnerabilities
B. Code smells
C. Bugs
D. All of the above

Answer: D

6. What is a code smell in SonarQube?

A. A violation of good coding practices
B. A security vulnerability
C. A bug in the code
D. A performance bottleneck

Answer: A

7. How does SonarQube calculate code coverage?

A. By measuring the number of lines of code executed during testing
B. By measuring the number of test cases written
C. By analyzing the code and reporting on the percentage of code coverage
D. By measuring the number of bugs discovered during testing

Answer: C

8. What is the purpose of a quality gate in SonarQube?

A. To set the quality standards for a project
B. To track the progress of a project
C. To verify that a project meets certain quality criteria
D. To generate reports on a project’s code quality

Answer: C

9. Can SonarQube integrate with Jenkins?

A. Yes
B. No

Answer: A

10. What is the purpose of the SonarLint plugin?

A. To perform code analysis in an IDE
B. To generate reports on code coverage
C. To manage users and permissions in SonarQube
D. To visualize code quality reports

Answer: A

11. Can SonarQube analyze code written in C++?

A. Yes
B. No

Answer: A

12. What is the purpose of the SonarQube Runner?

A. To install SonarQube on a server
B. To perform code analysis on a project
C. To manage plugins in SonarQube
D. To configure quality gates in SonarQube

Answer: B

13. What is the purpose of the SonarQube web dashboard?

A. To configure the SonarQube server
B. To display project metrics and code quality reports
C. To manage user permissions in SonarQube
D. To generate code coverage reports

Answer: B

14. Can SonarQube analyze code written in Ruby?

A. Yes
B. No

Answer: A

15. What is the purpose of the SonarQube Scanner?

A. To generate code coverage reports
B. To visualize code quality reports
C. To perform code analysis on a project
D. To manage plugins in SonarQube

Answer: C

16. Can SonarQube integrate with Git?

A. Yes
B. No

Answer: A

17. What is the purpose of the SonarQube API?

A. To configure the SonarQube server
B. To perform code analysis on a project
C. To manage user permissions in SonarQube
D. To integrate SonarQube with external systems

Answer: D

18. Can SonarQube analyze code written in .NET languages such as C# and VB.NET?

A. Yes
B. No

Answer: A

19. What is the purpose of the SonarQube Issues report?

A. To display all issues found during code analysis
B. To track the progress of a project
C. To manage user permissions in SonarQube
D. To configure quality gates in SonarQube

Answer: A

20. Can SonarQube analyze code written in JavaScript?

A. Yes
B. No

Answer: A

21. What is the purpose of the SonarQube portfolio management plugin?

A. To manage users and permissions in SonarQube
B. To track the progress of multiple projects
C. To visualize code quality reports
D. To generate code coverage reports

Answer: B

22. Can SonarQube analyze code written in Swift?

A. Yes
B. No

Answer: A

23. What is the purpose of the SonarQube token authentication plugin?

A. To manage users and permissions in SonarQube
B. To configure quality gates in SonarQube
C. To integrate SonarQube with external systems
D. To perform code analysis on a project

Answer: A

24. Can SonarQube integrate with GitHub?

A. Yes
B. No

Answer: A

25. What is the purpose of the SonarQube Measurer plugin?

A. To perform code analysis on a project
B. To track the progress of a project
C. To generate code coverage reports
D. To visualize code quality reports

Answer: C

26. Can SonarQube analyze code written in TypeScript?

A. Yes
B. No

Answer: A

27. What is the purpose of the SonarQube CI/CD plugin?

A. To generate reports on code coverage
B. To configure quality gates in SonarQube
C. To perform code analysis in a CI/CD pipeline
D. To manage users and permissions in SonarQube

Answer: C

28. Can SonarQube integrate with Jenkins Pipeline?

A. Yes
B. No

Answer: A

29. What is the purpose of the SonarQube Quality model plugin?

A. To manage users and permissions in SonarQube
B. To configure quality gates in SonarQube
C. To track the progress of a project
D. To perform code analysis on a project

Answer: B

30. Can SonarQube analyze code written in Kotlin?

A. Yes
B. No

Answer: A

31. What is the purpose of the SonarQube LDAP plugin?

A. To manage users and permissions in SonarQube
B. To track the progress of a project
C. To perform code analysis on a project
D. To generate code coverage reports

Answer: A

32. Can SonarQube integrate with Azure DevOps?

A. Yes
B. No

Answer: A

33. What is the purpose of the SonarQube Java plugin?

A. To perform code analysis on Java projects
B. To visualize code quality reports
C. To generate code coverage reports
D. To perform code analysis on Python projects

Answer: A

34. Can SonarQube analyze code written in Scala?

A. Yes
B. No

Answer: A

35. What is the purpose of the SonarQube Squid plugin?

A. To perform code analysis on a project
B. To generate code coverage reports
C. To visualize code quality reports
D. To manage users and permissions in SonarQube

Answer: A

36. Can SonarQube integrate with Bitbucket?

A. Yes
B. No

Answer: A

37. What is the purpose of the SonarQube XPath plugin?

A. To perform code analysis on a project
B. To generate code coverage reports
C. To manage users and permissions in SonarQube
D. To visualize code quality reports

Answer: A

38. Can SonarQube analyze code written in Go?

A. Yes
B. No

Answer: A

39. What is the purpose of the SonarQube Jenkins plugin?

A. To configure quality gates in SonarQube
B. To manage users and permissions in SonarQube
C. To integrate SonarQube with Jenkins
D. To perform code analysis on a project

Answer: C

40. Can SonarQube analyze code written in Rust?

A. Yes
B. No

Answer: A

41. What is the purpose of the SonarQube Checkstyle plugin?

A. To track the progress of a project
B. To perform code analysis on a project
C. To generate code coverage reports
D. To manage users and permissions in SonarQube

Answer: B

42. Can SonarQube integrate with GitLab?

A. Yes
B. No

Answer: A

43. What is the purpose of the SonarQube JUnit plugin?

A. To manage users and permissions in SonarQube
B. To generate code coverage reports
C. To perform code analysis on a project
D. To track the progress of a project

Answer: B

44. Can SonarQube analyze code written in Groovy?

A. Yes
B. No

Answer: A

45. What is the purpose of the SonarQube Fortify plugin?
A. To perform code analysis on a project
B. To generate code coverage reports
C. To manage users and permissions in SonarQube
D. To visualize code quality reports

Answer: A

46. Can SonarQube integrate with TFS?

A. Yes
B. No

Answer: A

47. What is the purpose of the SonarQube SwiftLint plugin?

A. To perform code analysis on Swift projects
B. To manage users and permissions in SonarQube
C. To visualize code quality reports
D. To generate code coverage reports

Answer: A

48. Can SonarQube analyze code written in Objective-C?

A. Yes
B. No

Answer: A

49. What is the purpose of the SonarQube JIRA plugin?

A. To manage users and permissions in SonarQube
B. To configure quality gates in SonarQube
C. To integrate SonarQube with JIRA
D. To perform code analysis on a project

Answer: C

50. Can SonarQube integrate with Azure Pipelines?

A. Yes
B. No

Answer: A

How can we do the security analysis using SonarQube?

For security analysis purposes, a source code security analyzer examines source code to detect and report weaknesses that can lead to security vulnerabilities.

 

They are one of the last lines of defense to eliminate software vulnerabilities during development or after deployment. A Source Code Security Analysis Tool Functional Specification is available.

 

The SonarQube Quality Model has three different types of rules: Reliability (bug), Vulnerability (security), and Maintainability (code smell) rules. But divided another way, there are only two types: security rules, and all the rest.

 

To be clear, the standard for most rules implemented in SonarQube language plugins is very strict: no false positives. For normal rules, you should be able to be confident that whatever is reported to you as an issue really is an issue.

 

The vast majority of security-related rules originate from established standards: CWE, SANS Top 25, and OWASP Top 10. To find rules that relate to any of these standards, you can search rules either by tag or by text.

 

CWE – Common Weakness Enumeration (CWE™) is a formal list or dictionary of common software weaknesses that can occur in software’s architecture, design, code or implementation that can lead to exploitable security vulnerabilities.

 

SANS Top 25 – The SANS Top 25 list is a collection of the 25-most dangerous errors listed in the CWE, as compiled by the SANS organization.

 

OWASP Top 10 – OWASP stands for Open Web Application Security Project. The OWASP Top 10 is a list of broad categories of weaknesses, each of which can map to many individual rules.

 

XANITIZER – XANITIZER provides an integration with the code quality management platform SonarQube. It transfers all security relevant XANITIZER findings to SonarQube. It is possible to display this data in the SonarQube dashboard and the corresponding drilldown pages and time machines.

 


SonarQube Upgrade, Backup and Restore Process | SonarQube Tutorial

 

Today I will share the steps to upgrade from SonarQube version 5.X to SonarQube version 6.X. There is an official upgrade guide at http://docs.sonarqube.org/display/SONAR/Upgrading, but it is not a complete guide, so I am sharing the steps below, which can be followed for a production server as well. As the official guide states, before upgrading to the next major release you must first upgrade to the intermediate LTS version, e.g.
Example 1: 4.2 -> 6.1, migration path is 4.2 -> 4.5.7 LTS -> 5.6 LTS -> 6.1
Example 2: 5.1 -> 5.6, migration path is 5.1 -> 5.6

 

Upgrading across multiple versions is handled automatically. However, if in your migration path you have an LTS version, you must first migrate to this LTS and then migrate to your target version.

 

Remember that the SonarQube upgrade procedure has no rollback procedure, so it is mandatory that you take a full backup of the system before performing the upgrade.

 

Process 1: Steps to Take a Full Backup of the SonarQube Server

Step 1 – Stop the production server
Windows
%SONARQUBE_HOME%/bin/windows-x86-32/StopNTService.bat
Linux
$SONAR_HOME/bin/linux-x86-64/sonar.sh stop
Step 2 – Back up the production database, e.g. a MySQL database
> mysqldump --opt -Q -h localhost -u username --password='password' databasename | gzip -9 > databasename.gz
Note that a password passed on the command line is visible to every user on the host through the process list and may end up in the shell history; prefer a MySQL option file or the MYSQL_PWD environment variable. There are also dedicated tools available for taking database backups.
Step 3 – Back up the $SONAR_HOME directory
> zip -r Sonar_home.zip $SONAR_HOME
Step 4 – List of plugins installed
The $SONAR_HOME/extensions/plugins directory holds the installed plugins; record its contents.
Step 5 – List of custom coding rules installed
The $SONAR_HOME/extensions/rules directory holds the custom coding rules; record its contents.
Step 6 – List of configurations used
The $SONAR_HOME/config directory holds sonar.properties and wrapper.conf, which contain all the current configuration and setup.
Step 7 – Re-start the production server
Windows
%SONARQUBE_HOME%/bin/windows-x86-32/StartSonar.bat
Linux
$SONAR_HOME/bin/linux-x86-64/sonar.sh start
Step 8 – Keep Sonar_home.zip and databasename.gz in a safe location.
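The backup steps above as one script, added here as an example and not part of the original post. It assumes the directory layout the steps describe (with the configuration under conf/, as in Process 2), uses tar.gz in place of zip, reads the database password from MYSQL_PWD instead of the command line, and adds a check that the archive actually contains the inventoried plugins and configuration:

```bash
#!/usr/bin/env bash
# Added example (not from the original post): automates the Process 1 backup
# for one SonarQube home directory. Assumptions: the layout the page describes
# (extensions/plugins, extensions/rules, bin/linux-x86-64/sonar.sh), with the
# configuration under conf/ as in Process 2; tar.gz replaces the page's zip so
# the script also works where zip is absent; the database dump runs only when
# mysqldump is on PATH and SONAR_DB_USER, SONAR_DB_NAME and MYSQL_PWD are set.
set -eu

# Steps 4-6: record installed plugins, custom rules and configuration files.
sonar_inventory() {
  local home="$1" out="$2" f
  mkdir -p "$out"
  find "$home/extensions/plugins" -maxdepth 1 -name '*.jar' -exec basename {} \; \
    | sort > "$out/plugins.txt"
  : > "$out/rules.txt"
  if [ -d "$home/extensions/rules" ]; then
    find "$home/extensions/rules" -type f -exec basename {} \; | sort > "$out/rules.txt"
  fi
  for f in sonar.properties wrapper.conf; do
    if [ -f "$home/conf/$f" ]; then cp "$home/conf/$f" "$out/$f"; fi
  done
}

# Step 3: archive the whole home directory.
sonar_backup_home() {
  tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# Step 2: consistent dump of the MySQL database. The password is taken from
# MYSQL_PWD in the environment, so it never shows up in `ps` output or history.
sonar_db_dump() {
  mysqldump --opt -Q --single-transaction -h "${SONAR_DB_HOST:-localhost}" \
    -u "$SONAR_DB_USER" "$SONAR_DB_NAME" | gzip -9 > "$1"
}

# Verify the archive really contains conf/sonar.properties and every plugin
# recorded in the inventory; names each missing entry and returns 1 if any.
sonar_backup_check() {
  local archive="$1" inv="$2" listing entry missing=0
  listing="$(tar -tzf "$archive")"
  while IFS= read -r entry; do
    if ! printf '%s\n' "$listing" | grep -qF "/extensions/plugins/$entry"; then
      echo "missing from archive: $entry"; missing=1
    fi
  done < "$inv/plugins.txt"
  if ! printf '%s\n' "$listing" | grep -q '/conf/sonar.properties$'; then
    echo "missing from archive: conf/sonar.properties"; missing=1
  fi
  return "$missing"
}

# Whole Process 1 sequence: stop, dump, archive, inventory, restart, verify.
sonar_full_backup() {
  local home="$1" dest="$2" ctl="$1/bin/linux-x86-64/sonar.sh"
  mkdir -p "$dest"
  if [ -x "$ctl" ]; then "$ctl" stop; fi
  if command -v mysqldump >/dev/null 2>&1 && [ -n "${SONAR_DB_NAME:-}" ]; then
    sonar_db_dump "$dest/$SONAR_DB_NAME.gz"
  fi
  sonar_backup_home "$home" "$dest/Sonar_home.tar.gz"
  sonar_inventory "$home" "$dest/inventory"
  if [ -x "$ctl" ]; then "$ctl" start; fi
  sonar_backup_check "$dest/Sonar_home.tar.gz" "$dest/inventory"
}

# Run against a real installation when SONAR_HOME is set (Step 8: move the
# resulting directory off the host afterwards).
if [ -n "${SONAR_HOME:-}" ] && [ -d "$SONAR_HOME/conf" ]; then
  sonar_full_backup "$SONAR_HOME" "${BACKUP_DIR:-$PWD/sonar-backup-$(date +%Y%m%d)}"
fi
```

The script exits non-zero if the archive is missing anything from the inventory, so a failed backup cannot silently precede the upgrade.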

 

Process 2: SonarQube Server Upgrade Process

Following are the steps to upgrade the SonarQube server.
Step 1: Stop your old SonarQube Server.
Step 2: Install and configure the latest version of SonarQube Server in another location. The instructions are available here: https://docs.sonarqube.org/display/SONAR/Installing+the+Server
Step 3: Install the plugins/extensions you require, in versions compatible with your new version of SonarQube. The instructions are available here: https://docs.sonarqube.org/display/SONAR/Installing+a+Plugin
Step 4: Update the contents of the sonar.properties and wrapper.conf files (in NEW_SONARQUBE_HOME/conf) with the settings of the corresponding files in the OLD_SONARQUBE_HOME/conf directory (web server URL, database, LDAP settings, etc.). Do not copy-paste the old files.
If you are using an Oracle DB, copy its JDBC driver into NEW_SONARQUBE_HOME/extensions/jdbc-driver/oracle
Step 5: Start your new SonarQube Server
Windows
%SONARQUBE_HOME%/bin/windows-x86-32/StartSonar.bat
Linux
$SONAR_HOME/bin/linux-x86-64/sonar.sh start
Step 6: Verify the SonarQube upgrade.

 

Note – SonarQube as a Linux or Windows Service
If you use external configuration, such as a script or a Windows Service, to control your server, you’ll need to update it to point to NEW_SONARQUBE_HOME.
If you used InstallNTService.bat to install SonarQube as a Windows Service, run OLD_SONARQUBE_HOME/bin/…/UninstallNTService.bat before running the InstallNTService.bat of the NEW_SONARQUBE_HOME.
If you install SonarQube with SQL Server, it is better to choose Latin1_General_CS_AS as the collation to avoid problems.

 

Some well-known troubleshooting after upgrades
Issue – After a SonarQube upgrade from 5.6 to 6.1, the test coverage measure is missing
Solution – You are probably missing the sonar.java.binaries property; SonarQube 5.6 did not need it.
Issue – Some unknown issue
Solution – Whenever you have a problem with SonarQube, do not forget to read the log, because only in the log can you understand the real cause of the error.

 


SonarQube Frequently asked questions (FAQ) | SonarQube FAQs

Is SonarQube a Replacement for Checkstyle, PMD and FindBugs?
————————————————————–

Answer – Yes and No

Why Yes?
Sonar will run Checkstyle, FindBugs and PMD, as well as a few other “plugins” such as Cobertura (code coverage), by default for Java projects. The main added value, however, is that it stores the history in a database. You can then see the trend. Are you improving the code base or are you doing the opposite? Only a tool with memory can tell you that.
Why No?
SonarQube is in the process of deprecating PMD, Checkstyle and FindBugs in favour of its own technology for analyzing Java code (called SonarJava). The reason is that they do not want to spend their time fixing or upgrading those libraries (or waiting for them to be upgraded, e.g. for Java 8), some of which depend on outdated libraries. In any case, since SonarQube 6.3+ FindBugs appears to be no longer supported as a plugin (at the moment).

 

Which SonarQube plugins are available for Eclipse, IntelliJ IDEA, Visual Studio, Visual Studio Code and Atom?
————————————————————–
Answer –
SonarLint is an extension for your favorite IDE that gives developers on-the-fly feedback on new bugs and quality issues introduced into their code.

 

Where can I get support for SonarQube?
————————————————————–
Google Groups
Facebook Groups
LinkedIn Groups
Public Forum

 

Top 10 Lessons Learned from 2 Years Work with Codehaus Sonar
————————————————————–

 

Configure Sonar to exclude files from Maven pom.xml
————————————————————–

 

Does Sonar support multiple languages in the same project, e.g. sonar.language=java,grvy?
————————————————————–
Starting with SonarQube 4.2, multi-language projects are supported.
This happens automatically when sonar.language is not set.

 

How to exclude the directory in SonarQube?
————————————————————–
Try something like this (patterns are Ant-style globs, several of which can be given as a comma-separated list):
sonar.exclusions=src/java/test/**

sonar.exclusions=system/**, test/**, application/third_party/**, application/logs/**

How to Increase SonarQube Heap Size?
————————————————————–
Whenever you get an error like “SonarQube analysis failed: java.lang.OutOfMemoryError: Java heap space”, you have the following options.
Option 1 – Reduce the analysis scope, either by reducing the project size (split your project into smaller sub-projects/modules) or by reducing the set of rules that are analyzed.
Option 2 – Increase the memory that the JVM may consume. This is done by setting the following environment variable (SONAR_RUNNER_OPTS for the older SonarQube Runner, SONAR_SCANNER_OPTS for the SonarQube Scanner):
SONAR_RUNNER_OPTS="-Xmx3062m -XX:MaxPermSize=512m -XX:ReservedCodeCacheSize=128m"
e.g. Linux
> export SONAR_SCANNER_OPTS="-Xmx3062m -XX:MaxPermSize=512m -XX:ReservedCodeCacheSize=128m"
e.g. Windows
> set SONAR_SCANNER_OPTS="-Xmx3062m -XX:MaxPermSize=512m -XX:ReservedCodeCacheSize=128m"
Note that -XX:MaxPermSize only applies to Java 7 and earlier; Java 8 and later JVMs ignore it with a warning.

 


What are the alternatives of SonarQube for Code Quality Management?

There is no widely known alternative to SonarQube, which clearly dominates the open source software quality management domain. Depending on your use case and project requirements, however, you may try the following tools.

 

JSHint (JavaScript only)
JSHint is a community-driven tool that detects errors and potential problems in JavaScript code. Since JSHint is so flexible, you can easily adjust it to the environment in which you expect your code to execute. JSHint is open source and will always stay that way. It flags suspicious usage in programs written in JavaScript. The core project consists of the library itself as well as a CLI program distributed as a Node module. It is used in software development for checking whether JavaScript source code complies with coding rules.
More info can be found here – http://jshint.com/about/

 

HPE Fortify
HPE Fortify Software Security Center enables any organization of any size to automate any or all aspects of a successful SSA program. Part of the family of HPE Enterprise Security Products, HPE Fortify Software Security Center is comprised of industry-leading products, solutions, and features that address the complete spectrum of your application security needs.

 

HPE Fortify Software Security Center can help you:
– Address immediate security issues in software you’ve already deployed.
– Reduce systemic risk in software you’re developing or acquiring from vendors.
– Meet compliance goals for internal and external security mandates.
– HPE WebInspect Real-Time
– Interactive vulnerability review and management
– Advanced web services security testing
– HPE WebInspect Trend Reporting
– Refined and simple usability
– Actionable remediation and compliance reports

 

Coverity
Synopsys Static Analysis (Coverity®) is an accurate and comprehensive static analysis and Static Application Security Testing (SAST) platform. It is a static code analysis tool that finds critical defects and security weaknesses in code as it’s written, before they become vulnerabilities, crashes, or maintenance headaches.

 


What is SonarQube and What is not?

What is SonarQube?

It’s a code quality management platform that allows developer teams to manage, track and eventually improve the quality of their source code. It’s a web-based application that keeps historical data for a variety of metrics and shows trends of leading and lagging indicators for all seven deadly sins of developers.
Sonar is an open source platform used by development teams to manage source code quality. Sonar has been developed with one main objective in mind: make code quality management accessible to everyone with minimal effort.

As such, Sonar provides code analyzers, reporting tools, defect hunting modules and TimeMachine as core functionality. It also includes a plugin mechanism enabling the community to extend the functionality (more than 35 plugins available), making Sonar the one-stop shop for source code quality by addressing not only developers’ but also managers’ needs.


Main Features of SonarQube

Continuous Inspection
SonarQube not only shows the health of an application but also highlights newly introduced issues. With a Quality Gate in place, you can fix the leak and therefore improve code quality mechanically.
Detect Tricky Issues
Its code analyzers are equipped with powerful path-sensitive dataflow engines to detect tricky issues such as null-pointer dereferences, logic errors and resource leaks.
Centralize Quality
One place to provide a shared vision of code quality for developers, tech leads, managers and executives in charge of a few to a few thousand projects, and also to act as a toll gate for application promotion or release.
DevOps Integration
SonarQube integrates with the entire DevOps toolchain, including build systems, CI engines and promotion pipelines, using webhooks and its comprehensive REST API.
20+ Programming Languages
SonarQube comes with a code analyzer for each major programming language. Each analyzer provides numerous rules to spot general and language-specific quality issues.

 

What SonarQube Is Not

SonarQube is NOT a build tool. Period. There are several tools out there like Maven, Ant, Gradle etc. that do a perfect job in that field. SonarQube expects that before you analyze a project it has already been compiled and built by your favorite build tool.
SonarQube is NOT (only) a static code analyzer: it’s not a replacement for FindBugs or CPPCheck or any other similar tool. On the contrary, not only does it offer its own static code analysis mechanism that detects coding rule violations, but at the same time it integrates with external tools like the ones I mentioned. The result is that you get all issues detected by a variety of static and dynamic analysis tools, homogenized, in a single report.
SonarQube is NOT a code coverage tool: clearly NOT. Again, it integrates with the most popular test coverage tools like JaCoCo, Cobertura, PHPUnit etc., but it doesn’t compute code coverage itself. It reads pre-generated unit test report files and displays them in an extremely convenient dashboard.
SonarQube is NOT a code formatter. It does not modify your code in any way. However, you can get formatting suggestions by enabling the Checkstyle, CPPCheck or ScalaStyle rules you want to follow.
SonarQube is NOT a continuous integration system to run your nightly builds: you can integrate it with the most popular CI engines to apply Continuous Inspection, but it’s not their replacement.

SonarQube is NOT just another manual code review tool. Indeed, SonarQube offers a very powerful mechanism that facilitates code reviews, but this is not a standalone feature. It is tied to the issue detection mechanism, so every code review can easily be associated with the exact part of the problematic code and the developer who caused it.

Reference
https://www.sonarqube.org/
http://softwaregarden.io/sonarqube/

 


What is SonarJava? Is it replacement for Checkstyle, PMD, FindBugs?

SonarJava has a great coverage of well-established quality standards. The SonarJava capability is available in Eclipse and IntelliJ for developers (SonarLint) as well as throughout the development chain for automated code review with on-premise SonarQube or on-line SonarCloud.

SonarJava is a code analyzer for Java projects. Information about the SonarJava features is available below:
Why SonarJava?
SonarQube is in the process of deprecating PMD, Checkstyle and FindBugs in favour of its own technology for analyzing Java code (called SonarJava). The reason is that they do not want to spend their time fixing or upgrading those libraries (or waiting for them to be upgraded, e.g. for Java 8), some of which depend on outdated libraries. In any case, since SonarQube 6.3+ FindBugs appears to be no longer supported as a plugin (at the moment).

Features
409+ rules (including 103+ bug detection rules, 273 code smells and 33 vulnerabilities)
Metrics (complexity, number of lines etc.)
Import of test coverage reports
Custom rules
SonarJava is being used in the following…
SonarQube
SonarCloud
SonarLint for Eclipse
SonarLint for IntelliJ IDEA
Supported versions, frameworks and special analyses…
Java language versions through 8
Frameworks Struts, Spring, Hibernate
Native integration with Maven, Gradle, and Ant
Metrics
Code Coverage by Tests: SonarJava supports the import of JaCoCo and Cobertura test coverage reports.
Custom Rules
SonarJava supports custom rules written in Java.