You're 5 Minutes Away from Code Quality & Code Security

Hi, I'm Ann Campbell with SonarSource. I don't have any slides for you today. I'm going to try something that's a little bit risky given the time constraints, but this should work out okay. So what you're seeing right now is the front page of Sonar Cloud, which is a SAS product, a SAS-SAS product, to add code quality and code security to your repository. And I want to show you today how easy that is.

So I'm going to start by logging in. Now I already have an account, so you're going to see that reflected in my experience. But as a new user, all you would have to do is choose your ALM to sign in with, and it creates your account for you. So I'm going to start with GitHub, because I have an account there. And it logs me in and shows me the projects that I have access to. But that's not what I want to show you today. What I want to show you today is how easy it is to set up your projects with code quality and code security.

So I'm going to go to the PLUS to analyze a new project. Now it asks me if I want to analyze a project from one of the existing organizations that I already have access to. But again, that's not what I want to show you today. I'm going to show you creating an organization from my ALM. So I'm going to choose GitHub. And when I get here, it says which organization do you want on GitHub? I'm going to choose my private one. And now GitHub is asking me to grant permissions. Now, I don't want to give Sonar Cloud, I'm just trying this out, right? So I don't want to give Sonar Cloud permission to all my repositories. I'm going to select the repositories that I've chosen, I've forked recently for this demonstration. So I type in my repositories and there are a couple that I want to show you. And once I've got them selected, I can save that. That brings me back to Sonar Cloud, where I've got a couple more steps to get through. So I have to name, set a key for my organization. I'm going to go with the default. I do want the free plan, Sonar Cloud is free for open source projects. So I'm going to create my organization like that. Now Sonar Cloud is asking me, of the repositories it has access to, which ones I want to analyze? I want to analyze both of them. Now I click Setup.

And what's happening now is Sonar Cloud is checking out my code. And it's taking a look at it to see if it can automatically analyze it for me. So I don't have to do any CI CD setup here. It's just going to handle it for me.

So it looks at my code, it says, yes, I can run an automatic analysis on this. And it's analyzing the latest version of master. And from this point forward, for every commit on my main branch, and for every new PR, it's going to run that analysis for me, reflects the results in my PR in GitHub, with a check on my PR.

So now my little application has already finished analyzing. Let's jump in and see what I've got. So here's my overview. Zero bugs, I've got some vulnerabilities. I've got some other issues, but what I really want to show you here is the issues. So here I've got my list of issues. It's not terribly useful though to just see a list of issues without contact. So I'm going to dive in here. Let's look at the blocker issues, and look at the rules. And I've got database queries should not be vulnerable to injection attacks. So let's see which ones those are. And I'm going to click on this to see the issue in the context of the code.

Now, this application was crafted to demonstrate vulnerabilities. And so what we're seeing here is really compact vulnerability flow. But the reality is that in normal projects, the vulnerability flow is going to span not just functions, but probably pages as well, different files in the project. We've crafted the UI, even though you're not quite seeing that here, to make that flow across functions and files easy to understand. So that's what I wanted to show you in this project.

Now, I'm going to return to my list of projects. And my other one is done analyzing by now. So I want to jump into that one. And again, I've got my overview here at the top. And I want to show you something on the Issues page. And that is here under the list of languages.

So now we're here to talk about JavaScript today. And that's primarily what I'm looking at. But I do want to point out to you that I've got issues raised on both the JavaScript and the HTML code in my project. It's a reality today that most projects are not monolingual. Most projects have multiple languages in them. And so for the cost of that one setup, I'm getting not just the analysis of my JavaScript, but of the other languages in my project as well. So that's pretty cool.

Now, again, to narrow it down to blockers, just to look at the most interesting things, if I look at the rules that are being broken, here's a dynamic code execution for injection attacks. Let's see what that one's about. All right. So here I've got a little bit larger issue flow. Now, maybe I'm not savvy about security. Maybe I don't understand why this is a problem. If that's the case, I've got the rule description here ready at hand so that I can understand not just why I should be following the rule, not just what bad thing can happen if I don't follow the rule, but I've also typically got some code samples so that I can see broken code, bad code, and then I can see that same code fixed so I can apply that pattern to my own code to make the fixes in my code.

So I'm almost out of time, but fortunately, I'm out of everything I wanted to say. Thank you very much for your time and attention, and I'll talk to you later. Thank you.