felipebz
commented
1 year ago Hi! I consider it an alternative. Both the SonarSource's plugin and ZPA have a similar set of features. Here are some differences:
-
The SonarQube PL/SQL commercial plugin can connect to the database and use the data dictionary for some rules, while ZPA does not have this feature.
-
ZPA allows users to create their own rules for analyzing PL/SQL code with XPath rules or custom plugins. The SonarSource's plugin supports only XPath rules.
-
ZPA has fewer coding rules than the SonarSource's plugin.
-
ZPA has a better support for PL/SQL code and DML statements than the SonarSource's plugin.
When I analyze PL/SQL code, I expect that the code is identified and analyzed correctly at least. Take this code as an example:
select 1
from tab, tab2
where tab.id = tab.id;
select 1
from tab, tab2
where tab.id = tab.id
and (tab.col1, tab.col2) in (select col1, col2
from tab3);These two queries have the same issue: a value being compared to itself on where tab.id = tab.id. However, the SonarSource's plugin doesn't report the issue on the second query because it doesn't recognize the (col1, col2) in (…) syntax and it considers the whole query as invalid code. Here is an example from an analysis on SonarCloud:
In my opinion, the fact that it fails to parse this simple code is a serious flaw that compromises the quality and reliability of the code analysis and may lead to false negatives and missed vulnerabilities.
Using ZPA, both issues are reported correctly:
On the other hand, SonarSource is a unicorn startup with many developers and commercial support, I'm sure they can fix this whenever they want, and I'm just a PL/SQL developer myself maintaining a plugin on my free time. 😄
chkpnt
Not in the community edition, but in the developer edition and above, SonarQube has (some) PL/SQL support. Would you mind to elaborate a little bit how this plugin differs from SonarSource's implementation? Do you consider zpa as an alternative or as an supplement?