Integrating With SonarQube

Many development organizations we work with have turned to SonarQube as a dashboard to visualize and measure their code quality.

Customers using CLM want to surface known security vulnerabilities and license risk in the same place developers or executives already assess the quality of their application. To support this growing interest from our customers, we are introducing our next important milestone: Sonatype CLM's integration with SonarQube.

[Figure 1: screenshot, 2014-08-26]

Figure 1. SonarQube widget example highlights open source policy violations that require attention. Drill down reports with detailed analysis are accessible directly from this widget.

This integration will allow you to access summary-level Sonatype CLM information for your applications, as well as link to Sonatype CLM Application Composition Reports directly from your SonarQube projects.

[Figure 2: screenshot, 2014-08-26]

Figure 2. Sonatype CLM Application Composition Reports offer detailed analysis of license and security issues down to the individual components and risks.

Better component usage doesn't just lead to risk reduction; it also leads to better applications. This ties closely with code analysis and with tools such as SonarQube.

If you already use SonarQube, you know firsthand the impact that principles such as the 7 Axes of Code Quality can have on the applications and projects your teams create. Paralleling this, as a user of Sonatype CLM, you also know that using good components is a critical and essential part of developing quality applications. Sonatype CLM for SonarQube brings both of these together.

  1. The software: For Sonatype CLM users who need access to the 1.11 release, it can be found on our KnowledgeBase.

  2. The integration: For Sonatype CLM users looking for more information on the SonarQube integration, you can quickly get up-and-running with our online guides.

  3. Learn more: Want to learn more about SonarQube? Here is an informative article I found from Nadeem Mohammad.

Finally, if you are looking for information on how Sonatype CLM integrates into your complete development environment, here are some links that you might find helpful:

  • Sonatype CLM integrates with continuous integration servers (e.g., Hudson/Jenkins)

  • Sonatype CLM integrates with IDEs (e.g., Eclipse)

  • Sonatype CLM integrates with repository management (e.g., Nexus)

  • Sonatype CLM integrates with build managers (e.g., Maven)

Written by Brian Fox

Brian Fox, CTO and co-founder of Sonatype, is a Governing Board Member for the Open Source Security Foundation (OpenSSF), a Governing Board Member for the Fintech Open Source Foundation (FINOS), a member of the Monetary Authority of Singapore Cyber and Technology Resilience Experts (CTREX) Panel, a member of the Apache Software Foundation and former Chair of the Apache Maven project. Working with OpenSSF, Brian helped create The Open Source Consumption Manifesto, urging organizations to elevate awareness of open source usage. He also chaired efforts to provide official responses to requests for information from the Office of the National Cybersecurity Directorate (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA). Within the Atlantic Council's Open Source Policy Network, Brian actively helps shape cybersecurity strategy, offering valuable insights on critical documents, such as ONCD's recent National Cyber Security Strategy. Brian has over 20 years of experience driving the vision behind, as well as developing and leading the development of, software for organizations ranging from startups to large enterprises. Brian is a frequent speaker at national and regional events including Java User Groups and other security and development-related conferences.