In the past, I mentioned in a few blog posts* that the open source SonarQube by SonarSource was on my “research list”, as I am a fan of static code analysis**. Now it is time to amend those posts with the current state of using it for Delphi.
SonarSource products
- SonarQube Server (formerly SonarQube) is an open core product for static code analysis, with additional features offered in commercial editions.
- SonarQube Cloud (formerly SonarCloud) offers free analysis of open source projects.
- SonarQube for IDE (formerly SonarLint) is a free IDE extension for static analysis.
For more history on them, see [Wayback/Archive] About – Sonar and SonarSource | Sonar.
Delphi integration
There are two open source integrations, one for SonarQube Server and one for linting, both maintained by the same company ([Wayback/Archive] IntegraDev · GitHub):
- [Wayback/Archive] GitHub – integrated-application-development/sonar-delphi: Delphi language plugin for SonarQube (requires SonarQube Server, Delphi and [Wayback/Archive] SonarScanner CLI | SonarQube Server Documentation)
- [Wayback/Archive] GitHub – integrated-application-development/delphilint: Delphi IDE package providing on-the-fly code analysis and linting, powered by SonarDelphi (can also be integrated into Visual Studio Code)
SonarQube can also run your unit tests, which you should not do without any code coverage measurements. For those, use [Wayback/Archive] GitHub – DelphiCodeCoverage/DelphiCodeCoverage.
In the past, Embarcadero took over maintenance and put it in [WaybackSave/Archive] GitHub – Embarcadero/SonarDelphi: Embarcadero’s official version of the Sonar-Delphi plugin for use to analyze Delphi projects with SonarQube. Working to collect updates and contributions from other versions into this one and move if forward with new features., but, like any 3rd party product they took over, it was marketed as a big thing while maintenance was at an absolute minimum (their owner Idera is basically a product marketing company strong-arming its ownees, similar to the relation between puppeteers and marionettes).
Their commits can be counted at ………: some 15 commits, only in the README documentation parts.
Besides DelphiAST, this might be the only reasonably up-to-date Delphi grammar available. In this case it is ANTLR based and hosted in [Wayback/Archive] sonar-delphi/delphi-frontend/src/main/antlr3/au/com/integradev/delphi/antlr/Delphi.g at master · integrated-application-development/sonar-delphi · GitHub (the DelphiAST grammar is in [Wayback/Archive] DelphiAST/Source/DelphiAST.pas at master · RomanYankovsky/DelphiAST · GitHub as part of the open source repository [Wayback/Archive] GitHub – RomanYankovsky/DelphiAST: Abstract syntax tree builder for Delphi).
Oh: SonarDelphi is mainly written in Java, so if you have maintenance or pull-request aspirations you know what to learn.
The SonarDelphi repositories have been at these places (from recent to past, tried to follow fork marks but not all have them):
- [WaybackSave/Archive] GitHub – Embarcadero/SonarDelphi: Embarcadero’s official version of the Sonar-Delphi plugin for use to analyze Delphi projects with SonarQube. Working to collect updates and contributions from other versions into this one and move if forward with new features.
  Has no fork markings.
  Maintained until 20240322, when Embarcadero gave up.
- [Wayback/Archive] GitHub – Laurensvanrun/SonarDelphi: This repository contains the source code to the Sonar-Delphi plugin. Can be used to analyse Delphi projects with SonarQube.
- [WaybackSave/Archive] GitHub – JAM-Software/SonarDelphi: This repository contains the source code to the Sonar-Delphi plugin. Can be used to analyse Delphi projects with SonarQube.
  Maintained until 20221202, when Embarcadero forked it.
- [WaybackSave/Archive] GitHub – mendrix/SonarDelphi: This repository contains the source code to the Sonar-Delphi plugin. Can be used to analyse Delphi projects with SonarQube.
- [Wayback/Archive] GitHub – FactorySolution/SonarDelphi: This repository contains the source code to the Sonar-Delphi plugin. Can be used to analyse Delphi projects with SonarQube.
- [Wayback/Archive] GitHub – ekot1/SonarDelphi: This repository contains the source code to the Sonar-Delphi plugin. Can be used to analyse Delphi projects with SonarQube.
  Still maintains dependencies, but adds no features.
- [Wayback/Archive] GitHub – SandroLuck/SonarDelphi: This repository contains the source code to the Sonar-Delphi plugin. Can be used to analyse Delphi projects with SonarQube.
  Not an official fork marking, but the readme points to the repository right below.
- [Wayback/Archive] GitHub – fabriciocolombo/sonar-delphi: SonarQube Delphi Plugin
*
Prior SonarQube blog posts
From my draft posts around SonarQube
- Microsoft understood the importance of SonarQube much earlier: in April 2015 they posted [Wayback/Archive] Technical Debt Management: Announcing SonarQube integration with MSBuild and Team Build – Microsoft Application Lifecycle Management – Site Home – MSDN Blogs, which has since moved to [Wayback/Archive] Technical Debt Management: Announcing SonarQube integration with MSBuild and Team Build – Azure DevOps Blog
- Isotopp in 2021 wrote [Wayback/Archive] Kristian Köhntopp auf Twitter: “Modern development uses languages as part of a platform, which would contain components such as JFrog X-Ray or SonarQube that would scan code and packages. These would not only detect such injections easily, but would flag also many more things.”
[Wayback/Archive] Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies | by Alex Birsan | Medium
The code was meant for internal PayPal use, and, in its package.json file, appeared to contain a mix of public and private dependencies — public packages from npm, as well as non-public package names, most likely hosted internally by PayPal. These names did not exist on the public npm registry at the time.
…
With the logic dictating which package would be sourced from where being unclear here, a few questions arose:
- What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?
- Will developers, or even automated systems, start running the code inside the libraries?
- If this works, can we get a bug bounty out of it?
- Would this attack work against other companies too?
Yup: it works for other companies too.
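The kind of check a platform scanner would do for the scenario quoted above, as an added example that is neither from Alex Birsan’s article nor from any SonarSource or JFrog product: it reads a package.json and an .npmrc and reports which dependency names would resolve from the public npm registry even though they look internal (all sample inputs and the `acme` prefix are constructed for illustration).

```python
import json
import re

# Constructed sample package.json (illustrative only, not any real project's file)
SAMPLE_PACKAGE_JSON = """{
  "name": "internal-web-app",
  "dependencies": {
    "express": "^4.18.0",
    "lodash": "4.17.21",
    "@acme/auth-client": "1.2.0",
    "acme-billing-utils": "2.0.1",
    "acme-logging": "0.9.3"
  },
  "devDependencies": { "jest": "^29.0.0", "@acme/test-helpers": "0.4.0" }
}"""

# Constructed sample .npmrc: only the @acme scope is pinned to an internal registry
SAMPLE_NPMRC = """registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=${NPM_TOKEN}
"""

def parse_npmrc_scopes(npmrc_text):
    """Return {scope: registry_url} for every '@scope:registry=...' line."""
    scopes = {}
    for line in npmrc_text.splitlines():
        m = re.match(r"^\s*(@[^:\s]+):registry\s*=\s*(\S+)", line)
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes

def classify_dependencies(package_json_text, npmrc_text, internal_prefixes=()):
    """Map each dependency name to where npm would fetch it from:
    'internal' = scope pinned to a non-public registry in .npmrc,
    'at-risk'  = resolves from the public registry but matches an internal
                 naming prefix (the dependency-confusion case),
    'public'   = an ordinary public package."""
    pkg = json.loads(package_json_text)
    scopes = parse_npmrc_scopes(npmrc_text)
    names = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    result = {}
    for name in names:
        scope = name.split("/")[0] if name.startswith("@") else None
        if scope in scopes and "registry.npmjs.org" not in scopes[scope]:
            result[name] = "internal"
        elif any(name.lstrip("@").startswith(p) for p in internal_prefixes):
            result[name] = "at-risk"
        else:
            result[name] = "public"
    return result

def at_risk_names(package_json_text, npmrc_text, internal_prefixes):
    """Sorted list of names that should be scoped and pinned before they can be squatted."""
    classes = classify_dependencies(package_json_text, npmrc_text, internal_prefixes)
    return sorted(n for n, c in classes.items() if c == "at-risk")
```

Remediation for an `at-risk` name is organisational (scope it and pin the scope in .npmrc, or register the name yourself); the script only makes the exposure visible in CI.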
**
My blog posts on Delphi static code analysis
- 2018 Use DelphiAST – via TPersistent.com » Blog Archive » The Parsing Problem
- 2018 Delphi XE8 things I learned from the first week of G+ reading
- 2018 Delphi 10.3 Rio got released; I’ll wait a while hoping to see more positive comments
- 2020 Are there any static code analysis tools for Delphi/Pascal? – Stack Overflow
- 2020 Delphi Exception handling code review reminders
- 2027 Link archive: cyclomatic complexity – a fresh look at code complexity|Blog (scheduled)
--
jeroen