Output SonarQube reports #15

Open
cynthiabaran opened this issue Jun 25, 2020 · 5 comments
Labels
enhancement New feature or request

Comments

@cynthiabaran

cynthiabaran commented Jun 25, 2020

Describe the solution you'd like
Insider could generate a SonarQube-compatible report, which should have this format. To achieve this, we will need to assign a unique ID to each rule.

Describe alternatives you've considered
Let every rule id have the prefix "insider", and the suffix composed of an abbreviation of the language and an integer, for example, INSIDER-JS1.

Additional context
Other SAST tools, such as GoSec, already have this feature. The ID of GoSec rules follows the pattern G101.

@cynthiabaran cynthiabaran added the enhancement New feature or request label Jun 25, 2020
@htrgouvea
Contributor

Hi @cynthiabaran,

First of all, I would like to thank you for opening this issue!
This kind of functionality is very interesting, I believe that we can work on that...
But, if you find it interesting, feel free to open a PR with this implementation, it will be very welcome!

Thx!

@cynthiabaran
Author

I actually did it 3 days ago, but one day later you guys released v2 😅
Sooo I'll have to rewrite some stuff, but probably I'll be able to contribute. This feature is important for us.

You okay with my suggestion for the naming convention of the rules' ids?

@danilodeveloper
Contributor

Hey @cynthiabaran
I liked your naming convention suggestion.

What do you think guys @hermescanutodesouza @bieeldeveloper @GouveaHeitor

@cynthiabaran
Author

Another issue worth discussing is the name of the SonarQube report.

I just noticed that in v2 you've added a timestamp to the name of the report file. That's kind of an issue when adding this tool to automatic CI pipelines, since it requires extra work for the pipeline script to figure out the name of the report to send to SonarQube.

Off the top of my head, I think we could output a fixed filename such as report-sonarqube.json, dropping the timestamp for the SonarQube report. That is easy to implement, and we don't really need a unique timestamp for SonarQube reports since it keeps track of all analyses for us.

Any thoughts?

@mattheusv
Contributor

Hi @cynthiabaran, really sorry for the delay. About the timestamps on the report: Insider has a -force flag that generates reports without a timestamp and will overwrite existing report files.

About the SonarQube report, I think that we should create a new flag, -format for example, to specify the type of output report, something like this:
$ insider -tech javascript -target <dir> -format sonarqube
This will generate a report in SonarQube format; if this flag is not provided, we generate the "default" report that we generate today. What do you think? And again, sorry for the delay.
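To make the two proposals in this thread concrete (rule IDs of the form INSIDER-JS1, and a SonarQube report written to a fixed filename such as report-sonarqube.json), here is an added example in Go. It is not Insider's own code: the Finding struct is a constructed stand-in for whatever Insider's internal result type looks like, the language abbreviations other than JS and the CVSS-to-severity thresholds are this example's assumptions, and the JSON field names follow SonarQube's Generic Issue Import format (engineId, ruleId, severity, type, primaryLocation).

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Finding is a constructed, simplified stand-in for one Insider result.
// The real Insider finding type is not on the page; this shape is an assumption.
type Finding struct {
	Language    string  // e.g. "javascript"
	RuleIndex   int     // 1-based position of the rule in the language's rule set (assumed)
	Description string  // human-readable message shown in SonarQube
	File        string  // path relative to the scanned project root
	Line        int     // line where the issue starts
	CVSS        float64 // base score, used here to derive a severity
}

// SonarQube Generic Issue Import structures. Only the required fields are used;
// textRange needs at least startLine when present.
type textRange struct {
	StartLine int `json:"startLine"`
}

type location struct {
	Message   string    `json:"message"`
	FilePath  string    `json:"filePath"`
	TextRange textRange `json:"textRange"`
}

type issue struct {
	EngineID        string   `json:"engineId"`
	RuleID          string   `json:"ruleId"`
	Severity        string   `json:"severity"` // BLOCKER, CRITICAL, MAJOR, MINOR or INFO
	Type            string   `json:"type"`     // BUG, VULNERABILITY or CODE_SMELL
	PrimaryLocation location `json:"primaryLocation"`
}

type report struct {
	Issues []issue `json:"issues"`
}

// langAbbrev holds the language abbreviations for the proposed rule IDs.
// Only "javascript" -> "JS" is given in the issue; the others are assumptions.
var langAbbrev = map[string]string{
	"javascript": "JS",
	"android":    "AND",
	"ios":        "IOS",
	"csharp":     "CS",
	"java":       "JAVA",
}

// RuleID builds an identifier following the proposed convention:
// the fixed prefix "INSIDER", a language abbreviation and an integer, e.g. INSIDER-JS1.
// Unknown languages and non-positive indexes are rejected so that every emitted
// ruleId is stable and unambiguous, which SonarQube needs to track issues over time.
func RuleID(language string, index int) (string, error) {
	abbr, ok := langAbbrev[strings.ToLower(language)]
	if !ok {
		return "", fmt.Errorf("no abbreviation defined for language %q", language)
	}
	if index < 1 {
		return "", fmt.Errorf("rule index must be positive, got %d", index)
	}
	return fmt.Sprintf("INSIDER-%s%d", abbr, index), nil
}

// severityFromCVSS maps a CVSS base score onto SonarQube's severity scale.
// The thresholds are this example's choice, not Insider's.
func severityFromCVSS(score float64) string {
	switch {
	case score >= 9.0:
		return "BLOCKER"
	case score >= 7.0:
		return "CRITICAL"
	case score >= 4.0:
		return "MAJOR"
	case score > 0:
		return "MINOR"
	default:
		return "INFO"
	}
}

// BuildReport converts findings into a SonarQube generic issue report.
func BuildReport(findings []Finding) (report, error) {
	r := report{Issues: []issue{}}
	for _, f := range findings {
		id, err := RuleID(f.Language, f.RuleIndex)
		if err != nil {
			return report{}, err
		}
		r.Issues = append(r.Issues, issue{
			EngineID: "insider",
			RuleID:   id,
			Severity: severityFromCVSS(f.CVSS),
			Type:     "VULNERABILITY",
			PrimaryLocation: location{
				Message:   f.Description,
				FilePath:  f.File,
				TextRange: textRange{StartLine: f.Line},
			},
		})
	}
	return r, nil
}

// WriteReport serialises the report to a fixed path (no timestamp), so a CI
// step can pass it to sonar.externalIssuesReportPaths without guessing the name.
func WriteReport(r report, path string) error {
	data, err := json.MarshalIndent(r, "", "  ")
	if err != nil {
		return err
	}
	return os.WriteFile(path, data, 0o644)
}

// SampleFindings returns two constructed findings used to exercise the code.
func SampleFindings() []Finding {
	return []Finding{
		{Language: "javascript", RuleIndex: 1, Description: "Use of eval() with dynamic input", File: "src/app.js", Line: 42, CVSS: 7.5},
		{Language: "javascript", RuleIndex: 14, Description: "Hard-coded credential", File: "src/config.js", Line: 7, CVSS: 5.3},
	}
}

func main() {
	r, err := BuildReport(SampleFindings())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := WriteReport(r, "report-sonarqube.json"); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("wrote report-sonarqube.json with", len(r.Issues), "issues")
}
```

The report is consumed on the SonarQube side by pointing the scanner's external-issues property at the file; because the filename is fixed, the pipeline step needs no globbing or timestamp parsing. Rejecting unknown languages at rule-ID generation time is deliberate: a silently generated ID such as INSIDER-1 would collide across languages and break issue tracking.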

6 participants