SonarQube versus ESLint for Static Code Analysis
Introduction
Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review and should ideally be implemented as part of the CI portion of a product development lifecycle. Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis. Ideally, such tools would automatically identify code quality issues, security vulnerabilities with a reasonable degree of confidence. Such tools should actually serve as aids for a software developer to help zero in on quality and vulnerability aspects of the code so they can find them more efficiently, rather than a tool that simply finds them automatically.
Per Open Web Application Security Project (OWASP)
SonarQube is a static code analysis platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages.
ESLint is an open-source static code analysis tool for identifying problematic patterns found in JavaScript code. Rules in ESLint are configurable, and customized rules can be defined and loaded. ESLint covers both code quality and coding style issues.
This comparison exercise was completed by KansoCloud on behalf of a customer looking for an easy to maintain yet comprehensive Static Code analysis platform to cover their PHP/Laravel and NodeJS based web applications.
Comparison Matrix
SonarQube | ESLint | |
---|---|---|
Developer | SonarSource (2006) | Nicholas C. Zakas (2013) |
Latest Version | 9.3 LTS | 8.11.0 |
Software Licensing | GNU Lesser General Public License | MIT License |
Features |
|
|
Disadvantages |
|
|
Requirements |
|
|
Conclusion
The primary objective for the customer was to assist their developers in detecting bugs, code smells, vulnerabilities, security hotspots during early stage development. Since it is an application supporting financial services, there was also the additional requirement to ensure security and compliance. Another important requirement was the ability to view clear and intuitive dashboards for internal consumption as well as supporting external audit purposes.
Even though operational cost was a consideration, ease of operation was given a higher priority based on the customer’s staffing profile.
SonarQube offered a more comprehensive coverage of all the areas the customer was interested in along with support for multiple languages and easy to use dashboards . While ESLint requires infrastructure to be provisioned with specific software installed on it along with the user searching for appropriate plugins to utilize, SonarQube makes it very convenient with its comprehensive SaaS offering, SonarCloud. Given the specific use cases and usage requirements, the recommendation was to proceed with SonarCloud.