...

  • SonarQube setup assistance (Type 1)

  • Extended source code review (Type 2)

  • Software Composition Analysis (Type 3)

  • Software Licence Analysis (Type 4)

These vary in the scope of the review and the granularity of the report, and usually strike a balance between automated analysis and manual review activities. The main differences between automated analysis and manual review are as follows:

  • Automated code analysis covers, among other things, maintainability, security, and reliability as the core quality metrics, as well as the analysis of software dependencies and their licences. The SonarQube (SQ) tool scans the source code of the development project, identifying flaws and vulnerabilities based on internally computed software metrics and by comparing the source code with known anti-patterns. The tool defines Quality Gates that can verify whether the code meets specific requirements (such as requirements defined by Product Lifecycle Management (PLM)) and provide recommendations for the decision-makers. The Mend tool performs software composition analysis, identifying, among other things, the licences and vulnerabilities of external components used by a software project.
    Automated code analysis is a great feature when new code needs to be constantly and quickly scanned for many common reliability and security issues. However, it is not able to detect complex or complicated situations or side effects that could happen during runtime.
  • Manual expert review has the same quality objectives as automated code analysis, but it is conducted by domain experts. These Subject Matter Experts (SMEs) conduct the review in an exploratory manner, or by using pre-defined checklists. Experts review and validate the results reported by the automated code analysis and independently check the parts of code or software components that require particular attention, e.g., classes or components that are complex and play important roles in the system.
    The expert code review requires significantly more effort than automated analysis, so it is performed according to the priorities defined by the requestor. A manual review takes much longer than automated analysis but gives more precision with complex code and execution structures.

SonarQube Setup Assistance (Type 1)

The testing team helps the software development team to configure the SonarQube agent that collects and publishes relevant quality data. It allows the development teams to perform SonarQube analysis by themselves, and it is also used during the reviews the Testing Team performs to find critical sections or hotspots in the codebase. 

...

This service is recommended for teams who want to continuously monitor the quality of their code.

Extended Source Code Review (Type 2)

The extended source code review is a comprehensive manual assessment performed by selected Subject Matter Experts against specific assessment requirements. An extended review can be requested for critical services, software, or software components. Usually, it aims at addressing the requirements of the PLM process, but it can also be performed on a per-request basis.

...

Extended reviews are recommended for teams that require thorough, multi-directional insight into code quality and can be requested for complete services, software, or software components. Extended Source Code Review may happen at the end or during the development (preferably before a major release, when developed software is rather stable and the code will not change much).

Software Composition Analysis (Type 3)

The testing team helps software development teams by setting up a project in the Software Composition Analysis (SCA) tool (the currently used tool is Mend, previously known as WhiteSource) and getting an insight into third-party libraries imported into the software project. This tool identifies third-party components used in a project and provides information about their licences and security vulnerabilities.

...

This service may be requested in combination with other software review services or conducted in isolation. It is also a preparation for Software Licence Analysis. The software development team should be able to interpret the SCA reports.

Software Licence Analysis (Type 4)

This is a technical consulting service for the PLM or IPR software compliance check. It helps the client obtain a deeper insight into third-party libraries in the software project and their licences to select or adhere to the project's software licence. Depending on the outcome, the development team can refine its IPR policy, select the appropriate software licence or adjust the project's software dependencies.
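As an added illustration of the kind of policy check that Software Composition Analysis (Type 3) and Software Licence Analysis (Type 4) feed into, the following Python script evaluates a dependency inventory against a licence allow/deny list and a list of known advisories and produces a gate verdict. This is example code written for this page, not the output or API of Mend or SonarQube; the component names, the advisory id EXAMPLE-ADV-0001, and the licence policy (a project assumed to ship under Apache-2.0) are all constructed assumptions.

```python
"""Policy gate over a software composition inventory.

Added example, not the original page's content and not the output or API of
Mend or SonarQube. The inventory, the advisory id and the licence policy are
all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory in the shape an SCA export usually takes: component
# name, version, declared licence (SPDX id, None if undeclared) and the
# advisory ids known for that version. EXAMPLE-ADV-0001 is a placeholder.
INVENTORY: List[Dict] = [
    {"name": "json-parser", "version": "1.2.0", "license": "Apache-2.0",
     "advisories": ["EXAMPLE-ADV-0001"]},
    {"name": "left-padder", "version": "3.1.4", "license": "MIT",
     "advisories": []},
    {"name": "copyleft-utils", "version": "2.0.0", "license": "GPL-3.0-only",
     "advisories": []},
    {"name": "mystery-lib", "version": "0.9.0", "license": None,
     "advisories": []},
]

# Constructed policy (assumption): the project ships under Apache-2.0, so
# permissive licences are accepted outright, strong copyleft is blocked, and
# anything else, including an undeclared licence, is routed to a human reviewer.
PROJECT_LICENSE = "Apache-2.0"
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
DENIED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    kind: str      # "license" or "vulnerability"
    action: str    # "block" (fails the gate) or "review" (needs a decision)
    detail: str


def check_license(dep: Dict) -> Optional[Finding]:
    """Classify one component's declared licence against the policy."""
    lic = dep.get("license")
    if lic in ALLOWED_LICENSES:
        return None
    if lic in DENIED_LICENSES:
        return Finding(dep["name"], dep["version"], "license", "block",
                       f"{lic} is incompatible with the {PROJECT_LICENSE} policy")
    return Finding(dep["name"], dep["version"], "license", "review",
                   "undeclared licence" if lic is None else f"{lic} not in allow list")


def check_vulnerabilities(dep: Dict) -> List[Finding]:
    """One blocking finding per known advisory on the pinned version."""
    return [Finding(dep["name"], dep["version"], "vulnerability", "block",
                    f"known advisory {adv}") for adv in dep.get("advisories", [])]


def evaluate(inventory: List[Dict]) -> List[Finding]:
    """Collect licence and vulnerability findings for every component."""
    findings: List[Finding] = []
    for dep in inventory:
        lic_finding = check_license(dep)
        if lic_finding:
            findings.append(lic_finding)
        findings.extend(check_vulnerabilities(dep))
    return findings


def gate(inventory: List[Dict]) -> Dict[str, object]:
    """Summary a quality gate can act on: it passes only with no 'block'."""
    findings = evaluate(inventory)
    blocked = [f for f in findings if f.action == "block"]
    review = [f for f in findings if f.action == "review"]
    return {"passed": not blocked, "block": len(blocked),
            "review": len(review), "findings": findings}


if __name__ == "__main__":
    result = gate(INVENTORY)
    for f in result["findings"]:
        print(f"{f.action.upper():6} {f.kind:13} {f.component}@{f.version}: {f.detail}")
    print("gate passed:", result["passed"])
```

Run as a script, the constructed inventory yields two blocking findings (the known advisory and the strong-copyleft component) and one item for manual review (the undeclared licence), so the gate fails; the "review" bucket is where the development team's own interpretation of the SCA report, or a Type 4 consultation, comes in.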

...


Deliverables per service (table columns: Tool setup, Summary report, Detailed report)

  • SonarQube Setup Assistance (Type 1): SonarQube
  • Extended source code review (Type 2): SonarQube; Custom; x; x (or issues submitted to the bug tracking system)
  • Software Composition Analysis (Type 3): Mend; x
  • Software Licence Analysis (Type 4): Mend; x

Learn more

Webinars:

...