Secrets of the Source

Video size:

0:09 Miko Pawlikowski

Hello and welcome to another episode of Conf42Cast. My name is Miko Pawlikowski. And today I've got with me Martin Bednorz, Product Manager at Sonar Source. Martin, how are you today?

0:21 Martin Bednorz

Very good. Hello, Miko, happy to be here. Looking forward to talking to you.

0:26 Miko Pawlikowski

First things first, the important question, what is your favorite planet, Martin?

0:32 Martin Bednorz

I think I would say that planet Earth is probably my favorite one. I mean, looking at from far away on our planet, I think that's pretty amazing. Right? And we should probably take better care of it than we have done for the past years, I would imagine.

0:51 Miko Pawlikowski

Definitely tried and tested, Earth. That's a very good answer. Sounds like it's not coincidence that you work at Sonar Source, caring about the quality of what you already have. So I'm curious, how did you end up working there? What brought you, what attracted you to that particular company?

1:10 Martin Bednorz

Yeah, that's kind of a long story. So in 2016, with a few friends, we founded a company called RIPS. We were super focused on static analysis for security bugs, right? We were hunting security bugs all day. First in PHP, then later, we branched out into Java, to JavaScript, TypeScript and languages like this. And in 2020, Sona acquired the company, and that's how I got to be part of Sonar Source. I think that at Sonar, it's really a great company to work for. Company culture is a really big focus here with autonomous teams. So it's a team-based organization, and everybody here can really have an impact. And for me, this is a really important aspect of being here, really having the possibility to have an impact. And aside from that, I mean, the products are great. SonarQube is quite wide known in the community, so it's a good place to work.

2:20 Miko Pawlikowski

Okay, great. So, you mentioned you're a PhD. So what was your thesis? Was it also on static analysis?

2:27 Martin Bednorz

Oh, I don't have a PhD. I did my master thesis on incremental static code analysis. So it's a bit related for sure.

2:37 Miko Pawlikowski

So it's been a long time, since you're liked looking at someone else's code and telling them, 'Oh, this is bad, basically'.

2:45 Martin Bednorz

Yeah. Yes. And it's happened on my court. A lot of times as well.

2:52 Miko Pawlikowski

Exactly. Okay. So SonarQube, probably one of the more popular developer tools. I think, from my past experience speaking to people, they definitely know, SonarQube. But they usually know it as that annoying thing that is in their CI that tells them that the coverage of their new code is below par. And they would probably prefer to switch it off at that stage. Can you tell us more in detail? What is it that you actually do? And what's unique about your approach versus everybody else's?

3:28 Martin Bednorz

Yes. So what's unique about what we do is really we enable developers to clean code, right? So for us source code is the core asset of many companies and of software in general as well. And when it's not clean, I mean, you'll compromise your reputation with security vulnerabilities, business disruption with Box engineers are not happy to work on that code. Maintenance cost is increased, because changing things is very difficult and error-prone. So we really try to ensure that it is an asset and stays an asset, really. How we do this is we don't want to look at source code only from one angle, on one property like security. There are many more things that make code good or clean, let's say like reliability, maintainability, and things like this as well. And how do we ensure that developers can keep the code clean, it's really a unique workflow that we put on top of that. So basically, the workflow is that as a developer, you should focus on your new code. And over time, automatically, your overall code will improve as well with this. So when you as a developer are working on a new feature or working on changes, you are not only adding new lines of code to your software, but also changing lines or removing lines of code as well. So you're always touching a bit of the old code as well. And so if you focus your efforts on the new code over time, it will automatically improve your overall code as well. We've seen this a bit with data as well, like after one year, you've touched around 20% of your overall code with this, after two years, 35%, after five years, something like 50%. So this is really something to easy workflow, super lightweight, nothing changes for you as a developer. And ultimately, you will improve your quality.

5:22 Miko Pawlikowski

The mythical quality of the code. That actually makes me wonder, so do you actually sell this to the developers or like to the managers? Do you go and say, 'Hey, your life is gonna be easier if you use this while you write code'? Or do you say, 'Oh, people who work for you, they're gonna produce better work if you install this'? Like, which one is it typically, who goes for that kind of tool?

5:45 Martin Bednorz

I would say that we have a strong focus on developers. I mean, we come ourselves from the open source world, and many of our products and analyzers, even our open source, right. So, SonarQube is open source, the Community Edition, many parts of SonarLint are open source, some analyzers, as well. And so I would say that we really set to the developer. Entry point into our ecosystem is for free, right. So you can use all of our tools as a starting point for free. And then if you want to introduce this into your company, or into your team, you need to pay, basically.

6:19 Miko Pawlikowski

So for someone who may be, you know, comes from, let's say, Python background, and they are used to just running, you know, pi test, and they've got their favorite setup with linters. How is SonarLint different? Does it integrate with the other tools? So does it come with, you know, your own engine for doing things?

6:40 Martin Bednorz

All things are true. So, of course, we bring our own analysis to that as well. So you will get all the rules, the analysis that we do for sure. And on top of that, it can integrate into SonarQube, or SonarCloud, right. So can integrate this into, for example, your GitHub pull request, so to make sure that all of them are on the quality that you really require for yourself or for your company and your team.

7:12 Miko Pawlikowski

Another feature that I was actually very much interested in when I was prepping for this is the quality gates. It sounds like a very, you know, kind of thing that everybody should be doing. But I found that in practice, it tends to be difficult to decide on the actual quality gate thing, like what is good enough to push through automatically. I was wondering if you could talk about that a little bit. How people set this boundaries, and how much success can things like quality gates bring.

7:43 Martin Bednorz

At the cloud, the quality gate is a really simple concept. You basically define your coding standard that you want to have for yourself, for your team, or for your organization. And then you set it up to so that anytime it fails, you do not merge your pull request or you do not deployed to production. Here, at Sonar, we have a default quota gate, that is used by most of our customers. And it basically says that you shouldn't have any box, any security vulnerabilities or no security hotspots on your new code. And I think this is a great default to start everyone out. And then you can adjust this at your company. So let's say you have a really old project that is only used internally or something like this, you could adjust your quality gate to not be as strict. Or you have your core application within your company that brings home all the big bucks, you could adjust it to be more strict, right? So it's a really great way to decide on the coding standards that you really want to have within your company.

8:44 Miko Pawlikowski

And that naturally flows back to our mythical clean code and the quality of it, right? Because you have to describe the right amount of testing versus being into things like you know, 100% test coverage, which by the way, I'm gonna ask you what you think about that. Whether you're vim or emacs kind of person. But in general, you know, so far, I've been saying 'quality code'. But if you were to like focus on the few major tenets of what actually makes code clean and good quality in practice, what's your personal take?

9:20 Martin Bednorz

I think there are a few things that are clear already like, it has to be secure. It has to be maintainable. And that can imply many things, right? For example, for me personally, a certain amount of test coverage is part of that as well, right? Maybe not 100%. A certain amount for sure has to be reliable, the less bucks it has, the better. And I don't think that it stops here. And I think the properties, or the qualities that define this are going to evolve over time. Like we are seeing sustainability being a more and more important topic for developers and source code as well, so I'm sure that this is something that will be part of that in the future, and probably many other properties as well, that makes sense here.

10:10 Miko Pawlikowski

I think probably one of those properties is the thing that you mentioned already, the vulnerability scanning. I mentioned that at a high level. But I'm wondering, in practice, you know, every modern application, depending on what language and framework they're written in, is going to pull a lot of other people's code, right? That's kind of the whole premise of standing on the shoulders of giants, and all of that. We now do things like software bill of materials to SBOMs. And we do things like vulnerability scanning in non-libraries. But where do you think this is evolving? And how far do you think we can go, what are the limitations of that kind of approach?

10:51 Martin Bednorz

First of all, I think it's great that we are also nowadays, taking a deeper look into this as well like, including the libraries that we depend up on, that we built up on into the security scope, let's say. So, I think that is great. Of course, the further down you go, at some point, it has to stop, right? You can't take care of everything. So on certain things, you really have to trust that they work well, I would say.

11:19 Miko Pawlikowski

Yeah, at some level, you do have to trust somebody. And I wonder also, what's your take on how open source affected that. Because on one hand, you've got this code that technically, we can all go and read. And if there is a malicious implementation detail, we could catch it, we could write tools to auto-analyze it and do things like that. But at the same time, history shows that it also means that people can go and get code that looks completely foreign, turned out to be nefarious merged into some respectable projects. Do you think that the open source made it easier or more difficult to manage this kind of threat?

12:01 Martin Bednorz

I think it makes it easier, because it is available to everyone, right? You could go today on SonarCloud, and import or analyze your favorite open source project and look for vulnerabilities. So it's super easy for everyone to check the open source projects, right? With proprietary software, this is not really something that you can do. And also, I think we've seen a lot of popularity for source composition analysis as well. So if there are known vulnerabilities and open source libraries, you can easily be notified about this within your projects. A lot of companies are offering that right, like you get something for free on GitHub, even I think, nowadays. So I think it's much more, we are in a much better state with open source than just using proprietary technology.

12:50 Miko Pawlikowski

Open source for the win.

12:53 Martin Bednorz

For sure.

12:54 Miko Pawlikowski

I was gonna ask you a few questions on kind of bigger trends and aggregates. You're sitting, you know, in a kind of unique position where you can see and I'm sure you have fun dashboards to look at that some you may or may not be able to talk about. But if you look at the kind of higher level trends for the different languages and frameworks, and in general, what's going on that you pick up from where you sit at Sonar Source? Can you share some interesting stats and interesting trends with us?

13:26 Martin Bednorz

I can share a few trends. We are not publishing any data about this, currently, so no specific data. But I think one trend that we are also seeing here at Sonar, is that JavaScript and TypeScript are really pushing forward strongly, right. Especially TypeScript is something that we see a lot of demand for. One thing that surprised me personally, is that we have a lot of demand from our community for Dart and Flutter. So for the mobile space, which is super interesting, because I personally didn't have those technologies on on my radar. And yeah, so that was really interesting to discover.

14:06 Miko Pawlikowski

I can't say I'm surprised. JavaScript just seems to be always able to reach the next level of popularity, and especially with TypeScript, which is a less bad JavaScript. I am surprised about Flutter a little bit. I didn't exactly see it like take off, but it's good to know. Are there any languages or frameworks that are least, or less prone to mistakes than others that we noticed? Don't say JavaScript, I know you'd be lying.

14:41 Martin Bednorz

JavaScript was probably one of the languages that is certain aspects of it are probably more difficult to handle. Ao I think that we are seeing new languages pop up that are let's eliminate hold back classes in in itself like something like Rust, where with the memory model, the security model that they have built into the language, certain type of box that we know from C, C++, and so on, are just not there anymore. So I think this is something that can really help. It doesn't solve all security problems or other mistakes that you can make. But certain classes of bugs are eliminated with that. And I think a lot of this also depends on the availability of frameworks within the language. If you have a lot of mature frameworks there, like maybe Spring, or Symphony or Laravel, on PHP site. Those are less prone to mistakes, they have a good default, you are not writing SQL queries manually anymore, right. So that I think really helps in eliminating a lot of the vulnerabilities that we've seen before that. And I mean, that's maybe a personal preference. I'm not sure. But I think type languages can help as well. Especially if looking at reliability of your software. I think type languages can help there. They are not the solution, but I think they can help. And the best example for me is always TypeScript that makes JavaScript

16:09 Miko Pawlikowski

Even better. Yeah, that makes sense. That's hard to argue with. If there's fewer opportunities to make mistakes, people probably make fewer of them. That makes a lot of sense. So for everybody who's been listening to us for last 20 minutes and thinking, 'Hey, this SonarQube, this Sonar thing doesn't sound too bad. I'm not currently using, maybe I should start using it'. Where do they go? What did they do?

16:37 Martin Bednorz

So they can go to sonarsource.com. That's our website, they can check out the products that we have. All of them are free to start. So you can just grab the SonarQube Community Edition to install locally on your laptop. The easiest thing to try is SonarLint, of course. It integrates into all the major major editors and IDs. And if you are working with open source, you can just hook SonarCloud to your GitHub repository, for example, and stuff like that.

17:08 Miko Pawlikowski

And the tools that you download, they don't send the code to the cloud, right? Is the cloud offering that sends it out to the upstream server, the other ones work locally.

17:20 Martin Bednorz

Exactly. So if you install SonarQube, all your code stays locally, of course. Same with SonarLint. We are not sending the code outside to any. Once on a cloud site we really DevOps platform of choice, right. So if you're a GitHub user, we connect to your GitHub repository and analyze your code, of course, in the cloud, yeah.

17:41 Miko Pawlikowski

All right, fantastic. So everybody interested, now you know what to do. You don't have an excuse anymore to not give it a try. But for you, Marty, before I do let you off the hook, I've got one more question, your personal, you know, a golden nugget of information to extract from you. Your personal recommendation of if you were to invest time, you know, as a developer in 2023, in one single language, or technology or technique, or anything else, really, to help your career, but you could only pick a single thing, what would be your personal recommendation?

18:18 Martin Bednorz

So, I'm probably going to be biased towards static analysis. No, no. So I think what I personally loved discovering is all the Cloud Native development that is happening with AWS CDK and similar technologies, not having to set up a server anymore, for me was a big relief. So I think investing time into those technologies is super interesting. And I think the future holds a lot of great things for that.

18:48 Miko Pawlikowski

And for anybody who wants to follow your adventures, whether it's Twitter or LinkedIn, or something, what's the best way?

18:54 Martin Bednorz

To be honest, I'm not too active on Twitter. So it's best to follow the SonarSource account to find out more about what we do here.

19:04 Miko Pawlikowski

All right. Fantastic. Thank you so much for your time. Martin Bednorz, Product Manager at Sonar Source was my guest today.

19:13 Martin Bednorz

Thank you for having me, Miko.

19:14 Miko Pawlikowski

And see you next time.

19:15 Martin Bednorz

See you soon.