
Sonar now checks AI-generated code for faults

Sonar, which sells tools that check software code for bugs, inconsistencies and security vulnerabilities, today announced two new products designed for AI-powered software development.

AI Code Assurance for SonarQube and SonarCloud enterprise managed services validates code created by generative AI co-pilots to ensure it meets business quality and security standards. A companion product called AI CodeFix recommends solutions to identified problems.

Sonar, the trade name of the company SonarSource SA, says it is addressing the rapidly growing market for AI code assistants, which, according to Gartner Inc., three-quarters of enterprise software engineers will use by 2028. The 16-year-old company claims it has 7 million developers using its platform.

The programmer’s companion

The new AI-focused products “are not co-pilots in the AI sense, but we accompany the development process and help with code review by providing a guided tour or discussing issues,” said CEO Tariq Shaukat. “We can identify the type of problem, the severity of the problem, what kind of problem it is, and we expose it in the integrated development environment or at the code review stage.”

Sonar’s deterministic approach is based on a set of over 5,000 rules in 30 popular programming languages. “We create mathematical representations of the code that take into account things like how data flows and existing loops,” Shaukat said. “It’s called static analysis, and we’ve been doing it for the last 15 years.”

Shaukat said common problems in AI-generated code are different from those found in human-made software. “Artificial intelligence doesn’t make simple mistakes like spelling and grammatical errors,” he said. “AI code typically involves complex problems that require understanding context. It contains more complex bugs and security issues, and you may also have hallucinations such as calling libraries that don’t exist or variables that aren’t defined.”

AI Code Assurance allows developers to flag projects containing AI-generated code to initiate automated analysis. An optimized quality gate for AI-generated code ensures that only code that meets rigorous quality and security standards is approved for production.

Shaukat said these standards can be configured to meet the requirements of different organizations. Projects that pass the quality gate receive a badge indicating that the code is acceptable.

Generative AI improvements

AI CodeFix automatically generates suggestions to improve code quality using OpenAI’s large language model, with support for additional models planned. Developers can troubleshoot issues using SonarLint, an open-source code quality checker and static analysis tool. The service initially supports Java, JS/TS, C#, Python, and C/C++, with additional languages likely to be supported in the future.

Shaukat said the enterprise clients he spoke to are slowly moving towards AI-powered coding on a massive scale. Many developers distrust co-pilots or fear they may render professional development tasks irrelevant, and tend to test AI-generated code less rigorously.

“Everyone I talk to is doing some experiment with AI code generators,” he said. “It’s still relatively early in the round. We see that about 30% of the co-pilot’s suggestions are adopted. Thanks to CodeFix, we see that over 50% of suggested fixes are accepted.”

The new services are being made available for free to users of the latest versions of SonarQube and SonarCloud, although they may come with a fee in the future, Shaukat said.

Photo: SiliconANGLE/DALL-E
