A Free Service of IGI Global Publishing House
Below please find a list of definitions for the term that
you selected from multiple scholarly research resources.

What is QA

Code Generation, Analysis Tools, and Testing for Quality
Quality Assurance.
Published in Chapter:
White-Box Testing Automation With SonarQube: Continuous Integration, Code Review, Security, and Vendor Branches
Miguel Jorge Andrade (Polytechnic Institute of Porto, Portugal)
Copyright: © 2019 | Pages: 25
DOI: 10.4018/978-1-5225-7455-2.ch003
Abstract
Modern work patterns like continuous integration (CI) have an implicit need for testing automation. In current CI solutions, white-box testing is left to the work methodology, typically addressed after code reviews. Code security inspection is often done in specific code reviews focusing on security. SonarQube is a tool that, to a certain extent, can automate white-box design and testing and serve as a guide for formal code reviews. Moreover, this tool can help audit the code for potential security issues. Most web programming today uses components readily available and transparently managed by package managers, like npm for Node.js or Composer for PHP. This use must also be audited at least for potential security problems; yet traditional white-box test design would require a good understanding of the vendor code, which can be difficult/impractical to achieve. This chapter will address SonarQube as a valuable tool to automate white-box and security testing and also provide suggestions on how to manage your vendor branches when there is a need to audit/change the vendor source code.