What is the difference between a bug, a vulnerability, and a code smell in SonarQube? [Basic]
Answer
In SonarQube, a bug is a likely correctness problem, a vulnerability is a security flaw with a concrete exploit risk, and a code smell is a maintainability issue that may make future changes riskier or slower.
Technical explanation
Bugs affect reliability, such as null dereference or incorrect logic.
Vulnerabilities affect security, such as injection, weak cryptography, or unsafe deserialization.
Code smells affect maintainability, such as duplicated code, overly complex methods, or dead code; they are usually not immediate incidents but still create debt.
Hands-on example
Hands-on triage: treat new critical vulnerabilities as merge blockers, high-confidence bugs as blockers or required fixes, and code smells based on severity and team standards. Convert accepted technical debt into tracked backlog items rather than ignoring it.
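The triage policy above as a small Python script (an added example, not SonarQube's own tooling or code from the original page): it assumes an issue list in the shape of the `issues` array returned by SonarQube's `api/issues/search` endpoint, already filtered to new code, and uses severity as a stand-in for bug confidence; the sample issues are constructed.

```python
import json

# Constructed sample issues, shaped like the "issues" array returned by
# SonarQube's api/issues/search (only the fields the policy needs are kept).
SAMPLE_ISSUES = json.loads("""[
  {"key": "AX1", "type": "VULNERABILITY", "severity": "CRITICAL", "message": "OS command built from user input"},
  {"key": "AX2", "type": "BUG", "severity": "MAJOR", "message": "Possible null dereference"},
  {"key": "AX3", "type": "CODE_SMELL", "severity": "MAJOR", "message": "Cognitive complexity too high"},
  {"key": "AX4", "type": "CODE_SMELL", "severity": "MINOR", "message": "Unused local variable"},
  {"key": "AX5", "type": "VULNERABILITY", "severity": "MINOR", "message": "Weak hash algorithm"}
]""")

SEVERITY_RANK = {"INFO": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "BLOCKER": 4}

def triage(issues, smell_fix_threshold="MAJOR"):
    """Sort new-code issues into merge blockers, required fixes and tracked backlog.

    Policy (assumed team standard, following the triage rule above):
      VULNERABILITY  CRITICAL/BLOCKER -> blocker, anything lower -> required fix
      BUG            CRITICAL/BLOCKER -> blocker, anything lower -> required fix
      CODE_SMELL     at/above smell_fix_threshold -> required fix, else backlog
    """
    critical = SEVERITY_RANK["CRITICAL"]
    threshold = SEVERITY_RANK[smell_fix_threshold]
    result = {"blockers": [], "required_fixes": [], "backlog": []}
    for issue in issues:
        rank = SEVERITY_RANK[issue["severity"]]
        if issue["type"] in ("VULNERABILITY", "BUG"):
            bucket = "blockers" if rank >= critical else "required_fixes"
        elif issue["type"] == "CODE_SMELL":
            bucket = "required_fixes" if rank >= threshold else "backlog"
        else:
            raise ValueError(f"unknown issue type: {issue['type']}")
        result[bucket].append(issue)
    return result

def merge_allowed(result):
    """The merge stays blocked while any blocker remains open."""
    return not result["blockers"]

def backlog_items(result):
    """Turn accepted debt into tracked ticket titles instead of silently ignoring it."""
    return [f"[tech-debt] {i['key']} {i['severity']} {i['type']}: {i['message']}"
            for i in result["backlog"]]

if __name__ == "__main__":
    decision = triage(SAMPLE_ISSUES)
    print("merge allowed:", merge_allowed(decision))
    for bucket, items in decision.items():
        print(bucket, [i["key"] for i in items])
    print("\n".join(backlog_items(decision)))
```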