Friends!

Posted by Thomas Serre

https://www.sonarsource.com/blog/pytorch-tensors-neural-networks-and-autograd/

For Python application developers looking to harness the power of machine learning, understanding the foundational tools is critical. Among those tools is PyTorch, a leading open-source machine learning framework renowned for its flexibility, Pythonic interface, and dynamic approach to computation.

This guide is designed to demystify PyTorch's core components, providing you with a solid understanding of how it empowers the creation and training of sophisticated machine learning models. We'll break down the essentials into three interconnected concepts:

1. Tensors: The fundamental building blocks of data in PyTorch
2. Neural networks: The architectural models that process this data
3. Autograd: PyTorch's powerful engine that enables networks to learn from their experience

By understanding these pillars, you'll gain insight into how PyTorch facilitates the development of intelligent applications, from image classification to complex predictive systems.

What is PyTorch?

PyTorch is a foundational, open-source machine learning framework, primarily distinguished by its Pythonic interface and dynamic computation graphs. Unlike frameworks that build static graphs upfront, PyTorch's "define-by-run" approach constructs the computational graph dynamically as operations are executed, offering unparalleled flexibility for debugging and experimenting with complex or variable neural network architectures. 

At a high level, a computational graph is a way to represent a sequence of calculations as a graph. In this graph, each node represents a mathematical operation (like addition, multiplication, or a more complex function), and the edges (or arrows) represent the data (usually numbers or tensors) that flow between these operations. You can think of it like a flowchart. When you define a neural network and feed data through it, PyTorch internally builds one of these graphs. It records every step taken to get from your input data to the final output. This graph is crucial because it's what allows frameworks like PyTorch to efficiently simulate and train systems like neural networks. 

[Caption: An example of a simple computational graph.]

Typical neural network training is done using an algorithm called backpropagation. The idea is to compute the gradient of the error with respect to the parameters used in the network, starting from the end of the network and propagating them to the beginning. PyTorch uses this computational graph to calculate gradients of error during backpropagation. Autograd is a key feature of PyTorch, and it helps automate this process. 

That’s kind of a lot to take in all at once – especially if deep-learning is new to you – so let’s look at tensors, neural networks, and Autograd more in depth.

What are tensors?

Tensors are multi-dimensional arrays (scalars, vectors, matrices, etc.) that hold numerical data. For PyTorch specifically, tensors are the framework’s fundamental data structure upon which everything else is built. If you’ve ever used NumPy `ndarrays`, tensors are like that, except computation can be offloaded to accelerators such as  Graphics Processing Units (GPUs). 

Here is an example of the creation of a tensor in PyTorch.

```

data = [[1, 2],[3, 4]] # Numerical data represented as a 2x2 matrix

x_data = torch.tensor(data) # Converts the 2x2 matrix into a tensor

```

The above code takes a 2x2 matrix of numerical data and converts it to a PyTorch Tensor. The result is a specialized data structure optimized for machine learning. Tensors are used to encode the inputs and outputs of a model, as well as the model’s parameters. All data (images, text, audio, numerical features) you feed into a neural network, and all the intermediate calculations, will be represented as tensors. They are also optimized for automatic differentiation (known as Autograd). Tensors form the building blocks of PyTorch, and almost every operation in PyTorch will act on them. (Refer to the documentation for more information.)

How to represent a neural network in PyTorch?

Inspired by the human brain, an artificial neural network (ANN) is a computational model that processes data through interconnected layers to transform inputs into desired outputs. Each layer is composed of artificial neurons that are connected to neurons in the previous and next layers. Each artificial neuron receives signals from connected neurons, then processes them and sends a signal to other connected neurons. The connection between the neurons is represented by a weight, a numerical value representing the strength of the connection. The signal and the output of each neuron are real numbers. The output is computed by a function of all its inputs and the connection’s strength, called the activation function. These networks learn to perform tasks by adjusting the weights on their internal connections during a training process, allowing them to make accurate inferences and predictions. To illustrate how ANNs learn, let’s look at a simplified example: Classifying images of clothing based on the Fashion-MNIST dataset, which is often used for ML benchmarking. Such a classification model would use images of different articles of clothing to train on to be able to accurately identify a dress as a dress or a sandal as a sandal.

[Caption: A portion of the Fashion-MNIST dataset.]

Let’s build a neural network to do this. One of the most typical and simple neural network is composed of three interconnected layers:

Input layer

This is the layer that consumes the raw input. For a Fashion-MNIST image, each image is typically a 28x28 pixel grayscale image. The input layer would have 784 nodes (28 * 28), with each node receiving the pixel intensity value (e.g., a number between 0 and 255) from one specific pixel in the image. Typically,  each output signal of the neurons will be sent to each neuron of the hidden layer.

Hidden layer

This layer of nodes receives signals from the input layer and processes it further. For a Fashion-MNIST image, a hidden layer might take in groups of pixel values and start to detect rudimentary shapes, edges, or textures (e.g., identifying a vertical line, a curved edge, or a patch of rough texture). If there are multiple hidden layers, a deeper hidden layer might then combine these simpler features to recognize more complex patterns, such as a sleeve, a collar, or the shape of a shoe's sole. There can be many hidden layers, each one a network of nodes further refining and processing the data to extract increasingly abstract features.

Output layer

This layer is responsible for the final result of the processing that has occurred in the hidden layers. In the case of Fashion-MNIST, the goal is to classify the clothing item. Since there are 10 different categories of clothing, the output layer would typically have 10 nodes. Each of these nodes would represent one of the clothing categories, and the network's output would indicate the probability that the input image belongs to each of those categories, depending on the output signals from those 10 nodes (e.g., "95% chance it's a sneaker, 3% chance it's a sandal, 2% chance it's something else").

Neural Network in PyTorch

In PyTorch, `torch.nn.Module` is the foundational base class for all neural networks. You can think of it as an organized container for layers and other modules, defining the complete flow of data through your network. In essence,` torch.nn.Module` serves as the object-oriented blueprint for building neural networks.

So, if we were to build a neural network to classify Fashion-MNIST images, we would inherit from `nn.Module`. In our custom network's`__init__` method, we would set up the specific layers we intend to use. For Fashion-MNIST, this might involve an `nn.Linear` layer to handle the flattened 28x28 pixel input (784 features), followed by `nn.ReLU` for non-linearity, and ultimately another `nn.Linear` for the 10 output classes. Then, in the forward method, we would define the computational sequence, dictating how an input image (represented as a tensor) moves through these layers to produce a classification prediction. PyTorch’s built-in classes and methods for these complex computations mean that you can focus more on architecting and training powerful models rather than implementing the intricate mathematical operations yourself.

Below is an example of how we might do this with PyTorch. This example is derived from the PyTorch documentation, where you can see the details of this implementation.

```

# The following class defines the architecture of the model

class ClothingClassification(nn.Module): # Here is where we use PyTorch’s nn.Module class to inherit from

    def __init__(self):

        super().__init__()

        self.flatten = nn.Flatten()

        # The following are all different layers that operate on the data in the order they are declared here

        self.linear_relu_stack = nn.Sequential(

            nn.Linear(28*28, 512),

            nn.ReLU(),

            nn.Linear(512, 512),

            nn.ReLU(),

            nn.Linear(512, 10)

        )

     # The following defines the computational flow of data as it’s passed

     # from node to node and layer to layer

    def forward(self, x):

        x = self.flatten(x)

        logits = self.linear_relu_stack(x)

        return logits
```

How does the neural network learn, what is Autograd?

Initially, as data flows through the layers of an untrained neural network, the computations result in largely random and incorrect outputs. This is because the network has not yet learned how to accurately process the data. To enable the network to produce correct and expected outputs, we need to teach it by systematically adjusting the mathematical relationships (connection weights for example) within its hidden layers through a process called training. In other words, we need to retrace our steps through our calculations to see where we went wrong.

A common and very powerful algorithm used to train neural networks is backpropagation. This algorithm systematically adjusts the parameters within the network's layers to minimize the difference between its predictions and the correct answers. While backpropagation is essential, performing these intricate calculations by hand for every parameter in a large neural network would be incredibly arduous, tedious, and highly prone to errors. Fortunately, PyTorch provides Autograd  – an automatic differentiation engine that lies at the heart of neural network training.

At a high level, Autograd keeps the dynamic computational graph to compute the function gradient. This graph precisely tracks all the mathematical operations and "steps" taken to reach the output. Because it's generated on the fly, you can even use standard Python control flow like if/else statements and for-loops within your network's logic, but be aware that this is not a good practice. 

When the model produces an incorrect prediction (quantified as the loss function), Autograd enables it to efficiently move backward through this computational graph, from the output layer to the input. Using the gradients computed at each step, each parameter is updated to reduce the loss, effectively teaching the network to make more accurate predictions over time.

Conclusion

AI and ML are formidable new additions to our arsenal of tools. However, as this discussion has highlighted, a deep comprehension of these tools is essential. PyTorch's power is matched by its complexity, creating pitfalls for the unwary developer. To understand PyTorch complexity and writing flawless code, automated enforcement is a must have. In our next blog post, we'll dive into the practical application of this safeguard, exploring specific static analysis rules designed to verify your PyTorch usage, and ensure you're leveraging its power correctly and securely.

https://www.sonarsource.com/blog/pytorch-tensors-neural-networks-and-autograd/

Posted by Robert Curlee

https://www.sonarsource.com/blog/sonarqube-compare-editions/

In today's fast-paced software development landscape, ensuring code quality and security is paramount. SonarQube has emerged as a leading automated code review platform that empowers development teams to achieve a high level of code quality and code security. It excels at quickly analyzing code, identifying a wide range of issues from bugs and security vulnerabilities to technical debt, and offers valuable guidance on how to improve code as you develop. 

For users who want to control where and how the platform is deployed and self-upgrade at their own pace, SonarQube is available in several distinct offerings, which are covered in this article. These separate offerings are designed to support individuals, small teams, growing businesses, and large enterprises with capability that meets the complexity and scale of each group. For users who don’t want to manage SonarQube deployment and prefer the ease of maintenance free use, SonarQube Cloud and its various plans are better suited for you.

If you’re not familiar with the different SonarQube offerings: Community Build and SonarQube Server Developer, Enterprise, and Data Center editions, we’ll cover each in this article. By understanding the features, benefits, target audience, and key differences of each, organizations and individuals can make an informed decision about which one best suits their specific needs.

SonarQube Community Build: the starting point for code quality

SonarQube Community Build serves as the foundational, free, and open-source offering of SonarQube for those who want to keep control over installation and upgrades themselves. It offers a powerful entry point for very small development teams and individuals looking to enhance their developer productivity and overall code quality and code security of small development projects. As an open-source tool, its source code is publicly accessible, fostering transparency and community involvement.

SonarQube Community Build boasts support for a significant number of popular and classic programming languages, frameworks, and web technologies. It includes coverage of widely used languages such as Java, C#, Python, JavaScript, and Typescript plus over 15 other languages and IaC technologies. 

Refer to our official documentation to see the complete list of languages and frameworks supported for each language to ensure SonarQube Community Build has coverage for your specific needs. Languages such as C, C++, Obj-C, Dart/Flutter, Swift, ABAP, T-SQL, PL/SQL, YAML, JSON, Ansible, GitHub Actions, Apex, COBOL, JCL, PL/I, RPG and VB6 are only available in SonarQube Server, and the latest documentation should always be consulted to confirm the current status as Sonar regularly adds new languages and frameworks.

Furthermore, SonarQube Community Build offers robust integration capabilities with leading DevOps platforms, including GitHub, GitLab, Azure DevOps, Bitbucket, and Jenkins, supporting integrating with both cloud and self-managed instances of each. This integration allows for the automation of regular code reviews, providing developers with immediate feedback on code health directly within their familiar development workflows. 

A key feature of the Community Build is the "Sonar Quality Gate." This provides a clear and immediate indication of whether the new or modified code meets predefined quality standards. Beyond code quality and security, another important standard is a project's code coverage metrics, offering insights into the extent to which the codebase is covered by unit tests. By failing build pipelines when code quality doesn't meet these standards, it helps prevent problematic code from being released into production, thereby reducing risks and costs associated with late discovery of issues. The Community Build is also known for its fast analysis speed and accuracy and provides shared, unified configurations for consistent analysis across projects. Integration with SonarQube for IDE is another significant advantage, enabling developers to identify and fix coding issues in real-time as they write code within their integrated development environment. The "Connected Mode" feature further enhances this by linking the IDE to SonarQube, ensuring that developers are working with the same set of rules and configurations.

Despite its robust features and because it is geared for individual developers and very small teams, SonarQube Community Build does not contain features that are useful for larger teams. It lacks some advanced functionalities such as branch and pull request analysis and detailed quality gate information in the comments of the pull request, which are crucial for collaborative development workflows. Advanced security features like taint analysis, which helps in identifying potential security vulnerabilities by tracking data flow, and more comprehensive secrets detection for popular private web services are also absent. Additionally, it does not offer application or portfolio management capabilities for aggregating projects and providing executive oversight across projects. A notable performance consideration is larger teams tend to submit analysis requests at the same time and Community Build can only process a single analysis at a time which would slow down larger teams and organizations with multiple teams. Finally, Community Build does not include enterprise level reporting for compliance with common security standards or specific regulations.

The target audience for SonarQube Community Build typically includes individual developers who are keen on improving their coding practices and code quality, as well as small teams and startups that may have budget constraints. It is also an excellent choice for open-source projects that can leverage its free static code analysis capabilities. Furthermore, engineers interested in exploring the SonarQube API for custom integrations might also find Community Build suitable for initial experimentation.

Support for SonarQube Community Build is primarily provided through the active Sonar Community forum. Users can engage with other community members, ask questions, and share their experiences. It's important to note that commercial support with guaranteed response times and dedicated technical assistance is not available for our open source offering.

SonarQube Developer Edition: empowering development teams

SonarQube Developer Edition represents the first commercial tier, specifically designed to empower small to medium size development teams with enhanced collaboration and efficient development workflows to specifically support software development in a corporate setting. It includes capability crucial for teams working on projects that require a higher level of code quality and security checks and broader coverage of different languages and frameworks to ensure your software is ready for production and future proof.

A significant addition in the Developer Edition is the capability for branch and pull request analysis and pull request decoration. This allows teams to analyze code changes in isolated branches and within pull requests before they are merged into the main codebase. SonarQube then provides feedback directly within the comments of the pull request, highlighting any new issues that the changes might introduce directly within the DevOps platform. This proactive approach helps prevent the introduction of bugs and vulnerabilities into the main branch, ensuring a main is always in a production-ready state. This is important for DevOps teams to be able to trigger continuous integration at any moment and ensure the build is free of issues. SonarQube even identifies issues in the target branch that will be resolved by merging the pull request, providing a comprehensive view of the positive impact of the merge.

The Developer Edition also includes enhanced Static Application Security Testing (SAST). This involves more sophisticated analysis techniques, including taint analysis, which tracks the flow of data through the application to identify security vulnerabilities, such as SQL injection, where untrusted data might be used in a harmful way. Advanced dataflow bug detection finds more complex bugs other tools can’t find, preventing runtime errors and crashes. Another valuable feature is more powerful secrets detection, which identifies and prevents the accidental exposure of sensitive information like API keys and passwords used in over 200 common private, commercial, and enterprise cloud services and APIs.

The Developer Edition expands the language support to over 30 languages and frameworks. This includes more specialized languages used in commercial application development, catering to a broader range of development environments and more complete coverage of the types of software built by companies. Furthermore, the Developer Edition includes AI Code Assurance to help companies verify all AI generated code meets their code quality and code security standards. AI Code Assurance can be used to automatically detect and flag projects that contain AI-generated code and then it puts those projects through a more rigorous code review process to ensure the AI generated code passes strict standards. 

The Developer Edition is recommended for codebases with 100K+ Lines of Code (LOC). The pricing for the commercial editions is based on the number of lines of code in each project marked for analysis. It's important to note that the LOC count excludes blank lines, comments, and test code. The target audience for the Developer Edition is small to medium size professional development teams working on projects that require a more comprehensive approach to code quality and security than what the free Community Build offers. DevOps teams that need to collaborate effectively on code changes through branches and pull requests will find this edition particularly beneficial. Commercial support is available for users of the Developer Edition, providing access to technical assistance and resources beyond simply asking questions in the Sonar Community.

SonarQube Enterprise Edition: code quality and security at scale

SonarQube Enterprise Edition is designed as the solution for organizations looking to scale their code quality and security initiatives across multiple teams and larger codebases. It includes everything in Developer Edition and additional capabilities focused on providing deeper insights, enhanced performance for enterprise-level usage, comprehensive reporting capabilities, and enterprise identity and access management (IAM).

This edition expands the language support to a total of 35+ languages and frameworks. This includes additional languages used in enterprise companies such as Apex, COBOL, JCL, PL/I, RPG, and VB6, catering to organizations that maintain legacy systems or use specialized technologies. Enterprise Edition boosts support for unlimited integrations with all DevOps platforms: GitHub, GitLab, Azure Devops, and Bitbucket. This means multiple teams within different business units with varying needs and development workflows can all be centrally supported by one SonarQube Server instance with governance of common standards across all teams.

For better oversight and management of code quality and security across large organizations, the Enterprise Edition includes aggregating projects into both applications and portfolios. Unified portfolio management, enables the consolidation of multiple projects and applications into a single view, providing a holistic perspective on code quality and security across your defined portfolio. Enterprise Edition also provides detailed project health insights with downloadable project, application, and portfolio PDF reports, offering a more comprehensive understanding of the overall status of code quality and security at the desired level. It also includes downloadable security compliance reports that can be used to demonstrate compliance with the top security standards: CWE, OWASP, PCI DSS, STIG, and CASA. To handle the demands of larger teams and codebases, the Enterprise Edition offers improved performance, ensuring efficient analysis even with a high volume of code changes. AI CodeFix further accelerates developer productivity by offering AI generated code solutions for issues at the click of a button to boost resolution at the speed of AI. 

The Enterprise Edition further enhances security capabilities with security engine customization, allowing organizations to tailor the security analysis engine to understand your internal APIS for performing more powerful taint analysis and to detect private secret patterns specific to your internal services. The Enterprise Edition also includes an extra license for a staging environment, facilitating testing and validation of SonarQube configurations before deployment in production. It also provides enhanced monorepo support, including guided setup of a mono repo and showing code health status in the comments of a monorepo pull request, making it easier to manage and analyze code within large monolithic, multi-project repositories.

The Enterprise Edition is recommended for organizations with 1M+ Lines of Code (LOC). The primary target audience is larger enterprise companies with numerous development teams and larger, more complex projects, as well as organizations with stringent security and compliance requirements that necessitate comprehensive reporting and centralized management of code quality and security. Standard commercial support is included for Enterprise Edition instances with 30M+ LOC, and 24/7 white glove premium support is also available for enhanced assistance.

SonarQube Data Center Edition: performance, high availability, and scalability

SonarQube Data Center Edition represents the pinnacle of the SonarQube Server offerings, designed for the largest and most critical deployments that demand maximum performance, high availability, and scalability. It is engineered to handle extreme loads and ensure business continuity through its robust architecture.

Building upon the features of the Enterprise Edition, the Data Center Edition introduces several key enhancements focused on resilience and performance. It offers Kubernetes autoscaling based on demand, allowing the system to automatically adjust resources to handle fluctuating workloads, ensuring consistent performance while optimizing cost. It also has improved high performance for distributed teams, providing efficient analysis even under extreme loads and in geographically dispersed development environments. To ensure high availability for service integrity, the Data Center Edition features component redundancy, eliminating single points of failure and guaranteeing continuous operation for mission-critical code quality and security analysis. The data resiliency for business continuity is a core aspect, ensuring that data is protected and can be recovered in the event of failures, safeguarding business operations. It includes all the capability of Enterprise Edition such as unlimited DevOps integrations and the expanded language support for over 35 languages.

The Data Center Edition is recommended for organizations with 20M+ Lines of Code (LOC), and its licensing follows the same LOC-based model per instance per year. The target audience for this edition comprises very large enterprises with massive codebases and a high volume of analysis. Organizations that require mission-critical code quality and security analysis with guaranteed uptime and performance, and companies with globally distributed development teams that need a highly scalable and available solution will find it suitable. Standard commercial support is included with the Data Center Edition, along with 24/7 white glove premium support for immediate and expert assistance.

SonarQube Server Feature Comparison 

This table lists some of the key features important to companies evaluating what’s right for them:

Note: Pricing details for commercial editions may vary and require contacting SonarSource sales.

Choosing the right SonarQube Server edition

Selecting the most suitable SonarQube Server edition depends on a multitude of factors specific to an organization's or individual's needs. Team size and structure play a significant role. For individual developers or very small teams just starting with code quality analysis, the Community Build offers a robust and free foundation. As development teams grow and require more collaborative features, the Developer Edition becomes a valuable upgrade. Larger organizations with multiple teams and complex projects will likely find the Enterprise Edition better suited to their needs, offering centralized management and comprehensive reporting. For very large enterprises with massive codebases and mission-critical applications, the Data Center Edition provides the performance, scalability, and high availability required.

The complexity and size of projects are also crucial considerations. While the Community Build can handle smaller projects effectively, the Developer Edition is recommended for medium-sized projects. Enterprise Edition is designed for large and complex projects, and the Data Center Edition is tailored for very large projects with extensive codebases.

Security requirements are another key differentiator. The Community Build offers basic security checks, while the Developer Edition enhances these with advanced SAST and advanced secrets detection. Organizations with strict security and compliance requirements will benefit from the Enterprise and Data Center Editions, which provide comprehensive security reporting and customization options.

Scalability needs are paramount for growing organizations. The Community Build has inherent limitations due to its single-threaded nature. The Developer Edition offers some scalability improvements, but the Enterprise Edition is better equipped to handle larger teams and codebases. The Data Center Edition provides the highest level of scalability and high availability through features like autoscaling and component redundancy.

Budget is always a significant factor. The Community Build is free but has limited capabilities. The Developer, Enterprise, and Data Center Editions are commercial offerings with increasing costs and features. The pricing for these commercial editions is based on the number of lines of code in the projects to be analyzed and requires contacting SonarSource sales for specific quotes. Organizations should carefully estimate their current and future codebase size to choose an edition that aligns with their budget and growth plans.

Support requirements should be considered. The Community Build relies on community support, while the commercial editions offer varying levels of commercial support, with the Enterprise and Data Center Editions providing premium support options.

As teams and organizations evolve and their needs become more sophisticated, upgrading from the Community Build to a commercial edition unlocks significant benefits. Features like branch and pull request analysis, code health status in the the comments of pull requests, advanced security analysis, and enhanced scalability become crucial for maintaining code quality and security at scale.

Conclusion

SonarQube offers a range of Server editions designed to meet the diverse needs of the software development community. The Community Build provides a solid, free foundation for improving code quality. The Developer Edition empowers development teams with essential collaboration features and deeper analysis capabilities. The Enterprise Edition enables organizations to scale code quality initiatives across multiple teams with comprehensive reporting and management tools. Finally, the Data Center Edition delivers the ultimate in performance, high availability, and scalability for the largest and most critical deployments.

Choosing the right SonarQube Server edition is a critical decision that should be based on a careful assessment of an organization's or individual's specific requirements, including team size, project complexity, security needs, scalability demands, and budget. Readers are encouraged to visit the official SonarSource website for the most up-to-date information on features and pricing and to consider requesting a demo or free trial of the commercial editions to experience their benefits firsthand. By selecting the appropriate SonarQube Server edition, development teams significantly enhance their code quality, improve security, and ultimately deliver better software.

https://www.sonarsource.com/blog/sonarqube-compare-editions/