Hi,
As a first step in our supply-chain management we use SonarQube to check that declared dependencies are in our approved list, effectively the inverse of the XML “Track uses of disallowed dependencies” rule (RSPEC-3417).
In order to do this I wrote a plugin years ago for scanning NPM package.json and Maven pom.xml files, but before spending time bringing it up to date and extending it I wondered if there was much interest in this becoming a rule in SonarQube itself, and what the process for that would be?
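For readers who want to see what such an allowlist check amounts to outside SonarQube, here is a stand-alone Python example, added here and not the poster's plugin nor any Sonar rule: it reads the dependency sections of a package.json and the `<dependency>` elements of a pom.xml and reports every declared coordinate that is not on an approved list, i.e. the inverse of S3417's deny-list. The approved lists, the sample manifests and the function names are all constructed for illustration.

```python
"""Allowlist check for declared NPM and Maven dependencies.

Added example, not the plugin from the post and not a SonarQube rule.
The approved lists and the sample manifests below are constructed.
"""
import json
import xml.etree.ElementTree as ET

# Constructed approved lists: NPM packages by name, Maven artifacts by groupId:artifactId.
APPROVED_NPM = {"express", "lodash"}
APPROVED_MAVEN = {"org.slf4j:slf4j-api", "com.fasterxml.jackson.core:jackson-databind"}

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def npm_dependencies(package_json_text):
    """Return {name: version-range} for every dependency section of a package.json.

    All four sections are included: a dev-only package still runs on build agents,
    so an allowlist that ignores devDependencies leaves a gap.
    """
    data = json.loads(package_json_text)
    deps = {}
    for section in ("dependencies", "devDependencies",
                    "optionalDependencies", "peerDependencies"):
        deps.update(data.get(section, {}))
    return deps


def maven_dependencies(pom_xml_text):
    """Return 'groupId:artifactId' for every <dependency> in a pom.xml.

    Walks the whole tree, so <dependencyManagement> and plugin dependencies
    are covered too. Handles POMs both with and without the Maven namespace.
    """
    root = ET.fromstring(pom_xml_text)
    ns = POM_NS if root.tag.startswith(POM_NS) else ""
    coords = []
    for dep in root.iter(f"{ns}dependency"):
        group = (dep.findtext(f"{ns}groupId") or "").strip()
        artifact = (dep.findtext(f"{ns}artifactId") or "").strip()
        if group and artifact:
            coords.append(f"{group}:{artifact}")
    return coords


def disallowed_npm(package_json_text, approved=APPROVED_NPM):
    """Sorted names declared in package.json that are not approved."""
    return sorted(n for n in npm_dependencies(package_json_text) if n not in approved)


def disallowed_maven(pom_xml_text, approved=APPROVED_MAVEN):
    """Sorted groupId:artifactId coordinates in pom.xml that are not approved."""
    return sorted(c for c in maven_dependencies(pom_xml_text) if c not in approved)


# Constructed sample manifests (not taken from any real project).
SAMPLE_PACKAGE_JSON = """{
  "name": "demo",
  "dependencies": {"express": "^4.18.2", "left-pad": "1.3.0"},
  "devDependencies": {"lodash": "^4.17.21", "moment": "^2.29.4"}
}"""

SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>2.0.9</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.15.1</version>
    </dependency>
  </dependencies>
</project>"""


if __name__ == "__main__":
    for label, findings in (("package.json", disallowed_npm(SAMPLE_PACKAGE_JSON)),
                            ("pom.xml", disallowed_maven(SAMPLE_POM))):
        for coord in findings:
            print(f"{label}: dependency '{coord}' is not on the approved list")
```

Run as a script it prints one line per unapproved dependency; a CI job would exit non-zero when either list is non-empty. The check is name-based only, so version pinning and transitive dependencies (which only a lockfile or resolved dependency tree can reveal) are out of scope here, as they are for a manifest-level rule.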
Hello,
Are you asking if we (Sonar) would be interested in taking your work and making it part of the default SonarQube distribution at some point?
Basically yes, if this type of rule would be a good addition to the core SonarQube ruleset.
Happy to try to contribute a PR, but there may be cleaner ways to implement this that I don’t know of, as I’m relying on an older version of the plugin APIs.
There is no place to do a PR to implement rules related to dependencies. We are working on it but it’s really early stage, so it’s better to pause your effort on your side for the time being and come back to it once Sonar products are ready to accept such a contribution.