Can I scan a third party library?

I have an app with React JS and I'm using a third-party library by using a <script> tag inside the index.html file. Is there a way to scan that third-party library with SonarQube?

Hi @Andreshm, welcome to the SonarSource Community!

I’m assuming you mean you’re using the tag like <script src="http://path-to/lib.js"> to pull in code that is outside your control, correct?

SonarQube aims to be a tool for developers to help write better & more secure code. As such, our focus isn't on 3rd party dependency analysis, since you're unlikely to be responsible for changing the 3rd party code if an issue is found.

We’d recommend you also use an additional tool to do such analysis on the dependencies you choose to pull into your projects to check them for vulnerabilities.

Hope this helps clarify!
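As an added example, not part of the original thread and not SonarQube or SonarSource code: before a separate dependency scanner can check the libraries you pull in, you need a list of them. The Node script below inventories every <script src> tag in an index.html, separates the third-party ones (absolute or protocol-relative URLs, the "code outside your control" from the answer above) from the app's own bundles, and for each external script notes two things a defender would want to know: whether it is fetched over plain http and whether it carries a Subresource Integrity attribute. The sample HTML, the function names (inventoryScripts, externalDependencies, parseAttributes, isExternal) and the integrity hash value are all constructed for this illustration.

```javascript
// Added example (not from the SonarSource thread): inventory the <script src> tags in an
// index.html so the external libraries can be handed to a dependency/vulnerability scanner.
// Plain regex over the raw HTML; no DOM or third-party parser, so it runs offline under Node.

// Constructed sample index.html, not taken from the original poster's app.
// The integrity value is a placeholder, not a real hash.
const SAMPLE_INDEX_HTML = `
<!doctype html>
<html>
  <head>
    <script src="/static/js/main.chunk.js"></script>
    <script src="http://path-to/lib.js"></script>
    <script src="https://cdn.example.com/vendor/widget.min.js"
            integrity="sha384-PLACEHOLDER_NOT_A_REAL_HASH"
            crossorigin="anonymous"></script>
    <script>console.log("inline");</script>
  </head>
  <body></body>
</html>`;

// Every opening <script ...> tag; group 1 is the raw attribute text (may span lines).
const SCRIPT_TAG_RE = /<script\b([^>]*)>/gi;
// name="value", name='value', name=value or a bare name.
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Turn the attribute text of one tag into a lowercase-keyed object.
function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Third-party if the src is an absolute http(s) URL or protocol-relative (//host/...).
function isExternal(src) {
  return /^(https?:)?\/\//i.test(src);
}

// One record per <script src> tag: where it comes from and which controls are missing.
// Inline scripts have no src and are skipped.
function inventoryScripts(html) {
  const results = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = parseAttributes(m[1]);
    if (!attrs.src) continue;
    const src = attrs.src;
    const external = isExternal(src);
    const findings = [];
    if (external) {
      if (/^http:\/\//i.test(src)) findings.push('loaded over plain http');
      if (!attrs.integrity) findings.push('no integrity attribute');
    }
    results.push({ src, external, findings });
  }
  return results;
}

// The external entries are the dependencies to feed into a separate scanner;
// the same-origin ones are the app's own code, which SonarQube already analyses.
function externalDependencies(html) {
  return inventoryScripts(html).filter(r => r.external).map(r => r.src);
}

for (const r of inventoryScripts(SAMPLE_INDEX_HTML)) {
  console.log(`${r.external ? 'EXTERNAL' : 'local   '} ${r.src} ${r.findings.join('; ')}`);
}
```

Run it with `node` against your own index.html by replacing the sample string; the list returned by externalDependencies is what you would pass on to whichever dependency-checking tool you add alongside SonarQube.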

Thank you Jeff!
