E.g. Node.js packages, Go modules, and not just the project source?
It’s definitely possible; the only question is whether you would want to.
There are a couple of problems with scanning third party source libraries like these:
- If you’re using a standard Quality Profile, these projects often raise a lot of issues which can mask the issues in your own code
- If you do find an issue, fixing it is not as quick or easy as fixing your own code (unless you’re maintaining your own code fork)
- If you’re scanning at the same time as your own code, you’ll be adding the time of the library scan to your overall scanning time
If you really, really want to scan this code, it’s probably best to do it in a separate project to quarantine these side-effects. To scan this code, in the case of NodeJS and Go vendor libraries, you’ll need to undo the default exclusions we have configured in the analyzers:
sonar.go.exclusions. Then add to your
sonar.sources if they’re not already part of your source tree.
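As an added illustration (not from the original post), here is what the separate, quarantined project described above could look like as a `sonar-project.properties`. The project key and the `sonar.javascript.exclusions` / `sonar.exclusions` lines are my assumptions, not something the post states; the main project keeps its own unchanged properties file with the default exclusions in place.

```properties
# sonar-project.properties for a SEPARATE SonarQube project that scans only the
# vendored third-party code, so its issues and scan time stay out of the main project.
# Project key/name are hypothetical placeholders.
sonar.projectKey=my-service-vendored-deps
sonar.projectName=my-service (vendored dependencies)

# Point sonar.sources only at the dependency directories, not at first-party code.
# Assumes Go dependencies were vendored with `go mod vendor` and Node.js
# dependencies live in node_modules.
sonar.sources=vendor,node_modules

# The analyzers exclude these directories by default
# (sonar.go.exclusions -> **/vendor/**,
#  sonar.javascript.exclusions -> **/node_modules/**,**/bower_components/**,
#  as documented for the Go and JavaScript analyzers; verify for your version).
# Setting the properties to an empty value undoes the default exclusion.
# Assumption: an empty value overrides the default in your SonarQube/SonarCloud
# version; check the analyzer documentation if the directories are still skipped.
sonar.go.exclusions=
sonar.javascript.exclusions=

# Optional (assumption): keep vendored test code out of the report so the
# findings reflect the library code your build actually ships.
sonar.exclusions=**/*_test.go,**/test/**,**/tests/**
```

Because fixing a finding here usually means upgrading or replacing the dependency rather than editing the code, treat this project as a watch list for the libraries you ship, not as a backlog for your own team.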