Can SQ also check for vulnerabilities in project modules?

E.g. Node.js packages, Go modules, and not just the project source?

Hi @IdanAdar,

It’s definitely possible, the only question is whether you would want to :slight_smile:

There are a couple of problems with scanning third party source libraries like these:

  • If you’re using a standard Quality Profile, these projects often raise a lot of issues which can mask the issues in your own code
  • If you do find an issue, fixing it is not as quick or easy as fixing your own code (unless you’re maintaining your own code fork)
  • If you’re scanning at the same time as your own code, you’ll be adding the time of the library scan to your overall scanning time

If you really, really want to scan this code, it’s probably best to do it in a separate project to quarantine these side-effects. To scan this code, in the case of NodeJS and Go vendor libraries, you’ll need to undo the default exclusions we have configured in the analyzers: sonar.javascript.exclusions and sonar.go.exclusions. Then add them to your sonar.sources if they’re not already part of your source tree.

Regards,

Cameron.

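As an added illustration of the separate-project setup described in the reply (not configuration from the original post), a sonar-project.properties that clears the two default exclusions and points sonar.sources at the vendored directories only; the project key, name and directory layout are assumptions:

```properties
# Separate SonarQube project dedicated to the vendored third-party code,
# so its issues do not mix with (or mask) issues in the main project.
# Project key, name and paths below are assumptions for illustration.
sonar.projectKey=my-app-third-party
sonar.projectName=My App (third-party libraries)

# Scan only the vendored directories, not the application's own source.
sonar.sources=node_modules,vendor

# Undo the analyzers' default exclusions, which normally skip these
# directories. An empty value overrides the built-in default
# (**/node_modules/**,**/bower_components/** for JavaScript, **/vendor/** for Go).
sonar.javascript.exclusions=
sonar.go.exclusions=

# Optional: keep build output and the libraries' own tests out of this scan
# to reduce noise and scan time.
sonar.exclusions=**/dist/**,**/*.test.js,**/*_test.go
```

Run the scanner from the directory holding this file; since the main project keeps its default exclusions, its quality gate is unaffected by findings in the library code.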