Our software security scanner scans both source files and binary files (software composition analysis).
While we have already created a SonarQube plugin that integrates with our source code scanning, is there a way to show binary analysis results in SonarQube?
Is there a way for SonarQube to show JAR/DLL results as well?
SonarQube is all about giving you the opportunity to continuously improve the quality of your software, so no, you cannot analyze just binary files; it's a must that you actually provide the raw sources. This allows for accurate bug/vulnerability detection, and also for effective reporting so that you know best how to fix any issue.
Note that SonarQube analyzers can definitely use .class files and other dependency libraries, purely to guarantee an accurate analysis of your source code. That's why, for example, it's a must that the code compiles before being analyzed by SonarQube.
I've seen that Black Duck developed a plugin that shows JAR/WAR/etc. open source vulnerabilities in SonarQube without relying on source files...