I see other scanners like bandit and gosec convert the code into an AST and then walk it to identify vulnerabilities. Does SonarQube traverse the code the same way?
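An added illustration of the AST-walking approach the question describes, written for this thread rather than taken from bandit, gosec or SonarQube: it parses Python with the standard `ast` module and walks the tree to flag the kinds of calls such tools report. The sample source and the two rules are constructed for the example.

```python
"""Minimal AST-walking checker in the style of bandit (example code, not bandit's own)."""
import ast
from typing import List, Tuple

# Constructed sample source to scan; findings below refer to its line numbers.
SAMPLE_SOURCE = '''import subprocess
def run(cmd, expr):
    out = subprocess.run(cmd, shell=True)
    value = eval(expr)
    return out, value
'''

def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the callee, e.g. 'eval' or 'subprocess.run'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(func.id)
        return ".".join(reversed(parts))
    return ""

class RiskyCallVisitor(ast.NodeVisitor):
    """Visits every Call node once; each rule inspects the node and records a finding."""
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _call_name(node)
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, f"use of {name}()"))
        elif name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append((node.lineno, f"{name} with shell=True"))
        self.generic_visit(node)  # keep walking into arguments and nested calls

def scan(source: str) -> List[Tuple[int, str]]:
    """Parse source into an AST, walk it, and return (line, message) findings."""
    visitor = RiskyCallVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)

if __name__ == "__main__":
    for lineno, msg in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {msg}")
```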
Could you share the underlying question? Or are you purely curious about how analysis works? And if the latter, could you specify the language of interest?
I am curious to understand how it actually works. How is the source code converted for analysis? Is it language-specific?
I believe it’s the same in general principle but if you want specifics, you’ll need to share the language of interest.
Sure. I am looking for languages like
Those analyzers are open source, so you’re welcome to dig around in the code to find out. In the meantime I’ve tagged this java to draw the attention of that team.