We are a company that provides penetration testing and source code analysis services. We are investigating new SAST tools and are wondering about SonarQube. Our criterion is scanning applications without compiling. For example, the Checkmarx SAST tool offers this functionality. Is there any option in SonarQube to scan C, C++, Java and C# applications without compiling?
We are considering the SonarQube Enterprise solution and have used SonarQube Community Edition deployed as a Docker image. We couldn't find an option to scan applications without compiling.
According to ChatGPT, "Scanning, for instance, Java applications without compiling in SonarQube requires the use of SonarQube's standalone scanner, commonly known as SonarScanner". Is that true? Is it possible with the SonarQube Scanner?
For C/C++ and .NET applications, no, you must compile.
For Java, a best-effort analysis can be performed, but the analysis results are degraded.
Why is it a strict requirement that you don’t compile the code?
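As an added illustration of the "best-effort" Java case described in the answer above (not part of the original thread and not a configuration published by SonarSource), the following sonar-project.properties runs SonarScanner over Java sources only. It assumes the standard SonarScanner CLI properties sonar.projectKey, sonar.sources, sonar.host.url and sonar.token; the empty-directory value for sonar.java.binaries is an assumption about a common workaround for scanner versions that refuse to start without that property, and should be verified against the SonarQube version in use. With no compiled classes and no sonar.java.libraries on the classpath, type resolution and cross-file data flow are limited, so taint-style security rules report fewer findings than a scan of a built project.

```properties
# sonar-project.properties (added example, assumed configuration)
sonar.projectKey=customer-app-source-only
sonar.projectName=Customer App (source-only scan)

# Scan the Java sources; no build step is run.
sonar.sources=src/main/java
sonar.sourceEncoding=UTF-8

# Assumption: point sonar.java.binaries at an empty directory so the scanner
# starts without compiled classes. Without binaries and sonar.java.libraries,
# symbol resolution is partial and security findings are degraded.
sonar.java.binaries=empty-bin-dir
# sonar.java.libraries=lib/*.jar   # add if the customer can supply dependency jars

# Server connection; the token is provided via the environment, not committed.
sonar.host.url=http://sonarqube.internal:9000
sonar.token=${env.SONAR_TOKEN}
```

Create the placeholder directory (for example, mkdir empty-bin-dir) before running sonar-scanner from the project root; the degraded result is a usable first pass for coverage of rule categories, not a substitute for a compiled analysis when the goal is finding injection and data-flow vulnerabilities.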
Thank you for your answer. I understand.
This requirement is about a time problem. When we analyze the source code of a customer's applications, first of all they must be able to compile their projects properly and successfully, without errors, in our installed SonarQube environment, and this is very time-consuming, because many customers struggle technically when installing their development environment in our environment. As a consequence, the analysis process shrinks. We are looking for a non-compiling solution as we do not want to sacrifice time. This affects us financially.
I am aware that scanning with compilation gives more robust and efficient results. But our services are badly affected by this style of SAST.