There’s some confusion between SAST and SCA – could you explain it more?
Here is a given situation:
Let’s say I download some Python code (or whatever language) from github.com and add it to my project. Could SonarQube scan and cover it just like it was my own code (that I developed)?
Or would I need an SCA tool (like Snyk) in that case?
In other words… do I need another tool (besides SonarQube) to make sure that 3rd-party code snippets are safe and clean?
We recommend against it because it tends to overwhelm the results on your code with stuff you can’t (shouldn’t) do anything about. For instance, if we find a bug in a library, are you going to fix it in your copy of the library? If you do, then you’re stuck making the same fix every time you upgrade the library. And what if you have multiple projects using that same library? You’re going to analyze it with every project and make the fix in each one? It’s an unsustainable distraction from what you can control: keeping your own code clean.
We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.
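Following the advice above, the practical step is to keep the vendored copy out of the SonarQube analysis scope so that findings in the library do not drown out findings in your own code. The snippet below is an added example (not from the original thread or from SonarSource); the project key and the `src/vendor/` and `src/third_party/` paths are assumed for illustration, and `sonar.exclusions` is the standard property that removes matching files from analysis.

```properties
# sonar-project.properties (hypothetical layout; added example, not from the thread)
sonar.projectKey=my-service
sonar.sources=src
sonar.tests=tests

# Keep vendored third-party copies out of the SAST results.
# The directory names below are assumptions about this project's layout.
sonar.exclusions=src/vendor/**,src/third_party/**
```

One caveat worth keeping in mind: SCA tools generally discover dependencies from manifests and lockfiles (for Python, files such as requirements.txt or a lockfile), so a library that was copied into the tree by hand is invisible to both the exclusion above and the SCA scan. Declaring it as a pinned dependency instead of vendoring it is what lets an SCA tool match it against known-vulnerability data and lets you upgrade it without re-applying local fixes.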