Does SonarQube scan 3rd-party code?

There’s some confusion between SAST and SCA – could you explain it more?
I have a given situation:
let’s say I download some Python code (or whatever language) from github.com – and I add it into my project. Could SonarQube scan and cover it just as if it were my own code (that I developed)?
Or would I need an SCA tool (like Snyk) in that case?

In other words… do I need another tool (besides SonarQube) to make sure that 3rd-party code snippets are safe and clean?

Thank you

Hi,

If you have the code in your project, then you can analyze it with SonarQube. However, we generally recommend against analyzing libraries.

If you’re dealing with external libraries, then you’ll definitely need to involve another tool.

HTH,
Ann

Why do you recommend against it? (Assuming you have the source, I mean.)

Thank you

Hi,

We recommend against it because it tends to overwhelm the results on your code with stuff you can’t (shouldn’t) do anything about. For instance, if we find a bug in a library, are you going to fix it in your copy of the library? If you do, then you’re stuck making the same fix every time you upgrade the library. And what if you have multiple projects using that same library? You’re going to analyze it with every project and make the fix in each one? It’s an unsustainable distraction from what you can control: keeping your own code clean.

HTH,
Ann

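One way to act on Ann's advice in practice, as an added example that is not from the original thread: scope the SonarQube analysis to your own sources and keep copied third-party code out of it, so the SAST results stay actionable while the library is covered separately by an SCA tool. The project key and the directory names `vendor` and `third_party` are assumptions; adjust them to where the copied code actually lives.

```properties
# sonar-project.properties (added example; projectKey and directory names are assumptions)
sonar.projectKey=my-app
sonar.sources=.
# Exclude vendored copies of third-party code from analysis: findings in them
# would be re-fixed on every upgrade and in every project that copies the library.
# Track the library's own vulnerabilities with an SCA tool against its declared version instead.
sonar.exclusions=**/vendor/**,**/third_party/**
```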


Hello from the future!

We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.

Please see this announcement for more details.