I’m working on a small project that uses a Lua-based Roblox script, and when I run it through SonarQube I keep seeing a lot of warnings about things like dynamic execution, unsafe functions, and possible security risks.
What’s confusing is that this kind of script is meant to run commands at runtime, similar to how delta executor scripts work, so the behavior sonar flags as “dangerous” is actually required for it to function.
I’m not trying to ignore real issues, but I also don’t want to mark everything as a false positive if this is just how these scripts normally behave. Has anyone else dealt with this when scanning game or automation scripts?
Just looking for a better way to handle these kinds of results without breaking the workflow. Thanks!
So first, I should point out that we don’t natively support Lua. You’re getting that with a plugin. Which is awesome! And it’s possible the maintainers didn’t follow all of our conventions in crafting the Sonar way profile, so take what I say next with a grain of salt.
For Sonar-native Sonar way profiles, we try to keep in mind how the language is typically used, and what rules make sense ~90% of the time. I’m not familiar enough with Lua to know if your usage is typical and thus whether or not these rules make sense in the Sonar way profile for Lua. But I can say that it doesn’t sound like they make sense for your current project. If the point of the project is to dynamically execute commands at runtime, then you should consider a custom quality profile that includes only the rules that reflect your needs. An easy way to get started on that would be to inherit from the existing Sonar way profile and disable these rules that aren’t relevant in the child profile. Then don’t forget to either make your new profile the default or explicitly assign it to your project.
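As an added illustration of the workflow described in the reply above (create your own profile from Sonar way, deactivate the rules that do not fit, then make it the default or attach it to the project), here is a small script against the SonarQube Web API. This is example code, not from the thread or from SonarSource. It assumes the Lua plugin registers the language key `lua`, uses obviously placeholder rule keys (look the real ones up in the Rules page of your server), and expects `SONAR_URL` and `SONAR_TOKEN` in the environment. It copies the built-in profile rather than creating a child of it, because a built-in profile is read-only and a copy can be edited freely; with `dry_run=True` it records the calls instead of sending them so the sequence can be reviewed offline.

```python
"""Build a trimmed SonarQube Quality Profile over the Web API (example code).

Assumptions (not from the original thread): language key "lua" for the Lua
plugin, placeholder rule keys, and SONAR_URL / SONAR_TOKEN pointing at a
reachable server.  Endpoints used: api/qualityprofiles/{search,copy,
deactivate_rule,add_project,set_default}.
"""
import base64
import json
import os
import urllib.parse
import urllib.request


class SonarClient:
    def __init__(self, base_url, token, dry_run=False):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.dry_run = dry_run
        self.calls = []  # (method, path, params) in the order they were issued

    def _request(self, method, path, params):
        self.calls.append((method, path, dict(params)))
        if self.dry_run:
            # Return the minimal shape callers read so the flow can continue.
            return {"profiles": [{"key": "DRY-PARENT"}], "key": "DRY-COPY"}
        query = urllib.parse.urlencode(params)
        url = f"{self.base_url}/{path}"
        data = None
        if method == "GET":
            url += "?" + query
        else:
            data = query.encode()
        req = urllib.request.Request(url, data=data, method=method)
        # Token authentication: the token is the username, password is empty.
        cred = base64.b64encode(f"{self.token}:".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
            return json.loads(body) if body else {}  # 204 responses are empty

    def profile_key(self, language, name):
        data = self._request("GET", "api/qualityprofiles/search",
                             {"language": language, "qualityProfile": name})
        profiles = data.get("profiles", [])
        if not profiles:
            raise LookupError(f"profile {name!r} for {language!r} not found")
        return profiles[0]["key"]

    def copy_profile(self, from_key, to_name):
        return self._request("POST", "api/qualityprofiles/copy",
                             {"fromKey": from_key, "toName": to_name})["key"]

    def deactivate_rule(self, profile_key, rule_key):
        self._request("POST", "api/qualityprofiles/deactivate_rule",
                      {"key": profile_key, "rule": rule_key})

    def assign_to_project(self, language, profile_name, project_key):
        self._request("POST", "api/qualityprofiles/add_project",
                      {"language": language, "qualityProfile": profile_name,
                       "project": project_key})

    def set_default(self, language, profile_name):
        self._request("POST", "api/qualityprofiles/set_default",
                      {"language": language, "qualityProfile": profile_name})


def build_trimmed_profile(client, language, parent_name, new_name,
                          rules_to_drop, project_key=None):
    """Copy parent_name, deactivate rules_to_drop in the copy, then scope it.

    With project_key the new profile is attached to that project only;
    without it the profile becomes the default for the language.
    Returns the new profile's key.
    """
    parent_key = client.profile_key(language, parent_name)
    new_key = client.copy_profile(parent_key, new_name)
    for rule in rules_to_drop:
        client.deactivate_rule(new_key, rule)
    if project_key:
        client.assign_to_project(language, new_name, project_key)
    else:
        client.set_default(language, new_name)
    return new_key


# Placeholder rule keys: replace with the keys SonarQube shows for the
# dynamic-execution / unsafe-function rules you want switched off.
DROP_RULES = ["lua:PLACEHOLDER-dynamic-execution",
              "lua:PLACEHOLDER-unsafe-function"]

if __name__ == "__main__":
    client = SonarClient(os.environ.get("SONAR_URL", "http://localhost:9000"),
                         os.environ.get("SONAR_TOKEN", ""),
                         dry_run="SONAR_TOKEN" not in os.environ)
    build_trimmed_profile(client, "lua", "Sonar way",
                          "Sonar way - runtime exec", DROP_RULES,
                          project_key="my-lua-project")
    for method, path, params in client.calls:
        print(method, path, params)
```

Run it once without `SONAR_TOKEN` to see the exact calls it would make, then with the token to apply them; drop `project_key` if you want the trimmed profile to become the default for every Lua project on the server instead of just this one.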