We are trying to scan our react-native project, which outputs both an Android and an iOS app. Most of the code is TypeScript coming from NPM, so we started our analysis using the SonarQube Scanner (v4.8.0).
To make sure everything was working, we initially ignored the android and ios directories to scan everything else. After configuring the necessary props, this worked fine.
Now, since some of our projects do have some manual Java and Swift code, and of course a nice list of dependencies in Gradle and CocoaPods, we would like to include those in the analysis as well.
We started with the Android part: adding source and binaries was easy, but we can't figure out how to set the libraries. Now in some other posts and documentation it is said to instead use the Gradle plugin to do the analysis, but I'm not sure if that will do analysis on the NPM and iOS parts?
Does anybody have any suggestions on the best/easiest way to scan my react-native project? Maybe even an example on a small project (e.g. the base project generated with 'npx react-native init')...
Or is it possible to maybe run the gradle-plugin on the Android directory and combine it into the results from the CLI scanner that I would (try to) run on the rest of the project?
For us one of the most important parts is to get the list of dependencies and (using the license-plugin in our Sonar) the licenses used.
That wouldn't work. You can't add to an analysis; only replace it. Fortunately, you don't need to.
Analysis is always multi-language, regardless of which scanner you use. The gotcha is that for the language/environment-specific scanners... well, they're environment-specific. So for example, if you use the SonarScanner for Maven, by default it will give a very Maven-centric, i.e. Java-centric view of what's "source code" and not feed non-Java files in to analysis. The same with some older .NET projects and the SonarScanner for .NET.
I'm not actually sure whether the SonarScanner for Gradle will give you a Java-only view of the source files, but if it does, you can easily override that. And yes, the SS4Gradle will fill in the libraries for you, so that's probably what you want to use.
Regarding the Swift code, you haven't mentioned what edition you're using, and support for Swift starts in Developer Edition ($), so that might be a stumbling block.
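As an added illustration of the override the answer above mentions (this is example configuration written for this page, not code from the thread or from any Sonar or react-native project): a Sonar block for the `android/build.gradle` of a react-native workspace that applies the SonarScanner for Gradle and widens `sonar.sources` so the TypeScript outside the Android module is analysed in the same run, while the plugin keeps filling in `sonar.java.binaries` and `sonar.java.libraries` for the Java modules. The plugin id, the `sonarqube { properties { } }` DSL and the `sonar.*` property names are the documented ones; the plugin version, project key, server URL, directory layout and `sonar.projectBaseDir` trick are assumptions for illustration and must be adapted to your project.

```groovy
// android/build.gradle (Groovy DSL) of a react-native workspace.
// Assumed layout: <root>/android (this Gradle build), <root>/ios (CocoaPods),
// <root>/src and <root>/__tests__ (TypeScript), <root>/coverage/lcov.info (Jest).
// All values below marked "assumed" are placeholders, not values from the thread.

plugins {
    // SonarScanner for Gradle. The plugins {} block must be the first statement in
    // the file; the version is assumed, pin whatever your server supports.
    id "org.sonarqube" version "4.4.1.3373"
}

sonarqube {
    properties {
        property "sonar.projectKey", "my-rn-app"                      // assumed
        property "sonar.projectName", "My React Native App"           // assumed
        property "sonar.host.url", "https://sonar.example.internal"   // assumed

        // Never commit the token: pass it on the command line or via an env var
        // (-Dsonar.login=... for older servers, -Dsonar.token=... for 10.x+).

        // Make the analysis root the repo root instead of android/, so sources
        // outside the Android module can be listed (assumed to be needed here).
        property "sonar.projectBaseDir", ".."

        // Override the Java-centric default view of "source code": analyse the
        // TypeScript/JavaScript next to the Android module's Java sources.
        property "sonar.sources", "src,index.js,android/app/src/main/java"
        property "sonar.tests", "__tests__"

        // Keep vendored and generated code out of the analysis.
        property "sonar.exclusions", "**/node_modules/**,**/build/**,**/Pods/**,**/*.generated.*"

        // Optional: Jest coverage for the JS/TS part (path assumed).
        property "sonar.javascript.lcov.reportPaths", "coverage/lcov.info"
    }
}
```

Run it from the `android` directory with `./gradlew sonarqube -Dsonar.login="$SONAR_TOKEN"` (newer plugin versions name the task `sonar` and accept `-Dsonar.token`). The Java binaries and the Gradle dependency jars are contributed per module by the plugin, so nothing needs to be set for them by hand; Swift under `ios/` will still only be analysed on an edition that ships the Swift analyser.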
Thanks for the info! I guess I'll try to get the project running using SS4Gradle and adapt it to also scan our Node stuff.
Also, thanks about the heads-up on Swift and Dev Edition, I didn't know that. We are currently on Community, but this might be a reason for us to switch to another edition, if the company really wants those results...