Hi everyone,
I’m running into something odd when analyzing some small Lua-style automation scripts in SonarQube. A few of them are being flagged for security and code-quality issues even though they’re pretty minimal and don’t seem to do anything unsafe.
In a recent chat about how people use scripts with executors to test and prototype lightweight logic, someone shared a few examples for learning and experimentation, and that’s where I first noticed these warnings popping up. It made me wonder whether SonarSource’s ruleset is being a bit too aggressive for this type of script, or if I’m missing a best-practice way to structure or annotate them.
Has anyone else seen similar false positives with non-traditional or embedded scripting languages? Are there recommended profiles, exclusions, or rule tweaks that make SonarQube more accurate for this kind of code?