File analysis using an external tool - the most efficient way

Hi,

I’m trying to write a plugin to run security analysis using a thirdparty tool.

According to you, what is the most efficient way to execute the external tool? Do I need to save the whole source code in a temporary location and run the analysis later? Or do I have to analyse file by file using `InputFile.contents()`?

Thanks for your help.

EDIT :
SonarQube version 7.4
My external analyzer is installed on the same machine as the SonarQube server

Hi,

It really depends on how your external tool works. Does it take advantage of analyzing all files together? Is it Java based?

If the tool produces a clean report, what you can do is to code your SQ plugin so that it simply parses this report, and let users run the external tool themselves. It has several benefits:

  • users control all tool parameters
  • in case of failure, it is easier to investigate, because the two steps are properly separated
  • coding the plugin is simpler (you just have to add one property to pass the report path, and then the report parser)

Hi,

Thanks for your reply.

My external analyzer is Python based, so it will be a hard task to run both Sonar and Bandit on the same machine.

Furthermore, my external tool produces a JSON report, so it is simple to import the report by adding a property as you explained.

Even simpler might be that you convert this JSON report to the Generic Issue Format (before even running the SonarQube scan), and then import issues with one simple property at analysis time. That way no need for a plugin, and less maintenance down the road! 👌
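The conversion suggested in the last reply, written out as an added example that is not part of the thread and not code from SonarSource or the Bandit project. It turns a Bandit JSON report into SonarQube's Generic Issue Format, the shape imported through `sonar.externalIssuesReportPaths` (available since SonarQube 7.2, so it applies to the 7.4 setup in the question). The sample Bandit report is constructed inline; its key names (`results`, `filename`, `line_number`, `line_range`, `test_id`, `issue_severity`, `issue_confidence`, `issue_text`) follow Bandit's `-f json` output as I know it, and the severity mapping and the choice to report every finding as a `VULNERABILITY` are my own assumptions, not something either tool prescribes.

```python
import json
import sys

# Constructed sample of a Bandit "-f json" report (not taken from the thread).
BANDIT_REPORT = json.dumps({
    "results": [
        {
            "filename": "app/auth.py",
            "line_number": 12,
            "line_range": [12],
            "test_id": "B105",
            "test_name": "hardcoded_password_string",
            "issue_severity": "LOW",
            "issue_confidence": "MEDIUM",
            "issue_text": "Possible hardcoded password: 'hunter2'",
        },
        {
            "filename": "app/db.py",
            "line_number": 40,
            "line_range": [40, 41],
            "test_id": "B608",
            "test_name": "hardcoded_sql_expressions",
            "issue_severity": "MEDIUM",
            "issue_confidence": "LOW",
            "issue_text": "Possible SQL injection vector through string-based query construction.",
        },
    ]
})

# Assumed mapping from Bandit severities to SonarQube's BLOCKER/CRITICAL/MAJOR/MINOR/INFO.
# Anything unrecognised falls back to INFO so that a new Bandit value never breaks the import.
SEVERITY_MAP = {"HIGH": "CRITICAL", "MEDIUM": "MAJOR", "LOW": "MINOR"}


def bandit_to_generic(report_text: str, engine_id: str = "bandit") -> dict:
    """Convert a Bandit JSON report (as text) into a Generic Issue Format document."""
    data = json.loads(report_text)
    issues = []
    for result in data.get("results", []):
        # Bandit gives both line_number and line_range; prefer the range when present
        # so multi-line findings keep their full extent in SonarQube.
        lines = result.get("line_range") or [result["line_number"]]
        confidence = result.get("issue_confidence", "UNDEFINED")
        issues.append({
            "engineId": engine_id,
            "ruleId": result["test_id"],
            "severity": SEVERITY_MAP.get(str(result.get("issue_severity", "")).upper(), "INFO"),
            # Bandit findings are security checks, so they are reported as vulnerabilities
            # (assumption; BUG or CODE_SMELL are the other accepted types).
            "type": "VULNERABILITY",
            "primaryLocation": {
                # Keep the confidence in the message: Generic Issue Format has no field for it.
                "message": f"{result['issue_text']} (confidence: {confidence})",
                # filePath must be relative to the directory the scanner treats as project base.
                "filePath": result["filename"],
                "textRange": {"startLine": min(lines), "endLine": max(lines)},
            },
        })
    return {"issues": issues}


def convert_file(src_path: str, dst_path: str) -> int:
    """Read a Bandit report from src_path, write the converted report to dst_path, return issue count."""
    with open(src_path, "r", encoding="utf-8") as src:
        generic = bandit_to_generic(src.read())
    with open(dst_path, "w", encoding="utf-8") as dst:
        json.dump(generic, dst, indent=2)
    return len(generic["issues"])


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(f"wrote {convert_file(sys.argv[1], sys.argv[2])} issues to {sys.argv[2]}")
    else:
        # No arguments: demonstrate on the constructed sample.
        print(json.dumps(bandit_to_generic(BANDIT_REPORT), indent=2))
```

Run Bandit with `-f json -o bandit.json` first, convert with `python convert.py bandit.json bandit-generic.json`, then pass `-Dsonar.externalIssuesReportPaths=bandit-generic.json` to the scanner; `filePath` values have to resolve against the scanner's project base directory, which is the usual reason imported issues silently disappear.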