Hi,
I’m trying to write a plugin to run security analysis using a thirdparty tool.
According to you, what is the most efficient way to execute the external tool ? Do I need to save the hole code source in a temporary location and run analysis later ? or I have to analyse file by file using the << InputFile . contents() >> ?
Thanks for your help.
EDIT :
Sonarqube version 7.4
My external analyzer is installed in the same machine as sonarqube server
Hi,
It really depends how your external tool works. Does it take advantage of analyzing all files together? Is it Java based?
If the tool produces a clean report, what you can do is to code your SQ plugin so that it simply parse this report, and let users run them self the external tool. It has several benefits:
Hi,
Thanks for yor reply.
My external analyzer is Python based, so it will be a hard task to run both Sonar and Bandit in same machine.
Further more, my external tool produce a JSON report, so it is simple to import the report by adding a property as you explained.
Even simpler might be that you convert this JSON report to the Generic Issue Format (before even running the SonarQube scan), and then import issues with one simple property at analysis time. That way no need for a plugin, and less maintenance down the road!