I am an appsec engineer interested in using Sonar Cloud for static security scanning. What I need to understand is how Sonar Cloud handles “second party dependencies” (code written by us but not immediately available to source code analysis). If, say, a string comes into an API endpoint, passes through a nuget package that we built, and then goes into a SQL statement, how does Sonar Cloud handle that? It can’t see all the code all at once because it either analyzes the API code or the nuget package code but not both at the same time. Does it treat the call to the nuget code as if it doesn’t exist and continue analyzing the code, or does it simply not analyze code it doesn’t have and stop when it sees the call to the nuget package?
Imagine a situation where a nuget package calls into the database, adds the result of a SQL query onto a string that it is passed, and then returns the final string. There could be, say, second-order SQL injection vulns involving nuget packages and we wouldn’t have any visibility into them, right?
All static analysis solutions have blind spots of some sort and I want to understand blind spots in Sonar Cloud relating to second party code better.
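The cross-package flow the question describes, as an added C# example that is not from the original post: a hypothetical in-house package (Acme.Lookup) whose method splices its argument into SQL, called from a hypothetical API controller, with a parameterised version alongside. The ASP.NET Core and Microsoft.Data.SqlClient types, the Labels table and the injected connection are all assumptions.

```csharp
// Two projects shown in one file for brevity; the package ships compiled.
using System.Data;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Data.SqlClient;

namespace Acme.Lookup   // second-party package built in-house (hypothetical)
{
    public static class LabelService
    {
        // VULNERABLE variant: the caller's string is spliced into SQL text.
        // Also note the return value carries data read back from the database,
        // so callers that later reuse it in SQL face the second-order case.
        public static string AppendLabelUnsafe(SqlConnection conn, string input)
        {
            using var cmd = conn.CreateCommand();
            cmd.CommandText = "SELECT Label FROM Labels WHERE Code = '" + input + "'";
            var label = cmd.ExecuteScalar() as string ?? "";
            return input + ":" + label;
        }

        // HARDENED variant: identical contract, value bound as a parameter.
        public static string AppendLabel(SqlConnection conn, string input)
        {
            using var cmd = conn.CreateCommand();
            cmd.CommandText = "SELECT Label FROM Labels WHERE Code = @code";
            cmd.Parameters.Add("@code", SqlDbType.NVarChar, 64).Value = input;
            var label = cmd.ExecuteScalar() as string ?? "";
            return input + ":" + label;
        }
    }
}

namespace Acme.Api   // the project actually under analysis (hypothetical)
{
    using Acme.Lookup;
    [ApiController]
    [Route("api/[controller]")]
    public class LabelsController : ControllerBase
    {
        private readonly SqlConnection _conn;          // assumed to be injected
        public LabelsController(SqlConnection conn) => _conn = conn;

        // Source: route value under the caller's control. Within this project the
        // taint trail ends at the call below; the sink sits inside the package.
        [HttpGet("{code}")]
        public string Get(string code) => LabelService.AppendLabelUnsafe(_conn, code);
    }
}
```

Scanning only Acme.Api shows the route value entering an opaque call; scanning only Acme.Lookup shows a string parameter reaching a SQL sink with no visible source, which is the gap the question is about.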