How good is it to scan open source dependencies?

Hi, I’m trying Scanner 8.2 with Python as well as Go. Wondering how good it is at scanning open source dependencies? Where can I dig out any dependency findings from the scan report? Thank you,
Nan

Not to promote a different product, but for open source vulnerabilities and license risk I use WhiteSource Bolt. The free tier is easy to use and complements SonarQube nicely in my pipelines.


Scanning 3rd party dependencies isn’t SonarQube’s focus, which is why you won’t be finding an obvious way to break out dependency findings from your own issues. Our emphasis is on reporting issues in code that’s under your direct control, so you as a developer can fix those issues and raise your own quality level. If you need help refining your project’s scope to just focus on the source code you’re responsible for, check out our Narrowing the Focus topic.

Of course scanning dependencies for vulnerabilities is still a great idea! If you must use SonarQube for it, consider analyzing the dependencies as entirely separate projects so you don’t create noise in your main code projects. Or consider other products instead. Here’s a nice webinar we did ~6 months ago involving our friends at Snyk, offering more clarity on how we see SonarQube versus other types of security analysis tools.

Hope this helps!
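The two pieces of advice in that answer (narrow the main project to code you own, and scan vendored dependencies as a separate project if you scan them at all) can be expressed as scanner configuration. The following is an added example, not configuration from the original post or from SonarSource; the project keys, directory names (`vendor/`, `.venv/`) and the Go-plus-Python layout are assumptions chosen to match the poster's setup. The property keys (`sonar.projectKey`, `sonar.sources`, `sonar.tests`, `sonar.exclusions`) are standard sonar-project.properties keys.

```properties
# --- Before: one project, everything under the repo root is analysed. ---
# Vendored Go modules and the Python virtualenv are indexed as if they were
# your own code, so third-party findings are mixed into your issue list and
# you cannot tell them apart in the report.
#
# sonar.projectKey=myservice
# sonar.sources=.

# --- After (main project): only the code the team is responsible for. ---
# Assumed layout: Go code at the root with deps vendored into vendor/,
# Python tooling in scripts/ with a virtualenv in .venv/.
sonar.projectKey=myservice
sonar.projectName=My Service (first-party code)
sonar.sources=.
sonar.tests=.
sonar.test.inclusions=**/*_test.go,**/test_*.py
# Exclude third-party and generated code from the main analysis so the
# dashboard reflects issues the team can actually fix.
sonar.exclusions=vendor/**,.venv/**,**/site-packages/**,**/*.pb.go,**/__pycache__/**

# --- After (optional second project, separate sonar-project.properties): ---
# If you still want SonarQube findings on the vendored code, analyse it as
# its own project so it never adds noise to the first-party quality gate.
# Keep this in a separate file / pipeline job; shown here for comparison only.
#
# sonar.projectKey=myservice-vendored-deps
# sonar.projectName=My Service (vendored third-party code)
# sonar.sources=vendor
# sonar.exclusions=**/*_test.go
```

The first-party project's quality gate then measures only code under your control, which is the behaviour the answer describes, while the optional second project gives a place to look at dependency issues without conflating them with your own. Dependency-level vulnerability matching (known CVEs per package version) is still a job for a dedicated software composition analysis tool, as the thread notes.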