I am using SonarQube version 6.7.5. I ran sonar-maven-plugin:3.2 to scan an application. From the SonarQube documentation, it seems the analysis is run locally and the code remains on my machine. I am wondering if the code is sent to the SonarQube server for displaying the issues after the analysis is done with the Scanner for Maven.
I would not like my code to leave my machine. Can somebody explain what happens under the hood with the source?
Thanks,
Kannan
Hi Kannan Corp, welcome to the community!
When the scanner runs, an analysis report is prepared which includes the current source analyzed for the project. This report is sent to the SonarQube server, processed by our Compute Engine, and the results are finally posted within the UI. This means that, yes, your source is sent to the server and stored in the SonarQube database for use in displaying code-level metrics and issues within their code context. If you have concerns regarding this, we'd recommend you make sure your instance is secured and (re)visit your security settings within SonarQube to control who has access to the project source code.
Also, SonarQube 6.7.x is no longer supported. We strongly encourage you to upgrade at least to the current LTS release (7.9).
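Since the analysis report uploads the analysed source, the server's own access controls decide who can read it afterwards. The script below is an added example (not from this thread and not SonarSource's own code) that audits which projects on an instance are visible to everyone, which is the setting to revisit if source must stay restricted. It assumes a SonarQube instance at `SONAR_URL`, a user token with the Administer System permission in `SONAR_TOKEN`, and the Web API endpoint `api/projects/search` with its `components[].visibility` field; the sample response is constructed so the filter can be exercised offline.

```python
"""Audit SonarQube project visibility via the Web API.

Added example, not from the forum thread or SonarSource. Because the scanner
uploads the analysed source to the server, the server-side access controls
decide who can read it. This lists projects whose visibility is "public",
i.e. readable by anyone who can reach the instance (or by anonymous users if
"Force user authentication" is off).

Assumptions (labelled): a SonarQube instance at SONAR_URL, a user token in
SONAR_TOKEN, and the endpoint api/projects/search whose JSON response carries
a "components" array with "key", "name" and "visibility".
"""
import base64
import json
import os
import urllib.request

SONAR_URL = os.environ.get("SONAR_URL", "http://localhost:9000")  # assumption
SONAR_TOKEN = os.environ.get("SONAR_TOKEN", "")                   # assumption


def find_public_projects(search_response):
    """Return (key, name) pairs for projects whose visibility is not "private".

    `search_response` is the parsed JSON of api/projects/search. A missing
    visibility field is treated as public so the audit errs on the side of
    flagging a project rather than silently skipping it.
    """
    public = []
    for comp in search_response.get("components", []):
        if comp.get("visibility", "public") != "private":
            public.append((comp["key"], comp["name"]))
    return public


def fetch_projects_page(page=1, page_size=500):
    """Call api/projects/search for one page (500 is the API's maximum page size).

    Token auth: the token is sent as the Basic-auth username with an empty password.
    """
    url = f"{SONAR_URL}/api/projects/search?p={page}&ps={page_size}"
    req = urllib.request.Request(url)
    creds = base64.b64encode(f"{SONAR_TOKEN}:".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response, shaped like api/projects/search output, so the
# filter can be run without a live server.
SAMPLE_RESPONSE = {
    "paging": {"pageIndex": 1, "pageSize": 100, "total": 3},
    "components": [
        {"key": "com.example:billing", "name": "Billing", "visibility": "private"},
        {"key": "com.example:portal", "name": "Portal", "visibility": "public"},
        {"key": "com.example:legacy", "name": "Legacy", "visibility": "public"},
    ],
}

if __name__ == "__main__":
    # Runs against the constructed sample; replace SAMPLE_RESPONSE with
    # fetch_projects_page() (looping over pages) for a live audit.
    for key, name in find_public_projects(SAMPLE_RESPONSE):
        print(f"PUBLIC  {key}  ({name})")
```

Projects reported as public can be switched to private in the UI (Project Settings > Permissions) or with the `api/projects/update_visibility` endpoint; combined with "Force user authentication" this keeps the uploaded source readable only by users who were explicitly granted Browse on the project.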
Thanks Jeff for the clarification. Appreciate it.
We will migrate to 7.9 or 8.x asap.