JavaScript plugins are throwing a lot of issues and vulnerabilities

Hi Team,

We are interested in doing analysis using SonarCloud.

Our project is on ReactJS with Java as a backend.

We are using multiple JS plugins in the UI part like jQuery UI, Bootstrap and DataTables. When I run the SonarQube analysis, those plugins are throwing many issues and vulnerabilities. I tried to update the plugins to the latest version, but that throws even more issues.

In a few forums I have read that we need to exclude the JS plugins from the SonarQube analysis. If that is true, please give us some suggestions or input.

Third-party libraries should not be scanned and should often be excluded by default (for example, if they are in a node_modules folder).

If that’s not enough, you can further Narrow the Focus in lots of fancy ways.

We have a few plugins that do not come through node_modules; they are placed in the plugins folder and imported in index.html, and these are the ones causing issues. Would you suggest excluding them as well?

Whether they are imported in index.html will not matter. If they are in the sources you want to scan, they’ll get scanned (an oversimplification, but for your purposes I think it will be useful to think of it that way!).

So it might make sense to set an exclusion for the whole directory (plugins/**/*) or just individual libraries (plugins/jquery.js,plugins/bootstrap.css).

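As an added illustration (not part of the reply above, and not taken from the poster's project), this is how the two exclusion styles Colin describes would look in a scanner configuration file. The only Sonar keys used are `sonar.projectKey`, `sonar.sources` and `sonar.exclusions`; the project key, source directory and plugin file names are placeholders for whatever the project actually uses. The second `sonar.exclusions` line is commented out because a property can only be set once; pick the directory-wide or the per-file form, not both.

```properties
# sonar-project.properties (constructed example)
sonar.projectKey=my-react-ui          # placeholder
sonar.sources=src                     # where the hand-written React code lives

# Option A: keep the whole vendored plugin directory out of analysis.
# node_modules is already excluded by default, so it is not listed here.
sonar.exclusions=plugins/**/*

# Option B: exclude only the individual third-party files and keep
# anything else under plugins/ in scope (comma-separated, one property).
#sonar.exclusions=plugins/jquery.js,plugins/bootstrap.css,plugins/datatables.min.js
```

Excluding a vendored library from analysis removes its findings from the report; it does not change the risk the library carries, so the version that ships in `plugins/` still needs to be kept current the way it would be for a dependency under `node_modules`.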

Thanks for the support @Colin_SonarSource . I will add them to the exclusion list.
