which versions are you using - SonarQube Enterprise Edition - 8.9.2
what are you trying to achieve - Need architecture flow on how internally sonar analyzer scans code and lines of code
Need brief info on how Sonar Analyzer works internally at backend. Need complete architecture flow on how internally sonar analyzer scans code and lines of code and produces results.
Also what are the concepts and tools present when the Sonar Analyzer analyzes the code?
Hi,
Welcome to the community!
This is not something we keep lying around. Feel free to look at the code of the open source analyzers, e.g. PHP, and Java.
Also, would you mind explaining why you want this?
HTH,
Ann
Hi Ann,
Thanks for the response.
We are proposing the implementation of SonarQube in our project. Hence we need to explain the stakeholders that how our code is being scanned actually and what is happening behind every sonar scan.
I would be much helpful if i get architecture overview of how these open source analyzers work and what specific analyzers sonar scanner use to scan the code.
Thanks,
Jeba
Hi Jeba,
There’s a high-level architecture diagram on the homepage of the docs, but I doubt it’s what you’re looking for. As I said, we just don’t keep this lying around.
If you’re worried about the code being sent somewhere during analysis, it does get sent to the SonarQube server at the end of the analysis, but only there and nowhere else. Scan the network traffic during analysis if you want to verify that.
Regarding what actually happens during analysis, try turning on debug logging with -Dsonar.log.level=DEBUG on the analysis command line (docs) and you’ll learn far more than you ever cared to about what goes on. 
HTH,
Ann
Hi Ann,
Thanks for the response.
The architecture shows only the external workflow how Sonarscanner works which is pretty straight forward. I am bit worried and eager to know more on how sonar analyzers and tool associated with it is scanning each rule set of Sonarqube against the code to be scanned and producing metrics based on the outcome of the analysis.
Also on the code movement part, do our entire codebase is copied to SonarQube post analysis? If is it so, what is the data security policies we are offering ?
What is the guarantee that our code is secured? Also is there any retention policy of destroying/removing old codes?
Will the code moved to SonarQube will be removed once analysis is completed? or only metrics will be backed up?
Thanks
Jeba
Hi Jeba,
Yes
It’s not clear to me what you’re asking.
Your SonarQube instance is entirely self-managed, so the security is up to you. New instances require authentication by default. I would leave that on if I were concerned about security. Additionally, you may not want to expose your SonarQube instance to the internet.
Each project’s code will be present in SonarQube for as long as the project is. If you want to remove a project’s code from SonarQube, simply delete the project. But of course by doing that, you’ll lose all the findings on the project as well.
HTH.
Ann
Hi Ann,
Thanks for the detailed response…
Only one thing which i need to know is this 
how sonar analyzers and tool associated with it is scanning each rule set of Sonarqube against the code to be scanned and producing metrics based on the outcome of the analysis?
If you would help me with some workflows or diagram this will be much appreciated!
Thanks
Jeba
Hi Jeba,
I don’t have that to give you. Really. As I said before, several of the analyzers are open source. Feel free to go code diving.
Ann