Plugin for lua for bugs and vulnerabilities

I am using the configuration below for SonarQube for my Lua project.

sonar-lua-plugin-1.0.jar, sonar-scanner-

This shows only code smells, not bugs and vulnerabilities.
I wanted to know if it requires any specific report to be passed for sonar.externalIssuesReportPaths in order to show the bugs and vulnerabilities.

I have tried it with TAP
luacheck * --formatter TAP > luacheck.tap

sonar.luacheck.reportPath = ./luacheck.tap
However, it is not able to show the bugs and vulnerabilities.

Malaya Barik

Hello @malayamanjari
thanks for joining the community!
The sonar-lua plugin is not provided nor maintained by SonarSource, you should refer any problem with it to its owner. Obviously the sonar-lua project seems rather old and may be in search of some maintainers. Don’t hesitate to contribute there.
And from what I see of the proposed rules, this plugin would raise only code smells.

If you use some external analyser tool (luacheck), you may import its reports through the Generic Issue Import Format. The luacheck rules seem also mostly focused on maintainability issues (code smells) though.

Side note: I noticed that you were using an ancient (2018) version of the scanner. You should make sure that you use up-to-date versions of the scanner and SonarQube.

Best regards
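
An added example, not part of the original thread and not SonarSource or sonar-lua code: one way to turn luacheck output into a Generic Issue Import Format file that can be passed through `sonar.externalIssuesReportPaths`. It assumes luacheck was run with `--formatter plain --codes`, that the SonarQube version in use accepts the `issues`-only JSON layout, and that mapping `E` codes to `BUG` and `W` codes to `CODE_SMELL` is acceptable (that mapping, the function names and the sample lines are constructed for illustration).

```python
import json
import re

# Constructed sample of `luacheck --formatter plain --codes` output.
SAMPLE = """\
src/auth.lua:12:7: (W211) unused variable 'token'
src/auth.lua:30:1: (W113) accessing undefined variable 'chekc_sig'
src/util.lua:4:9: (E011) expected 'then' near 'end'
Total: 2 warnings / 1 error in 2 files
"""

# file:line:col: (Xnnn) message
LINE_RE = re.compile(
    r"^(?P<file>.+?):(?P<line>\d+):(?P<col>\d+): "
    r"\((?P<code>[EW]\d{3})\) (?P<msg>.+)$"
)


def classify(code):
    """Assumed mapping: luacheck errors become bugs, warnings code smells.
    luacheck has no security rules, so nothing maps to VULNERABILITY."""
    if code.startswith("E"):
        return "BUG", "MAJOR"
    return "CODE_SMELL", "MINOR"


def luacheck_to_generic(report_text, engine_id="luacheck"):
    """Convert plain luacheck output into a generic-issue dict."""
    issues = []
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip the summary line and anything unparseable
        issue_type, severity = classify(m["code"])
        issues.append({
            "engineId": engine_id,
            "ruleId": m["code"],
            "type": issue_type,
            "severity": severity,
            "primaryLocation": {
                "message": m["msg"],
                "filePath": m["file"],
                # Columns are omitted: luacheck reports a single column,
                # not a range, so only the line is carried over.
                "textRange": {"startLine": int(m["line"])},
            },
        })
    return {"issues": issues}


if __name__ == "__main__":
    print(json.dumps(luacheck_to_generic(SAMPLE), indent=2))
```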


Is there a way to assign Lua issues with an external checker without the Lua plugin? The issues can be imported with the Generic Issue Format, but how can I read (index) the source files?