Must-share information (formatted with Markdown):
- SonarQube 10.4.1
- Trying to cache and scan SonarScanner CLI
We’ve been using the dotnet-sonarscanner tool (NuGet Gallery | dotnet-sonarscanner 8.0.2) with great success in our CI pipelines for both C# and C++ Visual Studio projects. Additionally, as dotnet-sonarscanner is provided as a NuGet package, we’re able to harden our supply chain by using a package-caching system such as JFrog Artifactory with its Xray scanner.
When trying to add scanning to embedded C++ projects, we found that the dotnet-sonarscanner can’t do it and that the SonarScanner CLI scanner must be used. We then found that SonarScanner CLI is a ZIP file download from the SonarQube website rather than a proper package that can be digitally signed, cached, and scanned for supply-chain robustness.
Would it be possible to publish SonarScanner CLI as a proper package? Ideally it would be incredibly useful to have a “God-Scanner” package which can do it all - we don’t care about the size as it will get cached once rather than dealing with lots of niggly little downloads.
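Until the scanner ships as a signed package, the usual stop-gap for a bare ZIP download is to pin its SHA-256 in the pipeline and fail closed when the artifact changes. The script below is an added example, not code from the original post or from SonarSource; the file name and digests it uses are constructed for the demo, and the real checksum for a given SonarScanner CLI release would have to be taken from the vendor's download page and recorded in the repository alongside the version.

```shell
#!/bin/sh
# Added example (not from the original post): pin the SHA-256 of a downloaded
# archive so CI fails closed if the artifact differs from what was reviewed.
# The file and digests used in demo() are constructed, not real scanner values.

# Compute a SHA-256 hex digest portably (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_artifact FILE EXPECTED_SHA256
# Returns 0 only when the digest matches; any other outcome returns 1 so a
# pipeline step using `set -e` stops before the archive is unpacked or run.
verify_artifact() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing artifact: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file expected=$expected actual=$actual" >&2
    return 1
}

# Demo on a constructed file standing in for sonar-scanner-cli.zip.
demo() {
    tmp=$(mktemp)
    printf 'constructed archive contents\n' > "$tmp"
    pinned=$(sha256_of "$tmp")           # what a reviewer would have recorded
    verify_artifact "$tmp" "$pinned"     # matches: prints OK
    # Tampered or swapped download: digest differs, step is rejected.
    verify_artifact "$tmp" "0000000000000000000000000000000000000000000000000000000000000000" \
        || echo "rejected as expected"
    rm -f "$tmp"
}

demo
```

In a real pipeline the pinned digest lives in version control next to the scanner version, so a bump to either is a reviewable change, and the cached copy in Artifactory is verified the same way after it is fetched, not only at the time it was first uploaded.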