Restriction of the download of scanner plugins to those that are essentially needed

Hello @Rebse,

Thanks for the feedback.

In the context of improving the performance of the scanner and not spending time downloading plugins for nothing, we did attempt to make the Scanner clever enough to guess which plugins are required or not according to the files that will be analyzed. Unfortunately, we stopped that initiative because, from a performance perspective, it was not better or worse.

The scanner has access to the SonarQube server settings, so if only Java sources are to be scanned, it should be sufficient to only download the Sonar core and Java plugin!?

The thing is that we can’t trust the previous analysis of a given project to determine which plugins are required. Imagine that you are playing with sonar.inclusions|exclusions parameters and you decide now to include more files, and more languages. Looking at SQ server settings won’t work. It would be the same if you were doing just Java in your project and then decided to have some Python or TypeScript files in your repo.

The underlying need here is to be in control of what will be downloaded/executed on the Scanner side, and maybe one solution could be to give project administrators the freedom to activate/deactivate analyzers/3rd party plugins at a project level.

What do you think about this idea? Would that work for you to go into your 100+ projects and customize the “plugins” activated?

Alex
