Should I analyze the dist folder to catch bugs found by interprocedural analysis?

Must-share information:

  • I am using SonarQube 7.9.1.
  • I am trying to ensure that all bugs that would be found by use of a library in a certain way are found.
  • I have run SonarQube with the default setting to ignore what is in my .gitignore file (so dist is ignored).

I am wondering whether I might miss finding bugs if I do not analyze dist. Suppose my function foo() calls a library function bar() in a way that creates a bug that SonarQube would report only because of the way in which foo() uses bar(). (In other words, it’s the particular combination that causes the bug.)

Is this only doable if I do analyze the dist folder populated by Webpack? Or can this be achieved without analyzing dist?

Indeed, if you want to know about the bugs in a dependency, analyzing its sources is the only way.
Yet we don’t recommend that: generated and third-party code should not be analyzed. In other words, analyze only code which you can change/fix, and focus on the quality of the code you own.