Should I analyze the dist folder to catch bugs found by interprocedural analysis?

ciq_dev · September 24, 2019, 2:22pm

Must-share information:

I am using SonarQube 7.9.1.
I am trying to ensure that all bugs that would be found by use of a library in a certain way are found.
I have run SonarQube with the default setting to ignore what is in my .gitignore file (so dist is ignored).

I am wondering whether I might miss finding bugs if I do not analyze dist. If my function foo() calls a library function bar() in a way that creates a bug that SonarQube would report only because of the way in which foo() uses bar(). (In other words it’s the particular combination that causes the bug.)

Is this only doable if I do analyze the dist folder populated by Webpack? Or can this be achieved without analyzing dist?

Lena · October 8, 2019, 7:31am

Indeed, if you want to know about the bugs in a dependency, analyzing its sources is the only way.
Yet we don’t recommend that, generated and third-party code should not be analyzed. In other words analyze only code which you can change/fix, focus on the quality of the code you own.

Topic		Replies	Views
Should I exclude the /dist folder from sonarQube scan SonarQube Server / Community Build	2	1558	October 19, 2023
Why SonarQube recommends to exclude javascript libraries from the analysis SonarQube Server / Community Build sonarqube	1	2097	May 27, 2019
Can I scan a third party library? SonarQube Server / Community Build sonarqube	3	6425	August 28, 2020
Third party / first party code analysis SonarQube Server / Community Build	1	292	June 16, 2022
Sonar.java.libraries SonarQube Server / Community Build	5	4658	February 24, 2023

Should I analyze the dist folder to catch bugs found by interprocedural analysis?

Related topics