SonarQube finds vulnerabilities, and you can check the code flow for a particular vulnerability.
But the code flow IS ALWAYS INSIDE ONE SOURCE CODE FILE. That means the entry point and exit point of a vulnerable code flow are always inside one file, while the real code flow goes through multiple files.
I intentionally created vulnerable code split into 2 files; SonarQube found the vulnerability in the 2nd file, but the code flow doesn't go to the 1st file, to the real entry point.
I also tried a few more tests and verified that the 1st file doesn't matter at all.
The strangest thing here: to perform a scan, SonarQube requires compiled classes, and the official documentation says compiled classes are required only if the project contains more than one source file.
So why does SonarQube require .class files for a project with more than one Java file, if the code flow is not analyzed across all files?
SonarQube version: 8.5
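A minimal two-file test case of the kind described above (an added example, not the poster's own code): the user-controlled value enters in `UserController` and reaches a string-concatenated SQL query in `UserRepository`, so a taint analysis has to follow the call across the file boundary to report the full flow from the real entry point. The class and method names, the `javax.servlet` request and the JDBC connection are assumptions; a hardened `findUserSafe` with a parameterised query is shown beside the vulnerable method.

```java
// File 1 (constructed): UserController.java -- the real entry point
import javax.servlet.http.HttpServletRequest;

public class UserController {
    private final UserRepository repo = new UserRepository();

    // Source: request parameter is attacker-controlled
    public String show(HttpServletRequest request) throws Exception {
        String name = request.getParameter("name");
        return repo.findUser(name); // taint crosses into the second file here
    }
}

// File 2 (constructed): UserRepository.java -- where the sink lives
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;

public class UserRepository {
    private Connection conn; // assumed to be injected elsewhere

    // Sink: deliberately vulnerable, the value is concatenated into SQL syntax
    public String findUser(String name) throws Exception {
        Statement st = conn.createStatement();
        ResultSet rs = st.executeQuery(
            "SELECT email FROM users WHERE name = '" + name + "'");
        return rs.next() ? rs.getString(1) : null;
    }

    // Hardened form: bound parameter, the value can never become SQL syntax
    public String findUserSafe(String name) throws Exception {
        PreparedStatement ps = conn.prepareStatement(
            "SELECT email FROM users WHERE name = ?");
        ps.setString(1, name);
        ResultSet rs = ps.executeQuery();
        return rs.next() ? rs.getString(1) : null;
    }
}
```

Whether the reported flow starts at `request.getParameter` in the first file or only at the `name` parameter of `findUser` in the second is exactly the cross-file behaviour the post is asking about; the two classes are shown in one block for reading only and belong in separate files.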