I’m using the Community Edition of Sonarqube + Sonarscanner to make an opinion before switching to an Enterprise Edition.
I would like to audit some of my team’s applications but I am having difficulties and I would like to know if I am the one missing an option:
The application I want to audit is based on Maven and contains Java.
During the build phase, I realize that I don’t have access to several dependencies that the application uses and I don’t have the possibility to access them.
I know that I will miss a lot of elements without compiling my application, but is it possible with Sonarqube to do an analysis on the code without compiling it in order to have a first view on the security status of the application?
I believe you can cheat on this requirement by specifying sonar.java.binaries=[a valid directory]. I have seen people use sonar.java.binaries=. which can be expensive, since it will cause a recursive search for the .class files, but I think it works.
But if you tell anyone I told you this, I’ll deny it.
To be super-clear on this, you will not get a first view of the security status of the application because
without the .class files, there will be too little data about the application for analysis to give you this information
if you’re after security status then you should really be testing with at least Developer Edition ($) (and .class files)
Note that you can get a 2-week trial of Developer Edition or Enterprise Edition ($$) for free, so there’s no need to hobble your evaluation of Enterprise Edition by using Community Edition.
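An added shell example (not from this thread or from SonarSource) that writes the workaround above into a sonar-project.properties file, pointing sonar.java.binaries at a dedicated directory instead of ".", and then checks whether that directory actually holds any .class files, so you know up front whether the Java analysis will have bytecode; the project key, name and source path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the forum poster's code. Assumed placeholders:
# project key/name, src/main/java, and target/classes as the binaries dir.
set -eu

write_sonar_props() {
  # $1 = output properties file, $2 = directory for sonar.java.binaries
  cat > "$1" <<EOF
sonar.projectKey=example-java-app
sonar.projectName=Example Java App
sonar.sources=src/main/java
sonar.java.binaries=$2
EOF
}

count_class_files() {
  # Prints the number of .class files below the given directory (0 if none).
  find "$1" -type f -name '*.class' 2>/dev/null | wc -l | tr -d ' '
}

run_scan() {
  # $1 = binaries dir; an existing (even empty) directory satisfies the scanner,
  # but without bytecode the Java security rules have very little to work on.
  bindir="$1"
  mkdir -p "$bindir"
  write_sonar_props sonar-project.properties "$bindir"
  n=$(count_class_files "$bindir")
  if [ "$n" -eq 0 ]; then
    echo "WARNING: no .class files under $bindir; analysis will lack bytecode" >&2
    echo "and security findings will be incomplete." >&2
  else
    echo "Found $n .class files under $bindir"
  fi
  # Only invoke the scanner if it is installed on this machine.
  if command -v sonar-scanner >/dev/null 2>&1; then
    sonar-scanner
  fi
}
```

Call `run_scan target/classes` from the project root; the warning tells you whether the results should be read as a syntax-only pass rather than a security assessment.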