Hello, I read that there is taint analysis starting from the Developer Edition. For GitLab integration, if there are variables or functions referenced from another repo, can the taint analysis algorithm catch that too? Or does taint analysis require that these variables / functions be defined and used in the same repo? If inter-repo taint analysis is possible, I assume it's required that I import all these relevant repos into SonarQube, right?
SonarQube maintains a list of sources/sinks/sanitizers/validators/passthroughs for common frameworks, and this can be extended to include custom configuration beginning in Enterprise Edition. What repos you have imported will have no effect on one another.
Does this mean SonarQube's taint analysis works on third-party libraries and not code in my repo?
It works on both – but for example, if you’re defining a validator/sanitizer in your own code, or you’ve crafted your own library to execute database queries (the “sink”), you would need features in the Enterprise Edition to let SonarQube know about those functions.
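To make the source/sink/sanitizer/passthrough distinction concrete, here is a small added example (not SonarQube's engine or its configuration format): a toy intra-procedural taint tracker over Python's `ast`. The function names `get_param`, `normalize`, `my_escape` and `run_query`, the sample handler, and the three configurations are all constructed for illustration. Running it shows why a custom sanitizer and a custom query sink have to be declared: with a default-style configuration the home-grown sink is simply not recognised (a false negative), with the sink declared but the sanitizer not, the cleaned value is still reported (a false positive), and with both declared only the genuinely unsanitized flow remains.

```python
import ast
from dataclasses import dataclass, field

# Constructed program under analysis (hypothetical functions, not a real project).
SAMPLE = '''
def handler(request):
    name = get_param(request, "name")      # source: attacker-controlled input
    trimmed = normalize(name)              # passthrough: taint survives
    safe = my_escape(trimmed)              # custom sanitizer, unknown by default
    run_query("SELECT * FROM t WHERE n = '" + trimmed + "'")   # custom sink, tainted
    run_query("SELECT * FROM t WHERE n = '" + safe + "'")      # custom sink, sanitized
'''


@dataclass
class TaintConfig:
    """Function names the tracker knows about, in the roles SonarQube-style tools use."""
    sources: set
    sinks: set
    sanitizers: set = field(default_factory=set)
    passthroughs: set = field(default_factory=set)


def call_name(node):
    """Return the callee name of a Call node (bare name or attribute), else None."""
    if isinstance(node, ast.Call):
        if isinstance(node.func, ast.Name):
            return node.func.id
        if isinstance(node.func, ast.Attribute):
            return node.func.attr
    return None


def is_tainted(expr, tainted, cfg):
    """True if the expression may carry attacker-controlled data."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.BinOp):  # string concatenation propagates taint
        return is_tainted(expr.left, tainted, cfg) or is_tainted(expr.right, tainted, cfg)
    if isinstance(expr, ast.Call):
        name = call_name(expr)
        if name in cfg.sources:
            return True
        if name in cfg.sanitizers:
            return False
        # Passthroughs and unknown calls are treated conservatively: taint in, taint out.
        return any(is_tainted(a, tainted, cfg) for a in expr.args)
    return False  # constants and anything else are clean


def analyze(source, cfg):
    """Return (function, line, sink) triples where tainted data reaches a known sink."""
    findings = []
    for fn in ast.parse(source).body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in fn.body:  # straight-line code only: no branches or loops
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)):
                target = stmt.targets[0].id
                if is_tainted(stmt.value, tainted, cfg):
                    tainted.add(target)
                else:
                    tainted.discard(target)
            elif isinstance(stmt, ast.Expr) and call_name(stmt.value) in cfg.sinks:
                if any(is_tainted(a, tainted, cfg) for a in stmt.value.args):
                    findings.append((fn.name, stmt.lineno, call_name(stmt.value)))
    return findings


# Three constructed configurations: framework defaults, then two levels of customisation.
DEFAULT_CONFIG = TaintConfig(sources={"get_param"}, sinks={"execute"},
                             sanitizers={"html_escape"}, passthroughs={"normalize"})
SINK_ONLY_CONFIG = TaintConfig(sources={"get_param"}, sinks={"execute", "run_query"},
                               sanitizers={"html_escape"}, passthroughs={"normalize"})
FULL_CONFIG = TaintConfig(sources={"get_param"}, sinks={"execute", "run_query"},
                          sanitizers={"html_escape", "my_escape"}, passthroughs={"normalize"})

if __name__ == "__main__":
    for label, cfg in [("defaults", DEFAULT_CONFIG), ("custom sink", SINK_ONLY_CONFIG),
                       ("custom sink + sanitizer", FULL_CONFIG)]:
        print(label, "->", analyze(SAMPLE, cfg))
```

The unknown-call rule is a design choice: treating unregistered functions as passthroughs keeps custom helpers from silently laundering taint, at the cost of noise until the real sanitizers are declared, which is exactly the trade-off the custom configuration resolves.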
Are these features activated by default in the Enterprise Edition? It would be nice if I didn't need to do anything.
It requires additional configuration – it’s a nice idea to be able to do something like automatically detect user-defined validators, and it’s something we might implement in the future, but today configuration is required.
Awesome thanks @Colin !