Third party / first party code analysis

Hi, does SonarQube analyze third-party library imports? And does SonarQube track variables and function calls across files and folders?

Hi,

SonarQube analyzes source code. So typically the libraries you use won’t be included in analysis except perhaps as references to understand what their interfaces are.

As part of taint analysis, available in commercial editions ($), SonarQube does track values across files. Additionally, 9.4 added some Java bug-detection rules that do something similar. Generally, this is not the case though.

HTH,
Ann