Why does SonarQube recommend excluding JavaScript libraries from the analysis?

Task : SonarQube Scanner for MSBuild - Begin Analysis (MSIT)
Description : Prepare the SonarQube analysis of your solution [Scanner Version:4.3.1.1372]
Version : 2.2.17
Author : sonarsource
Help : Version: 2.2.17.

I’m trying to resolve all the major and critical bugs and vulnerabilities in my code.
As most of the issues are in third-party JavaScript libraries, it was suggested to exclude them.

Can I know the reason behind this, as they can also be security vulnerable?

As they are in third-party code, you’re not directly responsible for them. The main goal of SonarQube is to help you (and your team) write better and safer code, not to correct issues in someone else’s code. And unless a third-party library is also using a tool like SonarQube for finding bugs and vulnerabilities, you’re almost certain to find something in there, all the time.

Patching third-party code in your projects can lead to conflicts when updating to a newer version, which in turn can lead a team to ignore updates, which can lead to even bigger problems in the long run. Better to focus on your own code as much as possible.

Of course, if company policy requires you to use secure dependencies (as you should), you could use a tool for checking your dependencies for known vulnerabilities (like Snyk).

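To make the second half of that answer concrete, here is an added example (not code from this thread, nor from SonarSource or Snyk) of what a dependency check does that a SAST scan of the vendored files cannot: it matches the exact versions recorded in an npm lock file against advisory version ranges. The package names, versions, advisory identifiers and ranges are all constructed for the demo, and the semver handling is a deliberately reduced one (no pre-release ordering, only `<`, `<=`, `>`, `>=`, `=` comparators joined by spaces and `||`).

```javascript
'use strict';
// Added example, not code from the SonarSource thread or from any vendor: a minimal
// software-composition check that matches locked npm versions against advisories.
// All data below is constructed for the demo; a real checker loads advisories from a
// vulnerability database and reads the project's real package-lock.json.

// Parse "1.2.3" into [1, 2, 3]. Pre-release suffixes are dropped, which is a
// simplification: real semver orders "1.2.3-beta" before "1.2.3".
function parseVersion(v) {
  const parts = v.split('-')[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return parts;
}

// Numeric comparison of major.minor.patch; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// A range is a space-separated list of comparators that must all hold,
// e.g. ">=1.0.0 <1.4.2"; alternative ranges are joined with "||".
function satisfies(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(cmp => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>':  return c > 0;
        case '<':  return c < 0;
        default:   return c === 0;
      }
    })
  );
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and report every
// locked package (including nested, transitive installs) whose version falls inside an
// advisory's vulnerable range.
function findVulnerableDependencies(lockfile, advisories) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // the root project itself, not a dependency
    // "node_modules/a/node_modules/b" -> "b"; scoped names keep their "@scope/" prefix
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    for (const adv of advisories) {
      if (adv.package === name && satisfies(entry.version, adv.vulnerable)) {
        findings.push({ name, version: entry.version, advisory: adv.id, fixed: adv.fixed });
      }
    }
  }
  return findings;
}

// Constructed sample lock file: hypothetical packages, one of them installed twice
// (a top-level copy at a fixed version and an older nested copy under example-ui).
const SAMPLE_LOCKFILE = {
  name: 'my-app', lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/example-ui': { version: '2.3.1' },
    'node_modules/example-ui/node_modules/example-util': { version: '1.1.0' },
    'node_modules/example-util': { version: '1.4.2' },
    'node_modules/example-logger': { version: '0.9.5' },
  },
};

// Constructed advisories with hypothetical identifiers (not real CVEs).
const SAMPLE_ADVISORIES = [
  { id: 'DEMO-0001', package: 'example-util', vulnerable: '<1.4.2', fixed: '1.4.2' },
  { id: 'DEMO-0002', package: 'example-ui', vulnerable: '>=2.0.0 <2.4.0 || >=3.0.0 <3.0.2', fixed: '2.4.0' },
];

const findings = findVulnerableDependencies(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES);
for (const f of findings) {
  console.log(`${f.name}@${f.version}: ${f.advisory} (fixed in ${f.fixed})`);
}
// prints:
// example-ui@2.3.1: DEMO-0002 (fixed in 2.4.0)
// example-util@1.1.0: DEMO-0001 (fixed in 1.4.2)
```

The nested `example-util@1.1.0` is the case worth noticing: the top-level copy is already at the fixed version, so a quick look at `package.json` would miss it, and the SonarQube rules that fire on the library's source say nothing about whether that version carries a known vulnerability. The two checks answer different questions, which is why the answer above pairs exclusion with a dependency scanner. On the MSBuild scanner side the exclusion itself is just the standard `sonar.exclusions` analysis parameter passed to the begin step (for example `/d:sonar.exclusions="**/wwwroot/lib/**"`, with the path being an assumption about where this project keeps its vendored scripts).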