Closed napramirez closed 10 years ago
My setup involves numerous on-site and off-site development teams. For on-site projects, acquiring the source code is no issue. But when it comes to off-site projects, where there is a security concern governing intellectual property, I can only go as far as having the results of a Fortify scan.
Yes, I'm aware that a lot of features will not work, but I still need the numbers. Numbers of defects, severity of defects, what files are affected, etc. These kinds of information is most important in driving into a high-level decision that may or may not impact the life of the project. And clearly, this doesn't need the sources.
It may not be a good practice in SonarQube's current direction, but it's the best the API can offer. A lot of other development models (e.g. repository-based) are expressing this concern of SonarQube's dependency on the sources, so I can bet on the future that all this may change.
@napramirez The first goal of SonarQube is to be a tool used to handle quality of source code - which is why source code is central in SonarQube. Even though I can understand your case, we don't want to go in this direction.
What is the use case for such practice? If SonarQube has no access to sources, a lot of features will not work.
The Javadoc clearly specify that the method org.sonar.api.resources.File.create(String, String, Language, boolean) is for Internal use only, thus, creating a Resource like that is not a good practice. Will it still work in the future?