Fortify issue population without source codes

[BuBuaBu]

What is the use case for such practice? If SonarQube has no access to sources, a lot of features will not work.

The Javadoc clearly specify that the method org.sonar.api.resources.File.create(String, String, Language, boolean) is for Internal use only, thus, creating a Resource like that is not a good practice. Will it still work in the future?

[napramirez]

My setup involves numerous on-site and off-site development teams. For on-site projects, acquiring the source code is no issue. But when it comes to off-site projects, where there is a security concern governing intellectual property, I can only go as far as having the results of a Fortify scan.

Yes, I'm aware that a lot of features will not work, but I still need the numbers. Numbers of defects, severity of defects, what files are affected, etc. These kinds of information is most important in driving into a high-level decision that may or may not impact the life of the project. And clearly, this doesn't need the sources.

It may not be a good practice in SonarQube's current direction, but it's the best the API can offer. A lot of other development models (e.g. repository-based) are expressing this concern of SonarQube's dependency on the sources, so I can bet on the future that all this may change.

[bellingard]

@napramirez The first goal of SonarQube is to be a tool used to handle quality of source code - which is why source code is central in SonarQube. Even though I can understand your case, we don't want to go in this direction.