Vulnerability scanning mpa aka deployment package with SonarQube

Looking to achieve static application security testing (SAST) on an .mpa file or the generated Mendix code. The current tool I have is SonarQube. I’ve been able to run the scan, but it says no code found. Anyone able to resolve this?

1 answer

Hi Peter,

Interesting and important topic: security!

Although the visual Mendix models are precompiled to some Java code, we can't access this resulting Java code for obvious (licensing) reasons. The mpa-file is further compiled and doesn't contain source code anymore, while I expect SonarQube wants to scan exactly this high code (Java / C / ...).

I'm not familiar with SonarQube; you could ask them if and how they support Low Code platforms.

Hopefully this helps a bit!

Kind regards,

Johan Flikweert
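
A quick way to confirm why the scanner reports "no code found" is to inventory the package before pointing SonarQube at it. The following is an added example, not part of the answer above and not Mendix or SonarQube code; it assumes the deployment package is a ZIP container (the thread does not state the format), and the extension sets and sample entry names are constructed for illustration.

```python
import io
import zipfile
from collections import Counter
from pathlib import PurePosixPath

# Assumption: extensions a source-level scanner can analyze vs. compiled output.
SOURCE_EXT = {".java", ".js", ".ts", ".c", ".cpp", ".cs", ".py"}
COMPILED_EXT = {".class", ".jar", ".dll", ".so"}

def classify(name):
    """Map an archive entry name to 'source', 'compiled' or 'other'."""
    ext = PurePosixPath(name).suffix.lower()
    if ext in SOURCE_EXT:
        return "source"
    if ext in COMPILED_EXT:
        return "compiled"
    return "other"

def inventory(package):
    """Count entries per category; package is a path or a file-like object."""
    if not zipfile.is_zipfile(package):
        raise ValueError("not a ZIP archive; cannot inventory this package")
    counts = Counter()
    with zipfile.ZipFile(package) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                counts[classify(info.filename)] += 1
    return counts

def scannable(package):
    """True only if the package holds at least one source file."""
    return inventory(package)["source"] > 0

def build_sample(names):
    """Build an in-memory archive with constructed entries (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed entry names, not the real layout of a Mendix package.
    pkg = build_sample(["lib/app.jar", "classes/Main.class", "conf/settings.json"])
    print(dict(inventory(pkg)), "scannable:", scannable(pkg))
```

If the source count is zero, a source-level scan has nothing to analyze, which matches the "no code found" result described in the question.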