vulnerability scanning mpa aka deployment package with SonarQube

Looking to achieve static application security testing (SAST) on the .mpa file or the generated Mendix code. The current tool I have is SonarQube. I've been able to run the scan, but it says no code found. Anyone able to resolve this?
asked
1 answer

Hi Peter,

Interesting and important topic: security!

Although the visual Mendix models are precompiled to some Java code, we can't access this resulting Java code for obvious (licensing) reasons. The .mpa file is compiled further and no longer contains source code, while I expect SonarQube wants to scan exactly this high code (Java / C / ...).


I'm not familiar with SonarQube; you could ask them if and how they support low-code platforms.

Hopefully this helps a bit!

Kind regards,

Johan Flikweert

answered