We are exploring how to effectively do static code analysis on Unity projects (made for mobile apps).
As per our research, there are a few options:
However, the problem is that these options only scan at the C# level. For our project, we will need to compile into Xcode and Android projects.
So my questions are:
- Is it considered secure if we only scan at the C# level?
- Does Unity3D have any warranty on the compiled projects so that we do not need to scan at that level?
- Or can we exclude the Unity3D source code (in the mobile app's projects)?
The reason for this question is that at the lower level the number of lines of code could be 10M or even more, while at the C# level it is usually <1M.
And services like SonarQube or SonarCloud charge by the number of lines of code.
- Lastly, do you know if Microsoft has a commercial product for its analyzer? Just in case, we could consider that as another commercial option.