The functionality that SonarSource provides in SonarQube is now bundled, so any plugins you use come from third parties unless SonarSource wrote them. While most plugin maintainers are good folks providing valuable services, using plugins carries risks, including potential security vulnerabilities and instability. Marketplace plugins undergo basic testing for functionality, acceptable behavior, and user experience, but that testing does not cover their source code or binaries. In commercial editions, non-SonarSource plugins must be downloaded and installed manually, because SonarSource cannot endorse or support them. Non-Marketplace plugins are riskier, especially those with unusual installation steps, which can increase the risk to delivery pipelines. It's recommended to run an audit and confirm that each plugin is still needed.
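One way to run that audit, as an added example that is not SonarSource's code or part of the original page: compare the installed-plugin inventory against a team allowlist. The inventory below is a constructed sample shaped like the output of SonarQube's `api/plugins/installed` web API (field names are assumed from that API), and the `APPROVED` allowlist and `audit_plugins` function are hypothetical.

```python
import json

# Constructed sample shaped like the JSON returned by SonarQube's
# GET api/plugins/installed; field names are assumed from that API.
SAMPLE_INVENTORY = json.loads("""
{"plugins": [
  {"key": "java", "name": "Java Code Quality and Security", "version": "7.16",
   "organizationName": "SonarSource", "filename": "sonar-java-plugin-7.16.jar"},
  {"key": "examplelint", "name": "Example Lint", "version": "2.1.0",
   "organizationName": "Example Org", "filename": "example-lint-2.1.0.jar"},
  {"key": "legacyreport", "name": "Legacy Report", "version": "0.9",
   "organizationName": "Unknown", "filename": "legacy-report-0.9.jar"},
  {"key": "branding", "name": "Branding", "version": "1.4",
   "organizationName": "Example Org", "filename": "branding-1.4.jar"}
]}
""")

# Hypothetical allowlist kept by the team: plugin key -> approved version and owner.
APPROVED = {
    "examplelint": {"version": "2.1.0", "owner": "appsec"},
    "branding": {"version": "1.3", "owner": "platform"},
    "oldmetrics": {"version": "3.0", "owner": "platform"},
}

def audit_plugins(inventory, approved, vendor="SonarSource"):
    """Classify every non-vendor plugin against the allowlist."""
    findings, installed = {}, set()
    for plugin in inventory.get("plugins", []):
        key = plugin["key"]
        installed.add(key)
        # organizationName is self-declared plugin metadata: use it to
        # narrow the review, not as proof of origin.
        if plugin.get("organizationName") == vendor:
            continue
        entry = approved.get(key)
        if entry is None:
            findings[key] = "unapproved"
        elif entry["version"] != plugin.get("version"):
            findings[key] = "version-drift"
        else:
            findings[key] = "approved"
    # Allowlist entries with no installed plugin are stale and can be retired.
    for key in approved.keys() - installed:
        findings[key] = "stale-allowlist-entry"
    return findings

if __name__ == "__main__":
    for key, status in sorted(audit_plugins(SAMPLE_INVENTORY, APPROVED).items()):
        print(f"{key}: {status}")
```

Anything reported as `unapproved` or `version-drift` needs an owner to confirm it is still required before it stays on the server.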