Advanced Security capabilities

Hello all community members,

I’m trying to check all the capabilities of the SCA part of the Advanced Security module. We are currently benchmarking the JFrog Xray product and it seems very good. Since we are already using the SonarQube Enterprise product to check source code quality, the Advanced Security module seems interesting. I’ve two main concerns about this module. It seems that the package file is sent to SonarCloud even for the on-premise version of SonarQube Server. Is that already the case? The second point is about the management of a product for which several versions are in production and we need to follow the vulnerabilities on each of them during their lifecycle. What are the capabilities of the module for this kind of product? And what are the capabilities of the tools for the management of the vulnerability lifecycle?

Best regards,

Hi,

Welcome to the community!

Yes. Per the docs, we’re always updating our central dataset, and your manifest is sent to check it against the latest licenses and vulnerabilities. If we didn’t do that then you would be checking your code against whatever we knew when your installed version of SonarQube Server was released. If you updated to each new release promptly, that would mean only as much as a 2-month lag on vulnerabilities between upgrades. (But let’s be serious. How many enterprises upgrade on release day?)

If I understand correctly, you’re asking about whether SCA is available for each of your branches under analysis in SonarQube? If so, the answer is “yes.” Configuration options are detailed in the docs.

HTH,
Ann