Sonar is excited to announce SonarQube Advanced Security, extending SonarQube’s analysis capabilities beyond first-party and AI-generated code to include third-party open source code. With this, we’re delivering the first fully integrated solution for finding and fixing code quality and code security issues in the development phase of the SDLC.
The first step in integrating Sonar’s recent acquisition of Tidelift, SonarQube Advanced Security strengthens a robust set of existing security capabilities with Software Composition Analysis (SCA) and advanced Static Application Security Testing (SAST).
SonarQube Advanced Security General Availability (GA) is planned for May 2025, and will be available as a new license on top of SonarQube version 2025.3 Enterprise Edition. For SonarQube Cloud Enterprise, it is expected to be available shortly after that. Stay tuned for more information!
Will license compliance functionality be able to highlight where a project uses mutually incompatible licenses? E.g., where “X on its own” is fine and “Y on its own” is also fine… but X and Y have terms that contradict each other and so they cause problems when appearing in the same project?
Which SBOM format(s) will be supported?
Will they include evidence such as callstack information?
Will they support concluded as well as declared licenses?
Edit: this was supposed to be a reply to the original post (i.e., @manish.k)
License functionality is starting with “are these licenses allowed or denied by your policy”. Interactions between licenses are a complex topic.
SBOM formats will be CycloneDX and SPDX, in JSON and XML form. Where Sonar researchers have researched a more accurate license than what may have been posted on the upstream package manager, we will have different declared and concluded licenses.
We are not doing call stacks in SBOMs at this time.
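As an added illustration of the two points in the reply above (a policy that classifies each component's license as allowed or denied, and SBOMs carrying both declared and concluded licenses), here is a small checker that is not Sonar's code and not part of this thread. It reads a CycloneDX JSON SBOM (using the `acknowledgement` field that CycloneDX 1.6 added to license objects, with values `declared` and `concluded`) or an SPDX JSON SBOM (`licenseDeclared` / `licenseConcluded` on each package), lets a concluded license override a declared one, and grades the result against an allow/deny list. The sample SBOMs, the component names and the policy lists are constructed for the example; the checker treats license expressions such as `MIT OR GPL-2.0-only` as opaque strings and flags them for review rather than parsing them, so the "are these licenses allowed or denied" question is answered only for plain SPDX identifiers.

```python
"""Grade SBOM component licenses against a simple allow/deny policy.

Supports CycloneDX JSON (components[].licenses[].license with optional
'acknowledgement' = 'declared' | 'concluded') and SPDX JSON
(packages[].licenseDeclared / licenseConcluded). When a concluded license
is present it takes precedence over the declared one.
"""
import json

# Constructed policy: SPDX identifiers explicitly allowed or denied.
ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause"}
DENIED = {"GPL-3.0-only", "AGPL-3.0-only"}

NOASSERTION = {None, "", "NOASSERTION", "NONE"}


def cyclonedx_licenses(sbom):
    """Yield (name, declared_set, concluded_set) for each CycloneDX component."""
    for comp in sbom.get("components", []):
        declared, concluded = set(), set()
        for entry in comp.get("licenses", []):
            lic = entry.get("license")
            if lic is None:
                # 'expression' form: kept as an opaque string, not parsed.
                expr = entry.get("expression")
                if expr:
                    declared.add(expr)
                continue
            ident = lic.get("id") or lic.get("name")
            if not ident:
                continue
            if lic.get("acknowledgement") == "concluded":
                concluded.add(ident)
            else:  # 'declared' or field absent (pre-1.6 SBOMs)
                declared.add(ident)
        yield comp.get("name"), declared, concluded


def spdx_licenses(sbom):
    """Yield (name, declared_set, concluded_set) for each SPDX package."""
    for pkg in sbom.get("packages", []):
        dec = pkg.get("licenseDeclared")
        con = pkg.get("licenseConcluded")
        declared = set() if dec in NOASSERTION else {dec}
        concluded = set() if con in NOASSERTION else {con}
        yield pkg.get("name"), declared, concluded


def grade(effective):
    """Map a set of license strings to allowed / denied / review / unknown."""
    if not effective:
        return "unknown"          # no license information at all
    if effective & DENIED:
        return "denied"           # any denied license fails the component
    if effective <= ALLOWED:
        return "allowed"          # every license is on the allow list
    return "review"               # unrecognised id, custom name or expression


def evaluate(sbom):
    """Return {component_name: (sorted effective licenses, verdict)}."""
    extractor = spdx_licenses if "spdxVersion" in sbom else cyclonedx_licenses
    results = {}
    for name, declared, concluded in extractor(sbom):
        effective = concluded or declared   # concluded overrides declared
        results[name] = (sorted(effective), grade(effective))
    return results


def evaluate_json(text):
    return evaluate(json.loads(text))


# Constructed CycloneDX 1.6 sample: four components covering each verdict.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"name": "example-lib-a", "licenses": [
            {"license": {"id": "MIT", "acknowledgement": "declared"}}]},
        {"name": "example-lib-b", "licenses": [
            {"license": {"id": "MIT", "acknowledgement": "declared"}},
            {"license": {"id": "GPL-3.0-only", "acknowledgement": "concluded"}}]},
        {"name": "example-lib-c", "licenses": [
            {"expression": "MIT OR GPL-2.0-only"}]},
        {"name": "example-lib-d"},
    ],
})

# Constructed SPDX 2.3 sample: declared NOASSERTION, concluded Apache-2.0.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [{"name": "example-pkg-e",
                  "licenseDeclared": "NOASSERTION",
                  "licenseConcluded": "Apache-2.0"}],
})

if __name__ == "__main__":
    for sample in (CYCLONEDX_SAMPLE, SPDX_SAMPLE):
        for name, (lics, verdict) in evaluate_json(sample).items():
            print(f"{name:16} {verdict:8} {lics}")
```

`example-lib-b` shows why concluded licenses matter for policy: its declared MIT would pass, but the concluded GPL-3.0-only is what the checker grades, so it is denied. The license-interaction question raised earlier in the thread (two individually acceptable licenses whose terms conflict) is deliberately out of scope here, matching the reply that the feature starts with per-license allow/deny.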