(Beta) C/C++ analysis for Conan and vcpkg for SonarQube Advanced Security

(This was originally posted under SonarQube Cloud; posting here as it’s now available for both Cloud and Server)

Hello folks!

We introduced SonarQube Advanced Security to extend the core SonarQube values of quality and security to include the use of third-party dependencies, so developers can focus on building better, faster. Today we’re happy to announce extending that value to more of our customers’ projects.

We are announcing **beta** support for C and C++ projects built using the Conan and vcpkg package managers.

What’s included

This includes detection of publicly posted vulnerabilities and analysis of license risks in the dependencies of projects built using either Conan or vcpkg.

How to use it

During our beta period, you must enable this at the analysis level, by passing the `sonar.sca.cfamily=true` argument to the scanner. This can be done either on the scanner command line, or via the `sonar-project.properties` file. This restriction will be removed once this feature is GA.

This will cause the analysis to look for `conanfile.py`/`conan.lock` (Conan) or `vcpkg.json` (vcpkg) to determine your dependencies.

For how to set parameters, see the analysis configuration documentation for more details.
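As an added example (not part of the announcement or of SonarQube's own tooling), a small POSIX shell pre-check for a CI pipeline: it confirms that a project directory actually contains one of the manifests the beta analysis looks for before the flag is set, so `sonar.sca.cfamily=true` is not silently enabled on a project with nothing to scan. It assumes the scanner's usual `-Dkey=value` form for passing analysis parameters.

```shell
#!/bin/sh
# Added example: guard the beta C/C++ SCA flag behind a manifest check.
# The analysis looks for conanfile.py / conan.lock (Conan) or vcpkg.json
# (vcpkg); enabling the flag without one of these yields no dependency data.

# Print the package manager(s) whose manifests exist under the given directory
# ("conan", "vcpkg", "conan vcpkg", or an empty line if none are present).
detect_cfamily_sca_manifests() {
  dir="${1:-.}"
  found=""
  if [ -f "$dir/conanfile.py" ] || [ -f "$dir/conan.lock" ]; then
    found="conan"
  fi
  if [ -f "$dir/vcpkg.json" ]; then
    found="${found:+$found }vcpkg"
  fi
  printf '%s\n' "$found"
}

# Emit the scanner argument that enables the beta, or nothing if no manifest
# was found. A caller can append "$(cfamily_sca_scanner_arg .)" to its
# sonar-scanner invocation (assumed -D form) and fail the job on empty output.
cfamily_sca_scanner_arg() {
  if [ -n "$(detect_cfamily_sca_manifests "$1")" ]; then
    printf '%s\n' "-Dsonar.sca.cfamily=true"
  fi
}
```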

This is a beta

We are collecting feedback from our customers on their experience with this feature. Share your thoughts in the comments, or reach out for a meeting.

This is available now in SonarQube Advanced Security for both SonarQube Cloud and the SonarQube Server 2025.6 release.
