(Beta) Imported SBOM analysis for SonarQube Advanced Security

Hi folks!

We introduced SonarQube Advanced Security to extend the core SonarQube values of quality and security to cover the use of third-party dependencies, so developers can focus on building better, faster. Today we're happy to extend that value to more of our customers' projects by allowing analysis of a Software Bill of Materials (SBOM), so that dependency risk can be assessed from an SBOM you already produce rather than only from the build the scanner sees.

What’s included

Analysis of a Software Bill of Materials (SBOM) provided in CycloneDX or SPDX format.

How to use it

Analysis is done by passing the sonar.sca.sbomImportPaths parameter to the Sonar scanner, either as a scanner argument at scan time (for example -Dsonar.sca.sbomImportPaths=bom.json on the sonar-scanner command line) or as a property in sonar-project.properties.

sonar.sca.sbomImportPaths is a comma-separated list of SBOM files to import and analyze.

Note that the files must use specific filenames or extensions depending on their format (CycloneDX vs. SPDX); an SBOM with an unrecognised name will not be picked up. See the analysis documentation for the list of supported filenames and file extensions.
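Before handing an SBOM list to the scanner it is worth checking, in CI, that every path in sonar.sca.sbomImportPaths actually exists and really is a CycloneDX or SPDX document, since a missing or malformed file means the dependencies it describes are silently absent from the analysis. The script below is an added example, not Sonar's code: it splits the comma-separated property value the same way the scanner does, sniffs each JSON file's format from its content (CycloneDX has a top-level bomFormat of "CycloneDX", SPDX JSON has a spdxVersion key) and collects the package URLs the SCA engine would be working from. The sample SBOMs and the filenames bom.cdx.json / bom.spdx.json are constructed for this example; check the Sonar analysis documentation for the names the scanner actually accepts. Only the JSON serialisations are handled here; CycloneDX XML and SPDX tag-value files are reported as unknown.

```python
"""Pre-scan check for sonar.sca.sbomImportPaths (added example, not Sonar's own code)."""
import json
import os
import tempfile
from dataclasses import dataclass

# Constructed minimal CycloneDX 1.5 JSON SBOM (example data, not from the page).
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
    ],
}

# Constructed minimal SPDX 2.3 JSON SBOM (example data, not from the page).
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "packages": [
        {"name": "log4j-core", "versionInfo": "2.17.1", "SPDXID": "SPDXRef-Package-log4j",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]},
    ],
}


@dataclass
class SbomInfo:
    path: str
    fmt: str      # "cyclonedx", "spdx" or "unknown"
    purls: list   # package URLs the SCA engine would see


def split_import_paths(value: str) -> list:
    """Split the comma-separated property value, trimming whitespace and dropping blanks."""
    return [p.strip() for p in value.split(",") if p.strip()]


def inspect_sbom(path: str) -> SbomInfo:
    """Detect the SBOM format from the document content and collect its purls."""
    with open(path, "r", encoding="utf-8") as fh:
        doc = json.load(fh)
    if doc.get("bomFormat") == "CycloneDX":
        purls = [c["purl"] for c in doc.get("components", []) if "purl" in c]
        return SbomInfo(path, "cyclonedx", purls)
    if "spdxVersion" in doc:
        purls = [ref["referenceLocator"]
                 for pkg in doc.get("packages", [])
                 for ref in pkg.get("externalRefs", [])
                 if ref.get("referenceType") == "purl"]
        return SbomInfo(path, "spdx", purls)
    return SbomInfo(path, "unknown", [])


def check_import_paths(value: str) -> dict:
    """Validate every path in sonar.sca.sbomImportPaths; return per-file info plus problems."""
    result = {"files": [], "errors": []}
    for path in split_import_paths(value):
        if not os.path.isfile(path):
            result["errors"].append(f"{path}: file not found")
            continue
        try:
            info = inspect_sbom(path)
        except (json.JSONDecodeError, UnicodeDecodeError) as exc:
            result["errors"].append(f"{path}: not valid JSON ({exc})")
            continue
        if info.fmt == "unknown":
            result["errors"].append(f"{path}: neither CycloneDX nor SPDX JSON")
        result["files"].append(info)
    return result


def write_samples(directory: str) -> str:
    """Write the constructed SBOMs plus a non-SBOM file; return a property value listing them
    together with one path that does not exist, so all failure modes are exercised."""
    cdx = os.path.join(directory, "bom.cdx.json")    # filename is an assumption for this example
    spdx = os.path.join(directory, "bom.spdx.json")  # filename is an assumption for this example
    other = os.path.join(directory, "package.json")  # valid JSON but not an SBOM
    with open(cdx, "w") as fh:
        json.dump(CYCLONEDX_SAMPLE, fh)
    with open(spdx, "w") as fh:
        json.dump(SPDX_SAMPLE, fh)
    with open(other, "w") as fh:
        json.dump({"name": "example-app"}, fh)
    return f"{cdx}, {spdx}, {other}, {os.path.join(directory, 'missing.json')}"


def run_demo() -> dict:
    """Run the check against the constructed samples in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_import_paths(write_samples(tmp))


if __name__ == "__main__":
    report = run_demo()
    for f in report["files"]:
        print(f"{f.path}: {f.fmt}, {len(f.purls)} purls")
    for e in report["errors"]:
        print("ERROR:", e)
```

In a pipeline you would run this against the real property value (read from sonar-project.properties or the same -D argument you pass to sonar-scanner) and fail the job on any error, so that a renamed or truncated SBOM is caught before the scan reports a falsely clean dependency picture.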

Caveats

There is limited support for license risks for packages discovered via an imported SBOM.

This is a beta

This beta is available now for SonarQube Advanced Security, for both SonarQube Cloud and SonarQube Server 2025.6.

We are collecting feedback from our customers on their experience with this feature. Share your thoughts in the comments, or reach out for a meeting.
