Clarification on Java Automatic Scan limitation


I have a few things I would like clarified on the documentation of Sonarcloud Automatic Analysis


  • Security vulnerability rules are not yet supported with the following exceptions:
    • Maven - cross-site scripting is not yet supported but is available using ci-based analysis.

This sentence reads like no security rule is supported for Java with Maven, and the exception is described as not available either. What is actually supported and what is not?

The other feature not yet supported is coverage in Sonarcloud with automatic analysis. I found this insight and voted for it. I understand an ETA won’t be communicated, but is this feature likely? This would make the analysis almost on par. Is there an insight, or a roadmap to support the security vulnerabilities / XSS for the automatic analysis?

Thanks for the clarifications,

I’d like to add that after an automatic analysis of one of our biggest projects, Sonarcloud did find security violations, including an XSS one.


With automatic analysis of Java, you get a “pretty good” analysis result. To get a really good one (including all the most interesting rules) you’ll need to switch to a CI-based analysis that’s run after you compile.