CVE-2018-8292 alert in Github but not from SonarQube Scan

Hi ,

We have application source code in Github and CI pipeline integrated with SonarQube running via Azure Pipeline.

Now with Github native security feature we are seeing alert


However the same through Sonar Scanner is not coming as Security hotspot or vulnerability. Could you please explain why there is a mismatch I am experiencing.

Hi Prasenjit and welcome to the community!

GitHub is warning you about a vulnerability in a dependency, so-called Software Composition Analysis (SCA). At this time we are focussing on Static Application Security Testing (SAST) though and do not provide SCA.

Welcome :slight_smile:

if using Sonarqube on prem, you may try the community plugin (not supported by Sonarsource)


1 Like

Hi Hendrik ,

That makes sense now to me . Thanks for the help.

1 Like

Hey Gilbert ,

Yes , we have SonarQube on prem . I will check that . Thanks .

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.