Does SonarCloud detect OWASP vulnerabilities in transitive dependencies in a Java project?
ganncamp
(G Ann Campbell)
December 11, 2023, 2:42pm
Hi,
We do static analysis of your source code. What you’re looking for is Software Composition Analysis (SCA).
HTH,
Ann
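As an added example (not Sonar's code, and not part of the original thread), the kind of SCA check Ann points to can be wired into a Maven build with the OWASP Dependency-Check plugin, which analyses the project's resolved dependency tree, transitive artifacts included, and fails the build when a dependency matches a known CVE above a chosen CVSS score. The plugin version is a placeholder; the environment variable name is an assumption.

```xml
<!-- pom.xml excerpt: added example, not from the original post. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>X.Y.Z</version> <!-- placeholder: pin the current release -->
      <configuration>
        <!-- Fail the build when any resolved dependency, direct or transitive,
             matches a known CVE with a CVSS score of 7.0 or higher. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Recent releases need an NVD API key to download vulnerability
             data; read it from the environment rather than committing it
             (NVD_API_KEY is an assumed variable name). -->
        <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Run `mvn verify` (or `mvn org.owasp:dependency-check-maven:check`) to produce the report; `mvn dependency:tree` then shows which direct dependency pulled in a flagged transitive artifact.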
system
(system)
Closed
December 18, 2023, 2:43pm
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.
Colin
(Colin)
March 18, 2025, 2:27pm
Hello from the future!
We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.
Please see this announcement for more details.
Sonar is excited to announce SonarQube Advanced Security, extending SonarQube’s analysis capabilities beyond first-party and AI-generated code to include third-party open source code. With this, we’re delivering the first fully integrated solution for finding and fixing code quality and code security issues in the development phase of the SDLC.
The first step in integrating Sonar’s recent acquisition of Tidelift, SonarQube Advanced Security strengthens a robust set of existing security capabili…