Does SonarQube audit NPM packages for vulnerabilities?

anon35261157 · August 17, 2023, 12:13pm

Must-share information (formatted with Markdown):

which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
SonarQube 9.9 LTS
how is SonarQube deployed: zip, Docker, Helm
App Service

Does SonarQube scan for the NPM package vulnerabilities or analysis of used dependencies? Could not find any relevant information. Maybe someone could assist on this? Thanks.

Colin · August 18, 2023, 9:52am

Hey there.

SonarQube does not flag specific dependencies like a typical SCA tool would.

system · August 25, 2023, 9:52am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Colin · March 18, 2025, 2:38pm

Hello from the future!

We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.

Please see this announcement for more details.

Topic		Replies	Views
SonarQube opensource vulnerability detection SonarQube Server / Community Build	4	10331	March 18, 2025
Does SonarQube's Deeper SAST includes SCA? SonarQube Server / Community Build	4	747	March 18, 2025
Known vulnerable files scanning? SonarQube Cloud	5	1051	March 18, 2025
Support for scanning OSS SonarQube Server / Community Build sonarqube , scanner	4	141	March 18, 2025
Is there dependency check in sonarcloud? SonarQube Cloud sonarqube-cloud	3	256	March 18, 2025

Does SonarQube audit NPM packages for vulnerabilities?

Related topics