Does SonarQube's Deeper SAST include SCA?

We still don’t do SCA. That is, we’re not going to flag the libraries of open source projects for you. Instead, what we have done is analyze those libraries so that when you use them, our SAST analysis is more accurate.


Is there a feature request for SCA yet, or is it already planned for a future roadmap? SCA or SBOM analysis is a must these days.

If you don’t use specialized tools like Sonatype NexusIQ, you might try this community plugin

and there’s another community plugin for the license check

