Does SonarQube's Deeper SAST includes SCA?

contrasec · August 10, 2023, 10:22pm

Does SonarQube’s Deeper SAST includes SCA?

ganncamp · August 11, 2023, 4:47pm

Hi,

We still don’t do SCA. That is, we’re not going to flag the libraries of open source projects for you. Instead, what we have done is analyze those libraries so that when you use them, our SAST analysis is more accurate.

HTH,
Ann

dbrin · September 14, 2023, 11:51pm

Is there are a feature request for SCA yet or is it being planned for a future roadmap already? SCA or SBOM analysis is a must these days.

anon67236913 · September 15, 2023, 6:47am

If you don’t use specialized tools like Sonatype NexusIQ, you might try this community plugin

and there’s another community plugin for the license check

Colin · March 18, 2025, 2:25pm

Hello from the future!

We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.

Please see this announcement for more details.

Topic		Replies	Views
Is there dependency check in sonarcloud? SonarQube Cloud sonarqube-cloud	3	280	March 18, 2025
Software compositin analysis in SonarCloud/SonarQube SonarQube Cloud sast	2	1513	March 18, 2025
SonarQube opensource vulnerability detection SonarQube Server / Community Build	4	10426	March 18, 2025
Does SonarCloud support SCA? SonarQube Cloud	3	1499	March 18, 2025
Can SonarQube scan GNU licensed libs etc? SonarQube Server / Community Build sonarqube	2	201	March 18, 2025

Does SonarQube's Deeper SAST includes SCA?

Related topics