How does SonarQube handle zero days?

Hello guys,

I was wondering how the Enterprise level of SonarQube handles zero days?

Hey there.

Can you clarify what you’re referring to? Vulnerabilities in SonarQube (the application) itself? The issues that can be detected by SonarQube?

My apologies, I was referring to the issues that can be detected by SonarQube. For example, if there is a new 0-day vulnerability found, does SonarQube inform Enterprise users that a new vulnerability is found? Or will it only be detected when a scan is run?

A zero-day vulnerability typically refers to a vulnerability in other computer software (such as the dependencies of your project). Since SonarQube is not a SCA (Software Component Analysis) tool, and focuses on the code your developers are writing, SonarQube doesn’t play a role in detecting 0-day vulnerabilities.

And SonarQube can detect things such as code likely to result in buffer overflows, which are often the target of zero-day vulnerabilities.
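To make the distinction in the reply concrete, here is an added example (hypothetical code, not SonarQube's rule implementation or anything from the original thread) of the kind of first-party code a static analyser flags as overflow-prone, beside a bounded form; the buffer size and names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16

/* The pattern a static-analysis rule flags: the destination size is never
 * checked, so any name of NAME_BUF or more characters writes past `out`.
 * Kept here only as the "before" form; never call it with untrusted input. */
void copy_name_unsafe(char *out, const char *name) {
    strcpy(out, name);                 /* unbounded copy */
}

/* Hardened form: bounded copy, always NUL-terminated, and the caller learns
 * whether the input was truncated instead of silently losing data. */
bool copy_name_safe(char *out, size_t out_size, const char *name) {
    if (out_size == 0) return false;
    size_t n = strlen(name);
    if (n >= out_size) {
        memcpy(out, name, out_size - 1);
        out[out_size - 1] = '\0';
        return false;                  /* truncated */
    }
    memcpy(out, name, n + 1);          /* fits, including terminator */
    return true;
}

int main(void) {
    char buf[NAME_BUF];
    /* Constructed inputs: one fits, one would overflow the 16-byte buffer. */
    const char *short_name = "alice";
    const char *long_name = "a-name-that-is-far-too-long-for-the-buffer";

    copy_name_unsafe(buf, short_name); /* works today, until a long name arrives */
    printf("%s\n", buf);
    /* copy_name_unsafe(buf, long_name) would corrupt the stack; not executed. */

    bool complete = copy_name_safe(buf, sizeof buf, long_name);
    printf("%s (complete=%d)\n", buf, complete);
    return 0;
}
```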

Thank you for the quick response
