Alexandre, how are required plugins determined today by SonarCloud?
I have a project that was scanned in late September, and I re-scanned it today. Result: fewer vulnerabilities are reported. Same files in the project, same rules in the quality profile, but valid vulnerabilities are closed as fixed.
I compared the SonarScanner context of the scans from late September and today. The following 2 plugins are not in the list:
- Vulnerability Analysis 10.2.0.22608 (security)
- Vulnerability Rules for JS 10.2.0.22608 (securityjsfrontend)
To me it looks like a regression.
The project that I’m scanning is Juice Shop (GitHub - juice-shop/juice-shop: OWASP Juice Shop: Probably the most modern and sophisticated insecure web application).