I lost some vulnerability issues between two scans: due to the download only required analyzers?

Alexandre, how required plugins are determined today by SonarCloud?

I have a project scanned late September, and I have re-scanned it today. Result - less vulnerabilities are reported. Same files in the project, same rules in the quality profile, but valid vulnerabilities are closed as fixed.

I compared SonarScanner context of scan from late September and today - 2 following plugins are not in the list:

  • Vulnerability Analysis (security)
  • Vulnerability Rules for JS (securityjsfrontend)

To me it looks like a regression.

Project that I’m scanning is juice shop GitHub - juice-shop/juice-shop: OWASP Juice Shop: Probably the most modern and sophisticated insecure web application


In order to confirm if you are facing a regression, can you run the scan with this extra parameter:



Hi Alexandre

Thank you for the suggestion. With this option, plugins are back in scanner context, and issues detected in September are also back.