Identification of CVEs and old versions of third-party libraries with SonarQube

Hi. We have a codebase that is largely used to build graphics drivers as embedded software. We predominantly use C++. I’m wondering if SonarQube can be used to inform us as to whether we have identified CVEs in third-party libraries (open source), as well as whether we have the latest version of a third-party library for those libraries that we build from source.

Hi,

Welcome to the community!

SonarQube analysis works on the code of the current project. To understand what issues might exist in libraries, you’d need to analyze those libraries’ code bases.

HTH,
Ann

Hi Ann,
I’m afraid that’s not really what I was looking for, or perhaps the detail is missing. I think you described how to scan source code in a third-party library. My question is whether I can build a solution around SonarQube that covers off some or all of the following requirements:

  • Identifies third-party libraries
  • Identifies whether a third-party library is at the current version
  • Identifies whether a third-party library has a vulnerability as recorded in a vulnerability database
  • Identifies whether a third-party library in our source has an open-source licence agreement that we are happy with.

Many thanks,

Mike

Hi Mike,

There are plugins available for some of those things, but you’re probably not going to be able to have all the pieces you’re after. (Maybe someone from the community will step in and tell us I’m wrong…) What I described is what you can do with SonarQube out of the box.

:slight_smile:
Ann