Known C# vulnerabilities not detected by SonarQube

danb.sn · December 2, 2024, 4:16pm

My dotNetCore c# project include nugget package dependency BouncyCastle.Cryptography ver. 2.1.1
According to Visual Studio it is vulnerable and has 3 known issues.
Sonar did not detect them

ganncamp · December 3, 2024, 4:28pm

Hi,

Are the vulnerabilities in your code or in the dependency? We don’t do SCA.

Ann

danb.sn · December 4, 2024, 9:04am

Thanks for your answer.
Where can I find details of how SonarQube Server verify that the code is secured ?

ganncamp · December 4, 2024, 1:44pm

Hi,

With static analysis, including - in paid offerings - taint analysis. This blog may help.

Ann

system · January 23, 2025, 6:36am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Colin · March 18, 2025, 2:42pm

Hello from the future!

We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.

Please see this announcement for more details.

Topic		Replies	Views
CVE-2018-8292 alert in Github but not from SonarQube Scan SonarQube Server / Community Build github , dotnet , security	6	707	March 18, 2025
SonarQube opensource vulnerability detection SonarQube Server / Community Build	4	10383	March 18, 2025
Known vulnerable files scanning? SonarQube Cloud	5	1068	March 18, 2025
Does SonarQube audit NPM packages for vulnerabilities? SonarQube Server / Community Build sonarqube	3	945	March 18, 2025
Does SonarCloud detect OWASP vulnerabilities in transitive dependencies in a Java project SonarQube Cloud java	3	193	March 18, 2025

Known C# vulnerabilities not detected by SonarQube

Related topics