Can anyone tell me if Sonar can find known vulnerable versions of well-known files like jQuery, or other frameworks?
I really don’t want to scan 100s of K of “vendor”-supplied source, but I also don’t want to lose any notifications of vulnerable components. What’s the solution here?
SonarCloud does not offer Software Composition Analysis and focuses on SAST only.
But you can definitely ignore all the vendor code when running your SonarCloud analysis and in parallel use a different tool specialized in SCA.
We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.
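One way to do both halves of what the reply above suggests (keep vendored code out of the Sonar scan, but still hand an inventory of those components to an SCA tool), as an added example that is not from this thread or from Sonar. The vendor directory names, library banner patterns and sample files are constructed assumptions; `sonar.exclusions` is a real SonarQube/SonarCloud analysis property.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Directory names treated as third-party code (assumption; adjust per project).
VENDOR_DIRS = {"vendor", "node_modules", "bower_components"}
# Version banners found at the top of common minified libraries (assumption).
BANNERS = {
    "jquery": re.compile(r"jQuery v(\d+\.\d+\.\d+)"),
    "bootstrap": re.compile(r"Bootstrap v(\d+\.\d+\.\d+)"),
}

def exclusion_glob(rel: Path):
    """Glob that excludes the whole vendor subtree containing `rel`, or None."""
    for i, part in enumerate(rel.parts):
        if part in VENDOR_DIRS:
            return "/".join(rel.parts[: i + 1]) + "/**"
    return None

def inventory(root: Path):
    """Return (exclusion globs for Sonar, package URLs of vendored libraries)."""
    exclusions, components = set(), set()
    for f in root.rglob("*.js"):
        glob = exclusion_glob(f.relative_to(root))
        if glob is None:
            continue  # first-party code: stays in the SAST scan
        exclusions.add(glob)
        head = f.read_text(errors="ignore")[:500]  # banner is in the first bytes
        for name, pattern in BANNERS.items():
            m = pattern.search(head)
            if m:
                components.add(f"pkg:npm/{name}@{m.group(1)}")  # purl for SCA
    return sorted(exclusions), sorted(components)

def sonar_exclusions_line(exclusions):
    """Line to drop into sonar-project.properties."""
    return "sonar.exclusions=" + ",".join(exclusions)

def demo():
    """Run against a constructed tree: one vendored jQuery, one app file."""
    with TemporaryDirectory() as d:
        root = Path(d)
        (root / "vendor" / "js").mkdir(parents=True)
        (root / "vendor" / "js" / "jquery.min.js").write_text(
            "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors */\n")
        (root / "src").mkdir()
        (root / "src" / "app.js").write_text("console.log('app');\n")
        return inventory(root)

if __name__ == "__main__":
    excl, comps = demo()
    print(sonar_exclusions_line(excl)); print("\n".join(comps))
```

The purl list is what you would feed to the separate SCA tool, while the `sonar.exclusions` line keeps those files out of the SonarCloud analysis.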