List of code dependencies / libraries

We would like to know if there is a way we can get a list of code dependencies / libraries in SonarCloud. This is to create a Software Bill of Materials (SBOM).

Hey there.

SonarCloud will not generate this for the code that you’re scanning, and we do not offer an SBOM for the dependencies/libraries used in SonarCloud itself. You can find SonarCloud’s Security Statement here.

Would it be possible for SonarQube to ingest the BOM from GitHub?

We have a number of applications for which there is no longer a budget to maintain, which means that they are not, currently, being scanned. We also have apps which have not been modified in weeks/months/years.

In these cases, a comparison of the BOM with lists of known vulnerabilities would allow us to check legacy apps against current vulnerability knowledge lists.
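The comparison described above, an SBOM checked against a list of known vulnerabilities, as an added example that is not part of this thread and is not SonarQube's, SonarCloud's or Dependency-Check's own code. Python is assumed here; the thread names no language. The CycloneDX-style SBOM, the advisory list and the `ADV-PLACEHOLDER-*` ids are all constructed for the example, and the version comparison is a deliberate simplification (dotted integers only, pre-release suffixes ignored) rather than any ecosystem's real versioning rules.

```python
"""Match a CycloneDX-style SBOM against a known-vulnerability list.

Constructed example: the SBOM and the advisory list below are made up
for illustration and are not data from the thread or from any real feed.
"""
import json

# Constructed SBOM using a minimal subset of the CycloneDX JSON format.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.3.1",
     "purl": "pkg:maven/org.example/example-http@2.3.1"},
    {"type": "library", "name": "example-json", "version": "1.9.0",
     "purl": "pkg:npm/example-json@1.9.0"},
    {"type": "library", "name": "example-crypto", "version": "0.8.4",
     "purl": "pkg:pypi/example-crypto@0.8.4"}
  ]
}
"""

# Constructed advisory list: package identified by its purl without the
# version, the first affected version, the first fixed version (None if no
# fix exists yet) and a placeholder advisory id (not a real CVE).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "purl": "pkg:maven/org.example/example-http",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "ADV-PLACEHOLDER-0002", "purl": "pkg:npm/example-json",
     "introduced": "1.0.0", "fixed": "1.8.0"},
    {"id": "ADV-PLACEHOLDER-0003", "purl": "pkg:pypi/example-crypto",
     "introduced": "0.0.0", "fixed": None},
]


def parse_version(version: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) for tuple comparison.

    Simplification for this example: a pre-release suffix such as '-beta'
    is dropped, non-numeric parts count as 0, and short versions are padded
    with zeros so '2.3' compares equal to '2.3.0'.
    """
    parts = []
    for piece in version.split("-", 1)[0].split("."):
        try:
            parts.append(int(piece))
        except ValueError:
            parts.append(0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def split_purl(purl: str):
    """Return (purl without version, version or None).

    Qualifiers ('?...') and subpaths ('#...') are stripped first so that
    'pkg:npm/x@1.0?type=jar' matches an advisory keyed on 'pkg:npm/x'.
    """
    core = purl.split("?", 1)[0].split("#", 1)[0]
    base, sep, version = core.partition("@")
    return base, (version if sep else None)


def is_affected(version: str, introduced: str, fixed) -> bool:
    """True when introduced <= version < fixed (no upper bound if fixed is None)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def load_components(sbom_text: str):
    """Yield (purl base, version, display name) for each component with a purl."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl there is nothing reliable to match on
        base, version = split_purl(purl)
        yield base, version or comp.get("version"), comp.get("name")


def match_sbom(sbom_text: str, advisories) -> list:
    """Return one finding per (component, advisory) pair whose version is affected."""
    index = {}
    for adv in advisories:
        index.setdefault(adv["purl"], []).append(adv)
    findings = []
    for base, version, name in load_components(sbom_text):
        for adv in index.get(base, []):
            if version and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "fixed": adv["fixed"]})
    return findings


if __name__ == "__main__":
    for finding in match_sbom(SBOM_JSON, ADVISORIES):
        print(finding)
```

Matching on the purl rather than on the bare component name avoids cross-ecosystem false positives (an npm package and a PyPI package with the same name are different things), and keeping `fixed` as `None` in the advisory list makes "no fix available" an explicit state that still produces a finding for a legacy app that is no longer being rebuilt.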

SonarQube does not natively perform SCA (Software Component Analysis). You might find some luck with the dependency-check/dependency-check-sonar-plugin project on GitHub (https://github.com/dependency-check/dependency-check-sonar-plugin), which integrates Dependency-Check reports into SonarQube.