Looking to scan for vulnerabilities in direct/transitive dependencies from nuget and npm, possible?

I used the contact us page on the Sonar website with customer service selected as the category and was directed here. This doesn’t feel like the right place given the new topic template but here goes.

I am investigating options to replace dependabot in our github repositories to something that supports scanning transitive dependencies as well as direct ones for vulnerabilities in packages from nuget and npm. We are using TeamCity and Octopus for CI/CD, github is just the SCM.

The solution to the above should also be able to raise alerts as well as generate reports of issues found (or not as the case may be).

I’ve read through multiple pages on the Sonar site and can’t find a clear answer as to whether that is something SonarQube can do and whether it is something that can be used and purchased separately without all the IDE/code analysis stuff. The closest thing I could find was at Announcing SonarQube Advanced Security, which seems like the answer is yes, but it’s not released until end of this month.

It would be great if someone could help to clarify things and provide some links to some official pages that support this and clear things up.

Thanks
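To make the direct/transitive distinction from the question concrete, here is an added example (not from the original post, Sonar, or any product it names) that reads an npm lockfile, matches installed packages against a constructed advisory list, and reports whether each hit is a direct or transitive dependency. The lockfile, the advisory ids and the affected-version prefixes are all constructed placeholders; a real scanner would evaluate semver ranges against a real advisory feed, and nuget would need the same treatment over its own lock format.

```python
import json

# Constructed package-lock.json (lockfileVersion 3 layout): direct deps live under
# packages[""].dependencies; every installed package is keyed by its node_modules path.
LOCKFILE = json.loads("""
{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"express": "^4.18.0", "lodash": "^4.17.21"}},
    "node_modules/express": {"version": "4.18.2", "dependencies": {"qs": "6.11.0"}},
    "node_modules/qs": {"version": "6.11.0"},
    "node_modules/lodash": {"version": "4.17.21"}
  }
}
""")

# Constructed advisory feed: placeholder ids, NOT real CVEs or real vulnerabilities.
# Each entry names a package and the version prefix it affects (prefix match keeps
# the example short; production tooling evaluates semver ranges).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "qs", "affected_prefix": "6.11", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "package": "lodash", "affected_prefix": "3.", "severity": "moderate"},
]

def installed_packages(lock):
    """Map package name -> installed version for everything under node_modules."""
    out = {}
    for path, meta in lock["packages"].items():
        if path.startswith("node_modules/"):
            # rsplit handles nested paths like node_modules/a/node_modules/b -> "b"
            name = path.rsplit("node_modules/", 1)[1]
            out[name] = meta["version"]
    return out

def scan(lock, advisories):
    """Return findings; each one records whether the package is direct or transitive."""
    direct = set(lock["packages"][""].get("dependencies", {}))
    installed = installed_packages(lock)
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None or not version.startswith(adv["affected_prefix"]):
            continue  # not installed, or installed version is outside the affected range
        findings.append({
            "id": adv["id"], "package": adv["package"], "version": version,
            "severity": adv["severity"],
            "kind": "direct" if adv["package"] in direct else "transitive",
        })
    return findings

if __name__ == "__main__":
    for f in scan(LOCKFILE, ADVISORIES):
        print(f"{f['severity'].upper():8} {f['id']} {f['package']}@{f['version']} ({f['kind']})")
```

With the constructed input, only qs is flagged, and it is reported as transitive because it is pulled in by express rather than listed in the root manifest.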

Hi,

Welcome to the community!

We’ve got SCA in EA (early access) right now. GA is anticipated with the 2025.3 release at the end of this month.

To be clear, SonarQube for IDE is free, so there’s no purchase there. :slight_smile:

But our SCA offering runs during “the… analysis stuff”, so it’s not something you can do separately. In fact, it will be part of the Advanced Security add-on available for Enterprise Edition ($$).

And during this initial release, SCA results will only be updated as part of analysis, but I believe the plans are for that to change in the future.

Yes, exactly.

Since this hasn’t been released, there aren’t any official pages yet, but they’ll come soon.

HTH,
Ann

Thanks for getting back to me. Will await the official release to see further docs.

When I say “analysis stuff” I mean all the clean code, security checking of code as you implement it. Literally all we are looking for right now is the nuget and npm package direct/indirect vulnerability checking and that’s it. That part is isolated, or at least partial, in other solutions hence the way I phrased it, sorry if that wasn’t clear.