No Golang vulnerability rules in SonarQube

Hello everyone,
First of all, I think it's useful to mention that I've read this thread:

Nevertheless, I think it may now be time to add some vulnerability rules related to Go.
It's true that one can import external scanner results, and it's true that one can define custom rules, but I hope that a best-of-breed solution such as SonarQube could have its own Go vulnerability coverage.
All the best,
LC

Hello,

I can only agree with you and say that this is a feature that we are considering for 2022.

Alex

Hello,
Did the project to include SAST GoLang coverage in SonarQube see any progress?
Best

Hi all,
There are several posts regarding this issue, but I have seen no news about it so far, so I am creating a new post.
I think it may now be time to add some vulnerability rules related to Go.
It's true that one can import external scanner results, and it's true that one can define custom rules, but I hope that a best-of-breed solution such as SonarQube could have its own Go vulnerability coverage.
All the best,
LC

Hey there.

This is something we’re already listing as under consideration on our roadmap. It would be great for you to add your voice there: https://portal.productboard.com/sonarsource/3-sonarqube/c/215-sast-for-go

Hi Colin,
I've already added my voice there, probably twice (by mistake); I am one of the 13 who expressed interest in the feature. Unfortunately, I see no progress and haven't received any update.
Best,
LC

There is a command line tool, govulncheck, available as part of the Go toolset. This seems like an ideal mechanism for reporting vulnerabilities to Sonar, perhaps in a similar way to how test reports and lint reports are processed by Sonar. More info on this is available here: govulncheck command - golang.org/x/vuln/cmd/govulncheck - Go Packages
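As an added example (not code from the post, from SonarSource or from the Go project), here is a Go function that turns a `govulncheck -json` stream into SonarQube's Generic Issue Import format, which is the external-report route the post alludes to. The govulncheck field names, the trace ordering (vulnerable symbol first, entry point last) and the fixed CRITICAL/VULNERABILITY mapping are assumptions about the tool's current output; the returned slice still has to be written as `{"issues": [...]}` and referenced via `sonar.externalIssuesReportPaths`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
)

// Subset of the govulncheck -json stream (assumed shape); only "finding" objects
// are used. Frames are assumed ordered from the vulnerable symbol (Trace[0]) up to
// the entry point in the scanned code, each carrying the position of its call.
type Frame struct {
	Package  string `json:"package"`
	Function string `json:"function"`
	Position *struct {
		Filename string `json:"filename"`
		Line     int    `json:"line"`
	} `json:"position"`
}
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []Frame `json:"trace"`
}

// Issue is one entry of SonarQube's Generic Issue Import format (sonar.externalIssuesReportPaths).
type Issue map[string]any

// Convert emits one issue per finding that reaches a call site in the scanned
// code (last frame with a position); module-level findings without one are dropped.
func Convert(r io.Reader) ([]Issue, error) {
	var out []Issue
	dec := json.NewDecoder(r)
	for {
		var m struct{ Finding Finding `json:"finding"` } // "config"/"progress"/"osv" objects decode to a zero Finding
		if err := dec.Decode(&m); err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		f := m.Finding
		for i := len(f.Trace) - 1; i >= 0; i-- {
			if p := f.Trace[i].Position; p != nil {
				msg := fmt.Sprintf("%s calls %s.%s, affected by %s (fixed in %s)",
					f.Trace[i].Function, f.Trace[0].Package, f.Trace[0].Function, f.OSV, f.FixedVersion)
				out = append(out, Issue{"engineId": "govulncheck", "ruleId": f.OSV,
					"severity": "CRITICAL", "type": "VULNERABILITY",
					"primaryLocation": map[string]any{"message": msg, "filePath": p.Filename,
						"textRange": map[string]int{"startLine": p.Line}}})
				break
			}
		}
	}
}
```

Module-level findings (a single frame with no position) are deliberately skipped, so the report lists only vulnerabilities that govulncheck found reachable from the scanned code.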