No vulnerabilities reported

Hi, we have hundreds of repositories that we provisioned through the API.

Unfortunately, no vulnerabilities (as explained here: Upcoming features and improvements) are showing up because we didn't import the repositories from the UI.

How can we make SonarCloud projects bound to repositories (afterward) so that we see vulnerabilities showing up in SonarCloud?

Regards

Hey there.

Can you clarify if you mean:

  • No vulnerabilities are being reported in the analysis results you see on Sonarcloud.io? This should happen regardless of whether or not your project was imported via the UI.

  • If they are appearing in SonarCloud, but not being decorated elsewhere (this is the PR decoration you're referring to that won't happen "because we didn't import the repositories from the UI").

I mean: No vulnerabilities are being reported in the analysis results

Okay. What language(s) are you analyzing? What vulnerabilities do you expect to appear?

The language used is Node, and I would expect to see the same vulnerability reports that Dependabot gives on GitHub.
Is there anything I can check to assess whether dependency vulnerabilities are showing up on SonarCloud?

Dependabot is looking specifically at software components (SCA), which is not a domain that Sonar covers.

Here you can find the vulnerabilities that Sonar raises on JavaScript code.

Ok, any plan to support it?

It’s not on our roadmap.