Hi, we have hundreds of repositories that we provisioned through the API.
Unfortunately, no vulnerabilities (as explained here Upcoming features and improvements) are showing up because we didn’t import the repositories from the UI.
How can we make SonarCloud projects bound to repositories (afterward) so that we see vulnerabilities showing up in SonarCloud?
Can you clarify if you mean:
No vulnerabilities are being reported in the analysis results you see on Sonarcloud.io? This should happen regardless of whether or not your project was imported via the UI.
If they are appearing in SonarCloud, but not being decorated elsewhere (this is the PR decoration you’re referring to that won’t happen “because we didn’t import the repositories from the UI.”)
I mean: No vulnerabilities are being reported in the analysis results
Okay. What language(s) are you analyzing? What vulnerabilities do you expect to appear?
The language used is Node and I would expect to see the same vulnerability reports as Dependabot is giving on GitHub.
Is there anything I can check to assess whether dependency vulnerabilities are showing up on SonarCloud?
Dependabot is looking specifically at software components (SCA), which is not a domain that Sonar covers.
Ok, any plan to support it?