No vulnerabilities with Sonar Cloud in Go, but a few with snyk.io

Sonar Cloud did not find any vulnerabilities, but the same Go code scanned with snyk.io found 6 vulnerabilities. Here are some of the CVEs:

Do I have a false expectation of Sonar Cloud in terms of vulnerability scans?

Hi,

Welcome to the community!

It’s a bit apples-and-oranges. Snyk is one of several tools that provide dependency scanning, i.e., are you using another component/library with known vulnerabilities? And it looks like that’s what those reports are: problems in dependencies. SonarCloud provides code analysis, i.e., are there security problems with the way you’ve written your own code?

So no, I wouldn’t expect the same thing from both tools.

HTH,
Ann