No vulnerabilities with Sonar Cloud in Go, but a few with

Sonar Cloud did not find any vulnerabilities, but the same Go code scanned with found 6 vulnerabilities; here are some CVEs:

Do I have a false expectation of Sonar Cloud in terms of vulnerability scans?


Welcome to the community!

It’s a bit apples-and-oranges. Snyk is one of several tools that provide dependency scanning. I.e., are you using another component/library with known vulnerabilities - and it looks like that’s what those reports are: problems in dependencies. SonarCloud provides code analysis. I.e., are there security problems with the way you’ve written your own code?

So no, I wouldn’t expect the same thing from both tools.
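To make the two surfaces concrete, here is an added Go example (not code from the original post, and not SonarSource's or Snyk's own code). The go.mod content, module names and versions are constructed for illustration, and the `users` query is a hypothetical lookup. A dependency scanner works from the module/version pairs in go.mod; a code analyser works from patterns in your own source, such as untrusted input concatenated into SQL:

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod for the example; the modules and versions are made up.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/some/lib v1.2.3
	golang.org/x/text v0.3.0 // indirect
)

require github.com/other/tool v1.4.0
`

// requiredModules extracts module path -> version from a go.mod. A dependency
// scanner compares exactly these pairs against a vulnerability database;
// nothing about your own source is examined at this stage.
func requiredModules(gomod string) map[string]string {
	deps := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop trailing comments such as "// indirect"
		}
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			// single-line form: require <module> <version>
			if fields := strings.Fields(line); len(fields) == 3 {
				deps[fields[1]] = fields[2]
			}
		case inBlock:
			// block form: <module> <version>
			if fields := strings.Fields(line); len(fields) == 2 {
				deps[fields[0]] = fields[1]
			}
		}
	}
	return deps
}

// unsafeUserQuery is the kind of flaw a code analyser reports: untrusted input
// is concatenated into SQL in your own code. A dependency scanner never sees it.
func unsafeUserQuery(username string) string {
	return "SELECT id FROM users WHERE name = '" + username + "'"
}

// safeUserQuery is the hardened form: the input travels as a bound parameter,
// so the SQL text is fixed regardless of what the caller supplies.
func safeUserQuery(username string) (string, []any) {
	return "SELECT id FROM users WHERE name = $1", []any{username}
}

func main() {
	fmt.Println("dependency surface (what a dependency scanner looks at):")
	for mod, ver := range requiredModules(sampleGoMod) {
		fmt.Printf("  %s %s\n", mod, ver)
	}

	input := "x' OR '1'='1" // constructed hostile input
	fmt.Println("code surface (what a code analyser looks at):")
	fmt.Println("  unsafe:", unsafeUserQuery(input))
	q, args := safeUserQuery(input)
	fmt.Println("  safe:  ", q, args)
}
```

The first function shows why a clean SonarCloud report says nothing about CVEs in your dependencies, and the second pair shows why a clean dependency report says nothing about flaws in code you wrote; the two tools answer different questions.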