Not seeing any CVE vulnerabilities?

Hi! I am using Sonarqube community edition version 7.9.2 and I don’t see any CVE in the Security → Vulnerabilities section of my scans even though I am fairly sure I’m using vulnerable libraries (our project has some pretty old ones).

I tried downloading the Dependency-check plugin but that didn’t do the trick. Is it a version/edition issue?
Do I have to execute something more than just a “sonar-scanner”?

Thanks in advance!

Hi @simcharb

Welcome to this forum!

SAST rules are mostly available in commercial editions, starting with the Developer Edition.
And you are running an EOL version with 7.9.
The first step I would recommend is to upgrade to 8.9 LTS or 9.4 latest release to be on a supported version of SonarQube.

Then, you can also check the rules of SonarQube here (rules available in the 9.4 version), and at the bottom of each of them, you’ll see either SonarQube Community or SonarQube Developer Edition logo, depending on the edition the rule is available in.

If your idea is to do SCA (Software Composition Analysis), then SonarQube will not help as we provide SAST rules, not SCA. You can definitely use Dependency-Check plugin, which is a community plugin, not supported by Sonar directly.

Carine

1 Like

Hi Carine,

Thanks for your reply. I updated my Sonarqube version to the following version: * Community Edition

  • Version 9.2.4 (build 50792)

However, I still don’t see any CVEs. Could you confirm that there is no way to get the CVE analysis with the community edition?

Thanks a lot and have a nice day!