PL/SQL Scan Shows Hotspots But No Security Issues or Code Coverage

I’m using SonarQube Developer Edition with a trial key to scan a PL/SQL project. Here’s what I’m seeing:

  • Code is being scanned — issues like code smells and hotspots are appearing.

  • Security Hotspots show up, but no Security Issues appear under the “Issues” tab.

  • Code coverage is stuck at 0%, even though I’m using utPLSQL and utPLSQL-cli with the SonarQube-compatible coverage reporter.

What I’ve done:

  • Used utPLSQL-cli with ut_coverage_sonar_reporter to generate a coverage.xml file.

  • Set sonar.coverageReportPaths=coverage.xml in sonar-project.properties.

  • Confirmed that the file exists and the scan runs without errors — but still 0% coverage shows in SonarQube.

What I’d like clarity on:

  1. Does SonarQube Developer Edition support Security Issues for PL/SQL, or only Hotspots?

  2. What conditions or rules trigger Security Issues in PL/SQL?

  3. Is PL/SQL code coverage fully supported in Developer Edition using utPLSQL?

  4. Is there a way to confirm whether the coverage.xml is being read and processed correctly?

Thanks for the support.

Hey there.

Checking rules.sonarsource.com, there are 4 vulnerability rules for PL/SQL. Is your code designed to trigger any of them?

SonarQube will support any coverage tool if the final report is formatted as generic coverage data. Refer to the following guide for troubleshooting (specifically, where to find the logs):
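
An added example, not part of either post above and not SonarSource or utPLSQL code: a pre-scan check that a `coverage.xml` has the generic coverage structure (`<coverage version="1">`, `<file path>`, `<lineToCover lineNumber covered>`) and that every reported path resolves to a file on disk. The function names, the sample report and the paths in it are constructed for illustration, and resolving relative paths against the project base directory is an assumption.

```python
import os
import tempfile
import xml.etree.ElementTree as ET


def check_generic_coverage(report_path, base_dir):
    """Return a list of problems found in a generic coverage report."""
    try:
        root = ET.parse(report_path).getroot()
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "coverage" or root.get("version") != "1":
        problems.append('root element must be <coverage version="1">')
    files = root.findall("file")
    if not files:
        problems.append("no <file> elements: nothing to import")
    for f in files:
        path = f.get("path") or ""
        # Assumption: relative paths resolve against the project base directory.
        if not os.path.isfile(os.path.join(base_dir, path)):
            problems.append(f"{path!r}: not found under {base_dir}")
        for line in f.findall("lineToCover"):
            if not (line.get("lineNumber") or "").isdigit():
                problems.append(f"{path!r}: bad lineNumber {line.get('lineNumber')!r}")
            if line.get("covered") not in ("true", "false"):
                problems.append(f"{path!r}: bad covered {line.get('covered')!r}")
    return problems


def demo():
    """Run the check on a constructed report and a constructed source tree."""
    sample = ('<coverage version="1">'
              '<file path="source/pkg_a.pkb">'
              '<lineToCover lineNumber="3" covered="true"/></file>'
              '<file path="src/pkg_b.pkb">'  # constructed: no such file on disk
              '<lineToCover lineNumber="5" covered="false"/></file></coverage>')
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "source"))
        open(os.path.join(base, "source", "pkg_a.pkb"), "w").close()
        report = os.path.join(base, "coverage.xml")
        with open(report, "w") as fh:
            fh.write(sample)
        return check_generic_coverage(report, base)


if __name__ == "__main__":
    print("\n".join(demo()) or "report looks importable")
```

An empty result means the report is structurally sound and its paths exist; whether the scanner matched those paths to indexed files still has to be confirmed in the scanner log.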