SBOM Generation during SonarQube Code Scans

Any plans to support generation of SBOMs from SonarQube scans to establish the code dependencies and shift left? A bonus would be the integration with JFrog Xray and JFrog Advanced Security for correlating security and license violations in source code.

1 Like

Hi,

Same answer as during the webinar:
I'm not currently aware of any plans.

HTH,
Ann

Hoping this feature can be considered for a future product release.

Hello,

This is a feature we have prioritized recently. It’s so fresh that I did not have time to inform @ganncamp about it internally.
I don’t have a precise timeline to communicate as of now.

Alex

1 Like

Hello @John.Morales
Can you share what you do or will do with your SBOM files once generated from Sonar?
Is it to share with an external entity or to load the content in software such as https://dependencytrack.org/?

What would be the benefit of having Sonar generate the SBOM as opposed to dedicated tools for your respective build framework? For example, there are official plugins from CycloneDX for plenty of different build tools, such as Gradle, Maven, NPM, Yarn, NuGet, Python, Rust, Go, Ruby, PHP, etc., and a CLI tool, in case you need to merge SBOMs from different projects.

At that point I would question whether SonarQube is spreading their responsibilities too thin if they want to tackle the whole SBOM thing on top of the code quality measures.

Hello Alexandre, the idea is to shift left and scan the static code to identify the code dependencies while we are scanning the code with SonarQube. We can load the SBOM into our Engineering Excellence Datalake DB for reporting, and feed a solution like dependencytrack.org for security vulnerabilities, reporting and metrics. All of the data can be correlated, mapping the code-associated SBOM to our product hierarchy for our global product engineering organization. We can analyze the data for commonalities and breaches of our architecture standards for the use of OSS packages and versions.

Hello CrushaKRool, the idea of leveraging SonarQube is that the solution is already scanning the static code, so why not detect dependencies and have an option to generate an SBOM? If we can integrate CycloneDX with SonarQube then this would be awesome. Less additional code scanning.
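The use case described in the thread (load a CycloneDX SBOM and check it against internal standards for OSS packages, versions and licenses) as an added example; this is not SonarQube's, CycloneDX's or the poster's code, the SBOM document and the policy values are constructed for illustration, and a real SBOM would come from the CycloneDX build plugins or the cyclonedx-cli merge mentioned above.

```python
"""Evaluate a CycloneDX JSON SBOM against a hypothetical internal OSS policy."""
import json
from typing import Dict, List, Tuple

# Constructed minimal CycloneDX document (only the fields the check needs).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "legacy-lib", "version": "2.9.0",
         "purl": "pkg:maven/com.example/legacy-lib@2.9.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"type": "library", "name": "mylib", "version": "0.1.0",
         "purl": "pkg:pypi/mylib@0.1.0"},  # no license declared
    ],
})

# Hypothetical architecture standard: accepted SPDX ids and version floors per purl.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}
MIN_VERSIONS: Dict[str, Tuple[int, ...]] = {"pkg:maven/com.example/legacy-lib": (3, 0, 0)}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.9.0' into (2, 9, 0); non-numeric parts are ignored."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def component_licenses(component: Dict) -> List[str]:
    """Collect declared license ids/names; 'UNKNOWN' when nothing is declared."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids or ["UNKNOWN"]


def evaluate_sbom(text: str) -> List[Dict[str, str]]:
    """Return one finding per license or version-floor breach in the SBOM."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for c in bom.get("components", []):
        purl = c.get("purl", "")
        base = purl.rsplit("@", 1)[0] if "@" in purl else purl  # strip version
        for lic in component_licenses(c):
            if lic not in ALLOWED_LICENSES:
                findings.append({"component": c["name"], "rule": "license", "detail": lic})
        floor = MIN_VERSIONS.get(base)
        if floor and parse_version(c.get("version", "0")) < floor:
            findings.append({"component": c["name"], "rule": "version", "detail": c["version"]})
    return findings
```

The same loop works on any CycloneDX JSON output, so the policy tables are the only part that needs to match your own standards.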