I’m new to Sonarqube and I’m making a POC using the community edition (9.5).
So far I can’t find a way to tell Sonarqube to parse PHP compositing files.
I’d like to be able to check if I’m using any vulnerable version (known) of some library.
Any tips on this?
What you are looking for is called SCA (Software Composition Analysis) and SonarQube CE or greater doesn’t provide such a feature. We do SAST and detect vulnerabilities in your PHP code.
The recommended version if you care about code security is at minimum SonarQube Developer Edition.