Scanning PHP composer file

I’m new to Sonarqube and I’m making a POC using the community edition (9.5).

So far I can’t find a way to tell Sonarqube to parse PHP composer files.

I’d like to be able to check if I’m using any vulnerable version (known) of some library.

Any tips on this?

Hello,

What you are looking for is called SCA (Software Composition Analysis) and SonarQube CE or greater doesn’t provide such a feature. We do SAST and detect vulnerabilities in your PHP code.
The recommended version if you care about code security is at minimum SonarQube Developer Edition.

Alex
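To make the SCA/SAST distinction concrete, here is a small added example (not Sonar's code and not part of the original thread) of what an SCA check over a Composer project does: it reads the `packages` and `packages-dev` sections of a `composer.lock`, normalises each installed version, and compares it against a list of advisories that say which version fixed a known issue. The lock-file content and the advisory entries below are constructed for illustration; a real tool would fetch advisories from a vulnerability database.

```python
import json

# Constructed sample composer.lock content (invented packages, not from the thread).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/example-http", "version": "v1.2.3"},
        {"name": "vendor/example-orm", "version": "2.0.1"},
        {"name": "vendor/example-logger", "version": "3.4.0"},
        {"name": "vendor/example-branch", "version": "dev-main"},
    ],
    "packages-dev": [
        {"name": "vendor/example-testlib", "version": "0.9.0"},
    ],
})

# Constructed advisory list: package -> [(first_fixed_version, advisory id placeholder)].
# A real SCA tool pulls this from an advisory database; these entries are invented.
SAMPLE_ADVISORIES = {
    "vendor/example-http": [("1.2.4", "ADV-PLACEHOLDER-1")],
    "vendor/example-orm": [("2.1.0", "ADV-PLACEHOLDER-2")],
    "vendor/example-testlib": [("0.9.0", "ADV-PLACEHOLDER-3")],  # installed == fixed
}


def parse_version(version):
    """Turn 'v1.2.3', '1.2.3' or '2.0' into a comparable tuple of ints.

    Leading 'v' is dropped, pre-release/build suffixes ('-beta1', '+meta') are
    ignored, and missing components are padded with 0 so '2.0' == (2, 0, 0).
    """
    core = version.lstrip("vV").split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def installed_packages(lock_text, include_dev=True):
    """Return {package name: version string} from a composer.lock document."""
    lock = json.loads(lock_text)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    found = {}
    for section in sections:
        for pkg in lock.get(section, []):
            found[pkg["name"]] = pkg["version"]
    return found


def find_vulnerable(lock_text, advisories, include_dev=True):
    """Return [(name, installed, fixed_in, advisory_id)] for packages below a fix version.

    Branch aliases such as 'dev-main' carry no comparable number, so they are
    skipped here rather than reported as either safe or vulnerable.
    """
    findings = []
    for name, version in installed_packages(lock_text, include_dev).items():
        if version.startswith("dev-"):
            continue
        for fixed_in, advisory_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, fixed_in, advisory_id))
    return findings


if __name__ == "__main__":
    for name, installed, fixed_in, adv in find_vulnerable(SAMPLE_COMPOSER_LOCK, SAMPLE_ADVISORIES):
        print(f"{name} {installed} is below fixed version {fixed_in} ({adv})")
```

The point of the example is the data flow: the check never looks at your own PHP source, only at the dependency manifest and an advisory feed, which is why a SAST-only setup cannot answer the question in the original post.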

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

Hello from the future!

We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.

Please see this announcement for more details.