I would have a little bit of questions on how Sonarqube works but just focusing on vulnerabilities computation. I used Sonarqube to analyze some projects but i dind’t find anywhere a complete technical guide, because i basically need specific and technical informations.
First of all i didn’t understand how the “security category”(OWASP, SANS, CWE, …) are correlated among them and how sonaqube uses these ones.
Then i saw the outcomes “Remediation Effort” ,“Ratings” and “severity” and thanks the official documentation i made an idea how these are computed on, but i would like to know if are used particular metrics to obtain the results displayed on the interface.
Finally i would like to know if Sonarqube uses an external Database to measure the security level of the code.
Thanks in advance