Should Sonar Cloud detect Java CVEs?

Hi all,
Should Sonar Cloud detect known CVE vulnerabilities in a Java application?
E.g. CVE-2022-22965
We have a paid plan, but we are not seeing CVEs detected which JFrog is detecting.
Regards,
Chris.

Hi Chris,

Welcome to the community!

SonarCloud does static analysis of your source code. Presumably these CVEs are in your dependencies? That’s SCA, software composition analysis, and not in our wheelhouse.

 
HTH,
Ann