Should Sonar Cloud detect Java CVEs?

chrisphale · December 6, 2023, 3:27pm

Hi all,
Should Sonar cloud detect known CVE vulnerabilities in a Java application?
E.g. CVE-2022-22965
We have a paid plan, but we are not seeing CVEs detected which JFrog is detecting.
Regards,
Chris.

ganncamp · December 8, 2023, 4:20pm

Hi Chris,

Welcome to the community!

SonarCloud does static analysis of your source code. Presumably these CVEs are in your dependencies? That’s SCA, software composition analysis, and not in our wheelhouse.

HTH,
Ann

Colin · March 18, 2025, 2:27pm

Hello from the future!

We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.

Please see this announcement for more details.

Topic		Replies	Views
Does SonarCloud detect OWASP vulnerabilities in transitive dependencies in a Java project SonarQube Cloud java	3	193	March 18, 2025
Not seeing any CVE vulnerabilities? SonarQube Server / Community Build java , sonarqube , scanner	3	5060	March 18, 2025
Support in Sonarcloud for SCA tools Product Manager for a Day sonarqube-cloud	1	1295	March 18, 2025
Known vulnerable files scanning? SonarQube Cloud	5	1068	March 18, 2025
SonarCloud and scanning for the Log4J vulnerability SonarQube Cloud	3	1241	March 18, 2025

Should Sonar Cloud detect Java CVEs?

Related topics