Sonar confuses javax.websocket.javax.websocket-api with org.java-websocket.ava-WebSocket

Hello Xavier,
and welcome to the SonarSource community forum!

Just to make certain, are you describing a case where SonarQube is wrongly reporting a vulnerability on a third party library on a project you scanned?

If that is the case, it is worth mentioning that SonarSource does not do any SCA (Software Composition Analysis); there are 3rd party plugins for the aggregation in SonarQube of the results of SCA tools, though.
Do you have such a plugin installed with your SonarQube?
You may want to report the false positive to the editor of the SCA analyzer tool then.

Best.
Sylvain
