Sonar developtment vs sonar cloud free version

Hi team.

We have the SonarQube Development version as part of the security toolkit. We wanted to test the sonar effectiveness, then we performed a set of tests over OWASP Benchmark (it’s just a java project with different vulnerabilities (link)). The problem is that we got better results with the free version of sonar cloud.

Test data

• SonarCloud free version (Sonar way quality profile)
• SonarQube Developer Edition Version 8.5.1r (Sonar way and sonar way security quality profiles)

In all cases, Sonar way was used as quality gate.

Success: It is a True positive. It happens when a file has a vulnerability, and sonarQube was able to detect this vulnerability.

Results with the configuration of your quality profile

• Sonarcloud achieved a 40.28% of success

• Sonar development with sonar way quality profile achieved a 15.9% of success

• Sonar development with sonar way security quality profile achieved a 10 % of success

We would like to know if there is an alternative to improve sonar performance in detecting these vulnerabilities. I think it is a configuration issue but I would like to get some ideas.


Welcome to the community!

It’s not clear to me why you would test with 8.5.1. It’s past EOL. Please try again with 9.1. Its analysis should be nearly* comparable with SonarCloud.


*SonarCloud is updated more frequently than SonarQube is released, so it is naturally ahead of SonarQube at least some of the time.

Hi @ganncamp
The reason is because this is the license that we bought and have installed, and I think that to upgrade to version 9.1 is necessary to buy another license


Licenses are to editions, not versions. If your license is current you can use it on any version without requiring a new license.