SonarCloud and scanning for the Log4J vulnerability

Hi all

Can you please advise whether SonarCloud scan can identify the use of Log4J in the repository?
If we add a repo in SonarCloud, will we get an alert on the use of the Log4J library and whether it’s vulnerable?

Best
Bozidar

Hey there.

SonarCloud is really focused on SAST (Static Application Security Testing) rather than SCA (Software Component Analysis). SonarCloud can’t be configured to raise issues if log4j is found.

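To make the SAST/SCA distinction above concrete: what an SCA check actually does is inspect the project's dependency manifest and compare each component against a known-bad version range, rather than analysing the project's own source code. The following is an added example, not part of this thread and not SonarCloud or any Sonar product code. It parses a constructed Maven pom.xml, resolves `${property}` version references, lists every log4j artifact it declares and flags `log4j-core` entries below a minimum version; the sample pom, the `MIN_SAFE_VERSION` value and all function names are assumptions made for the example.

```python
"""
Minimal SCA-style dependency check (added example; not from the forum thread
and not Sonar code). It parses a Maven pom.xml, finds declared log4j artifacts
and flags log4j-core versions below an assumed minimum. A real SCA tool also
walks the resolved transitive tree (e.g. `mvn dependency:tree`) and matches
against a vulnerability database; this shows only the declared-dependency part.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Maven POMs declare this default namespace, so ElementTree tags carry it.
MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Assumption for the example: the lowest version you accept. Take the real
# value from the vendor advisory for the vulnerability you are checking.
MIN_SAFE_VERSION = "2.17.1"

# Constructed sample pom.xml: one log4j-core pinned via a property, one
# log4j-api, and one unrelated dependency.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <log4j.version>2.14.1</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.17.1</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.13.2</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.17.1' or '2.3.0-rc1' into a comparable tuple of leading digits."""
    parts: List[int] = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def resolve_property(value: str, props: Dict[str, str]) -> str:
    """Replace a '${name}' reference with the value from <properties>."""
    if value.startswith("${") and value.endswith("}"):
        return props.get(value[2:-1], value)
    return value


def find_log4j(pom_xml: str) -> List[Tuple[str, str]]:
    """Return (artifactId, version) for every org.apache.logging.log4j dependency."""
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    props_el = root.find(f"{MAVEN_NS}properties")
    if props_el is not None:
        for child in props_el:
            props[child.tag.replace(MAVEN_NS, "")] = (child.text or "").strip()
    findings: List[Tuple[str, str]] = []
    for dep in root.iter(f"{MAVEN_NS}dependency"):
        group = dep.findtext(f"{MAVEN_NS}groupId", default="").strip()
        artifact = dep.findtext(f"{MAVEN_NS}artifactId", default="").strip()
        version = resolve_property(
            dep.findtext(f"{MAVEN_NS}version", default="").strip(), props
        )
        if group == "org.apache.logging.log4j":
            findings.append((artifact, version))
    return findings


def vulnerable_log4j(pom_xml: str, min_safe: str = MIN_SAFE_VERSION) -> List[Tuple[str, str]]:
    """Return the log4j-core entries whose version is below min_safe."""
    return [
        (artifact, version)
        for artifact, version in find_log4j(pom_xml)
        if artifact == "log4j-core" and parse_version(version) < parse_version(min_safe)
    ]


if __name__ == "__main__":
    for artifact, version in vulnerable_log4j(SAMPLE_POM):
        print(f"FLAG: {artifact} {version} is below {MIN_SAFE_VERSION}")
```

The point the check makes is the one in the reply above: nothing here looks at the project's Java code, which is why a SAST-only scanner has no natural place to raise it. For a real repository you would also run this over the resolved tree (log4j-core often arrives transitively) and over bundled jars, not just the top-level pom.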


Hello from the future!

We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.

Please see this announcement for more details.