SonarQube coverage of CISA KNOWN EXPLOITED VULNERABILITIES CATALOG

Version: SonarQube 8.9.6 LTS (on-prem)
Goal: Ensure scans cover CVEs listed in CISA KNOWN EXPLOITED VULNERABILITIES CATALOG.

Does SonarQube tag or track the vulnerabilities listed in CISA’s catalog (Known Exploited Vulnerabilities Catalog | CISA)?

Is there a way to export the CVEs currently incorporated into SonarQube for comparison against CISA’s catalog?

How frequently are the vulnerabilities updated and how are they made available?

Does SonarQube have the capability to analyze dependencies?

Hey there.

CVEs like the ones you’ve linked to are known vulnerabilities declared on specific software components – SonarQube detects issues on the code that your developers are actually writing, not on dependencies. You can find out more about SonarQube’s security capabilities here.
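Since SonarQube reports issues in first-party code rather than CVEs on dependencies, the comparison the question asks for has to start from a software composition analysis (SCA) tool's output. The script below is an added example, not code from this thread or from SonarSource: it pulls CVE IDs out of a constructed SCA report, indexes a constructed catalog snapshot laid out like CISA's `known_exploited_vulnerabilities.json` feed (the field names are CISA's; the entries and CVE numbers are made up for the example), and reports which findings are in the catalog and whether the CISA due date has passed.

```python
"""Cross-check dependency-scan CVE findings against a CISA KEV catalog snapshot.

Added example, not SonarQube or SonarSource code. Assumes the CVE list comes from
an SCA tool, since SonarQube itself does not export CVEs for dependencies.
"""
from __future__ import annotations

import json
import re
from datetime import date

# CVE identifier: CVE-<year>-<sequence>, sequence part has at least four digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed snapshot in the shape of CISA's known_exploited_vulnerabilities.json.
# Field names match the feed; the records and CVE numbers are invented for this example.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "dateReleased": "2022-03-01T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-1999-0001", "vendorProject": "ExampleVendor", "product": "ExampleLib",
         "vulnerabilityName": "Example deserialization flaw", "dateAdded": "2022-01-10",
         "shortDescription": "constructed entry", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-01-24", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-1999-0003", "vendorProject": "ExampleVendor", "product": "OtherLib",
         "vulnerabilityName": "Example path traversal", "dateAdded": "2022-02-15",
         "shortDescription": "constructed entry", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-04-01", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-1999-0004", "vendorProject": "ExampleVendor", "product": "UnusedLib",
         "vulnerabilityName": "Example auth bypass", "dateAdded": "2022-02-20",
         "shortDescription": "constructed entry", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2022-03-06", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed SCA report text; any format that carries CVE IDs works with the regex below.
SCA_REPORT = """\
pkg: examplelib 1.2.3   CVE-1999-0001 (high)
pkg: otherlib 4.5.6     CVE-1999-0002 (medium), cve-1999-0003 (low)
pkg: cleanlib 7.8.9     no known CVEs
"""


def load_kev(kev_json: str) -> dict[str, dict]:
    """Index a KEV catalog document by upper-cased CVE ID."""
    catalog = json.loads(kev_json)
    return {v["cveID"].upper(): v for v in catalog["vulnerabilities"]}


def extract_cves(text: str) -> set[str]:
    """Pull every CVE ID out of free-form SCA output, normalised to upper case."""
    return {m.upper() for m in CVE_RE.findall(text)}


def match_kev(findings: set[str], kev: dict[str, dict], today_iso: str) -> list[dict]:
    """Return the findings present in KEV, flagged as overdue when past the CISA due date."""
    today = date.fromisoformat(today_iso)
    hits = []
    for cve in sorted(findings & kev.keys()):
        entry = kev[cve]
        hits.append({
            "cveID": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "overdue": today > date.fromisoformat(entry["dueDate"]),
            "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    return hits


def run(sca_text: str, kev_json: str, today_iso: str) -> list[dict]:
    """Convenience entry point: SCA text + KEV JSON -> list of KEV hits."""
    return match_kev(extract_cves(sca_text), load_kev(kev_json), today_iso)


if __name__ == "__main__":
    for hit in run(SCA_REPORT, KEV_SNAPSHOT, date.today().isoformat()):
        flag = "OVERDUE" if hit["overdue"] else "due " + hit["dueDate"]
        print(f'{hit["cveID"]}  {hit["product"]}  {flag}  ransomware={hit["ransomware"]}')
```

In practice `KEV_SNAPSHOT` would be replaced by the downloaded feed and `SCA_REPORT` by the real scanner output; CISA re-publishes the catalog whenever entries are added, so the feed should be refreshed on each run rather than cached.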