We use SonarQube 10.5 Developer Edition with the Maven Sonar Scanner, version 3.9.1.2184.
We are trying to compare how effective Sonar is at identifying security issues compared with other tools like Snyk.
We recently upgraded from version 9.9 to 10.5 to check for the latest enhancements in detecting security issues but haven’t seen any major change. I have a few questions:
- Is Sonar Deeper SAST the same as the default security hotspot detection in SonarQube? I don't see any option to enable Deeper SAST, but this article kind of suggests that it is a different thing entirely.
- Does upgrading to the Enterprise Edition give better security hotspot analysis? I only see reporting added as a feature. Other than that, does it change the analysis?