This was in reference to the identification of open source vulnerabilities and use of vulnerable versions of libraries.
Until now, we have been manually performing this check by reviewing the software build configuration (Maven and Gradle dependencies).
However, we have over 200 repositories, and this process can be cumbersome to maintain on an ongoing basis.
Since we are using SonarQube for analyzing our source code, I wanted to reach out and check whether SonarQube has any features in the area of assessing vulnerabilities in open-source dependencies.
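The manual check described in the post above, automated as an added example (this is not the poster's tooling and not a SonarQube feature): it extracts declared dependency coordinates from a pom.xml (resolving `${property}` placeholders from `<properties>`) and from a Gradle build script, then flags any version that falls inside a constructed advisory range. The library names, versions and advisory ranges below are made up for the demonstration; they are not real CVE data. Versions managed by a parent POM or BOM are not declared inline, so those are reported without a version and would need the effective POM (`mvn help:effective-pom`) to resolve.

```python
"""Added example: flag declared Maven/Gradle dependencies that fall inside a
vulnerable version range. Illustrative only; the advisory list and sample
build files are constructed for the demo and are not real vulnerability data."""
import re
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed advisory list: (group, artifact, min_inclusive, max_exclusive).
# Fictional coordinates; a real scan would pull ranges from an advisory feed.
ADVISORIES = [
    ("com.example", "json-util", "2.0.0", "2.3.0"),
    ("com.example", "http-client", "4.0", "4.1"),
]


def parse_version(v):
    """Turn '2.3.1-SNAPSHOT' into (2, 3, 1). Numeric components only; the
    first non-numeric part ends parsing, so a pre-release qualifier is treated
    like the release it precedes. Padded to three components so that
    '2.3' compares equal to '2.3.0' instead of sorting below it."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_pom(xml_text):
    """Return [(group, artifact, version)] for every <dependency> in a pom.xml.
    ${prop} placeholders are resolved from <properties>; a dependency whose
    version is inherited from a parent/BOM comes back with version ''."""
    root = ET.fromstring(xml_text)
    props = {}
    for p in root.findall(f"{MAVEN_NS}properties/*"):
        props[p.tag.replace(MAVEN_NS, "")] = (p.text or "").strip()

    def resolve(value):
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    deps = []
    for d in root.findall(f"{MAVEN_NS}dependencies/{MAVEN_NS}dependency"):
        group = d.findtext(f"{MAVEN_NS}groupId", "").strip()
        artifact = d.findtext(f"{MAVEN_NS}artifactId", "").strip()
        version = d.findtext(f"{MAVEN_NS}version", "").strip()
        deps.append((group, artifact, resolve(version)))
    return deps


# Matches the common Gradle string-notation forms:
#   implementation 'g:a:v'   implementation("g:a:v")   testImplementation 'g:a:v'
GRADLE_DEP = re.compile(
    r"""\b(?:implementation|api|compileOnly|runtimeOnly|testImplementation|testRuntimeOnly)\b"""
    r"""\s*\(?\s*['"]([^:'"]+):([^:'"]+):([^'"]+)['"]"""
)


def parse_gradle(text):
    """Return [(group, artifact, version)] from a build.gradle(.kts) script."""
    return [m.groups() for m in GRADLE_DEP.finditer(text)]


def find_vulnerable(deps, advisories=ADVISORIES):
    """Return (group, artifact, version, range) for each dependency whose
    declared version lies in an advisory's [min, max) range. Dependencies
    with no inline version are skipped rather than guessed."""
    hits = []
    for group, artifact, version in deps:
        if not version:
            continue
        pv = parse_version(version)
        for ag, aa, lo, hi in advisories:
            if (group, artifact) == (ag, aa) and parse_version(lo) <= pv < parse_version(hi):
                hits.append((group, artifact, version, f">={lo},<{hi}"))
    return hits


# Constructed sample build files (not taken from any real repository).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jsonutil.version>2.2.5</jsonutil.version></properties>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>json-util</artifactId>
      <version>${jsonutil.version}</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>http-client</artifactId>
      <version>4.1</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>logging</artifactId></dependency>
  </dependencies>
</project>"""

SAMPLE_GRADLE = """dependencies {
    implementation 'com.example:json-util:2.3.1'
    implementation("com.example:http-client:4.0.2")
    testImplementation 'org.example:test-lib:1.0'
}"""

if __name__ == "__main__":
    for name, deps in (("pom.xml", parse_pom(SAMPLE_POM)), ("build.gradle", parse_gradle(SAMPLE_GRADLE))):
        for hit in find_vulnerable(deps):
            print(f"{name}: {hit[0]}:{hit[1]}:{hit[2]} is in vulnerable range {hit[3]}")
```

Run across the 200 repositories, the same two parsers can be pointed at each checkout's pom.xml and build.gradle files; the one thing the script deliberately does not do is invent a version for dependencies that inherit one, because a false "clean" result there is worse than an explicit gap in the report.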
SonarQube has no feature in the Software Composition Analysis (SCA) domain. We decided to concentrate on our Static Application Security Testing (SAST) feature for the moment.
Since this discussion is now more than four years old, are there any updates on that?
SCA would be a great option to complement the Sonar Security strategy.
We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.