SonarQube opensource vulnerability detection

This was in reference to the identification of open source vulnerabilities and use of vulnerable versions of libraries.

Until now, we have been manually performing this check by reviewing the software build configuration, i.e. the Maven and Gradle dependencies.

However, we have over 200 repositories and this process can be cumbersome to maintain on an ongoing basis.

Since we are using SonarQube for analyzing our source code, I wanted to reach out and check whether SonarQube has any features in the area of assessing vulnerabilities in open-source dependencies.
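As an added example (not from this thread, and not SonarQube code), here is the manual check described in the question automated in Python: walk a directory of checked-out repositories, extract group:artifact:version coordinates from pom.xml and build.gradle files, and flag versions that fall inside a denylisted range. The library names, versions, sample build files and the denylist are all constructed for illustration and imply nothing about any real library; a real SCA tool replaces the hand-written denylist with a vulnerability database and resolves transitive dependencies, which this script deliberately leaves to the build tool.

```python
"""Inventory Maven/Gradle dependencies across repositories and flag denylisted versions.

Added example for this thread; not SonarQube code.  Library names, versions and
the denylist are constructed for illustration only."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Matches lines like:  implementation 'group:artifact:version'  (single or double quotes)
GRADLE_DEP = re.compile(
    r"""^\s*(?:implementation|api|compile|compileOnly|runtimeOnly|testImplementation)"""
    r"""\s*\(?\s*['"]([^:'"]+):([^:'"]+):([^'"]+)['"]"""
)

# Constructed denylist: (group, artifact, introduced_inclusive, fixed_exclusive, note).
# A real SCA tool pulls this from a vulnerability database instead.
DENYLIST = [
    ("com.example", "legacy-parser", "1.0", "1.4.2", "hypothetical issue, fixed in 1.4.2"),
    ("com.example", "http-utils", "2.0", "2.3.0", "hypothetical issue, fixed in 2.3.0"),
]


def version_key(version):
    """Comparable key for '2.14', '2.14.1', '2.14.1-rc1': numeric parts compare as
    integers, a qualifier sorts below the plain release.  Simplified comparator,
    not Maven's full ComparableVersion."""
    key = []
    for part in re.split(r"[.\-]", version):
        key.append((1, int(part), "") if part.isdigit() else (0, 0, part.lower()))
    if key and key[-1][0] == 1:
        key.append((1, 0, ""))  # sentinel: '2.14.1' > '2.14.1-rc1', '2.14' < '2.14.1'
    return tuple(key)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def parse_pom(text):
    """Return [(group, artifact, version)] from a pom.xml string.  ${property}
    placeholders are resolved from <properties>; parent/BOM-managed versions stay empty."""
    root = ET.fromstring(text)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", POM_NS)}

    def resolve(value):
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

    deps = []
    # './/' also visits <dependencyManagement>, where versions are often pinned.
    for d in root.findall(".//m:dependencies/m:dependency", POM_NS):
        g = d.findtext("m:groupId", default="", namespaces=POM_NS).strip()
        a = d.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
        v = d.findtext("m:version", default="", namespaces=POM_NS).strip()
        deps.append((g, a, resolve(v)))
    return deps


def parse_gradle(text):
    """Return [(group, artifact, version)] for literal 'g:a:v' coordinates in build.gradle."""
    return [m.groups() for m in map(GRADLE_DEP.match, text.splitlines()) if m]


def audit(deps):
    """Split a dependency list into denylist findings and versions this script cannot resolve."""
    findings, unresolved = [], []
    for g, a, v in deps:
        if not v or "$" in v:
            unresolved.append((g, a, v))  # resolve with `mvn dependency:tree` / `gradle dependencies`
            continue
        for dg, da, lo, hi, note in DENYLIST:
            if (g, a) == (dg, da) and is_affected(v, lo, hi):
                findings.append((g, a, v, note))
    return findings, unresolved


def audit_build_file(name, text):
    return audit(parse_pom(text) if name.endswith("pom.xml") else parse_gradle(text))


def audit_tree(root):
    """Walk a directory holding many checked-out repositories; one report entry per build file."""
    files = list(Path(root).rglob("pom.xml")) + list(Path(root).rglob("build.gradle"))
    return {str(p): audit_build_file(p.name, p.read_text(encoding="utf-8")) for p in files}


# Constructed sample inputs (not taken from any real repository).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><parser.version>1.3.0</parser.version></properties>
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>legacy-parser</artifactId>
      <version>${parser.version}</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>http-utils</artifactId>
      <version>2.3.0</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>managed-lib</artifactId></dependency>
  </dependencies>
</project>"""
SAMPLE_GRADLE = """dependencies {
    implementation 'com.example:http-utils:2.2.1-rc1'
    testImplementation "com.example:legacy-parser:1.4.2"
}"""

if __name__ == "__main__":
    for name, text in (("pom.xml", SAMPLE_POM), ("build.gradle", SAMPLE_GRADLE)):
        findings, unresolved = audit_build_file(name, text)
        for g, a, v, note in findings:
            print(f"{name}: {g}:{a}:{v} -> {note}")
        for g, a, v in unresolved:
            print(f"{name}: {g}:{a} version unresolved ({v!r}); ask the build tool")
```

Two design points worth keeping in mind if you build on this: a version that is empty or still carries a `$` placeholder is reported as unresolved rather than silently skipped, because a parent POM or BOM may be pinning exactly the version you care about; and the `fixed` bound is exclusive, so a dependency already on the fixed release is not flagged. Over 200 repositories you would run `audit_tree()` against a directory of clones, but the hand-written `DENYLIST` is the weak spot, which is why the replies below point at tools that maintain that data for you.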

Hello,

SonarQube has no feature in the Software Composition Analysis (SCA) domain. We decided to concentrate on our Static Application Security Testing (SAST) feature for the moment.

You should look at what our friends at Snyk or WhiteSource are doing and check the recent webinar we did together on the topic: https://info.snyk.io/demystifying-devsecops

Regards
Alex

Hi,

You might use the free Dependency Check Sonar Plugin; also see https://www.owasp.org/index.php/OWASP_Dependency_Check
Otherwise, if you're using an artefact manager in your build pipelines, they have specific add-ons for your use case:

Both also do license checks.

Gilbert