SonarQube does not use a vulnerability database, but does static analysis to detect vulnerabilities in your code. As a user of CE, what you can do is make sure your analyzers are up to date (Administration > Marketplace). Note that taint analysis (the ability to find some more sophisticated vulnerabilities) is available to users of Developer Edition ($) and above.
Thanks for your knowledge sharing. So I checked out Marketplace and it gave us what we want. So, because our SonarQube resides in a private subnet without internet access, do you know how to manually download those updates to a repo that our internal SonarQube can have access to?