Support Dependency Checks for Known Vulnerabilities

It would be an excellent feature (though I’m sure a big development effort) if SonarCloud could support dependency analysis for known version vulnerabilities. I know some other SaaS services like GitHub have also started getting into this arena, but we would love this feature. It would take the place of the old OWASP Dependency Check plugin.

2 Likes

Hi Rick! Indeed, I agree with you, and this is something we started looking at. I just can’t give you more details about this just now.

@Fabrice_Bellingard Are there any updates on this feature request?

1 Like

No progress on this topic for now. And to be transparent: chances are that we finally won’t be able to do something on that topic this year.

1 Like

Thanks for the heads up!

I also would appreciate this feature, to upload the OWASP Dependency Check report to SonarCloud!

3 Likes

Is there an update on this? It seems that the security checking is a little weak in SonarCloud.

2 Likes

Hello,

On behalf of SonarSource, I can confirm we won’t provide a SCA feature for 2020 on SonarCloud. We would like to concentrate on SAST and on that field I tend to disagree when you are saying “security checking is a little weak”. We provide a good set of security rules (vulnerability or security hotspot) for Java, C#, PHP and Python. JS/TS and C/C++ are in the roadmap for 2020 along with improvements on the frameworks coverage and overall user experience (dedicated space to manage your Security Hotspots).

Alex

Hey guys,

While it’s nice that we want a focused approach on features that are not related to dependency analysis, it’s worth mentioning that a dependency scanner is something that can easily be set up on normal on-premise Sonar distributions, which makes SonarCloud not competitive in that area compared to a free solution, which is hardly ideal.

I come from a rather regulated industry, which means for us that SonarCloud is a no-no until it supports basic Sonar features like the OWASP plugin or the Dependency Check plugin.

I don’t think I am alone in the expectation.

Kind regards.

N.Yo

4 Likes

I would also like to see this feature included in SonarCloud; especially if we are using the paid versions of SonarCloud, it should be made available.

5 Likes

Seems like a massive omission to me…

The crowd is booing but will they hear?

1 Like

@Alexandre_Gigleux @Fabrice_Bellingard Any update on whether a reader for OWASP Dependency Check reports will make it onto the roadmap for 2021?

1 Like

Is this on the Roadmap for Q4 2021 or anytime in future?

1 Like

The SCA topic comes back from time to time at SonarSource. As of now (Sept 2021), there is no plan to provide such a feature in SonarCloud for Q4-2021. If we do something in that field one day, we would like to raise a vulnerability only when:

  • a dependency has a known vulnerability
  • and your code is really using the vulnerable method of the dependency - your code is really at risk

An indication if our code is likely to be exposed to the dependency vulnerability would be great, but I’d still want it flagged even if it didn’t appear to be. Our code could change in the future and make use of the vulnerable dependency codepaths. Obviously that would then get flagged at that point, but if it was flagged earlier we could address it proactively.

1 Like
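The two-condition rule discussed above (a dependency at an affected version, and a call site in your own code that actually reaches the vulnerable symbol), written out as an added example. This is illustration code, not SonarSource's implementation and not the OWASP Dependency Check plugin: the advisory database, the package name `examplelib`, the advisory identifier `EXAMPLE-2021-0001`, the requirements file and the two source files are all constructed for the demo and refer to no real vulnerability. Reachability here is a deliberately simple static check (resolve `import` aliases, then match dotted call names against the advisory's vulnerable symbols); a production SCA engine would do the same thing over a real advisory feed and a real call graph. Both policies from the thread are supported: `scan` returns every affected dependency with a `reachable` flag, and `reachable_only` filters down to the ones SonarSource said they would raise.

```python
"""Added example: minimal SCA check combining a known-vulnerability lookup
with a call-site reachability test. All data below is constructed."""
import ast
import re
from dataclasses import dataclass, field

# Constructed advisory database. Package, id and symbols are hypothetical.
ADVISORIES = [
    {
        "id": "EXAMPLE-2021-0001",          # hypothetical identifier
        "package": "examplelib",            # hypothetical package
        "fixed_in": "2.3.0",                # versions below this are affected
        "vulnerable_symbols": {"load_yaml"},  # safe_load is assumed fine
    },
]

# Constructed inputs: a pinned requirements file and two application modules.
REQUIREMENTS = """
examplelib==2.1.4   # below the fixed version
otherlib==1.0.0
"""
SOURCES = {
    "app/config.py": (
        "import examplelib as ex\n\n"
        "def load(path):\n"
        "    with open(path) as fh:\n"
        "        return ex.load_yaml(fh.read())\n"   # reaches vulnerable symbol
    ),
    "app/util.py": (
        "from examplelib import safe_load\n\n"
        "def load(text):\n"
        "    return safe_load(text)\n"               # uses the safe API only
    ),
}


def parse_version(v):
    """'2.1.4' -> (2, 1, 4) so tuples compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_requirements(text):
    """Collect pinned 'name==version' entries; comments and loose specs are ignored."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9][0-9.]*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


class CallSiteFinder(ast.NodeVisitor):
    """Record the fully-qualified dotted name of every call, resolving import aliases."""

    def __init__(self):
        self.aliases = {}   # local name -> imported dotted name
        self.calls = []     # (resolved dotted name, line number)

    def visit_Import(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = a.name

    def visit_ImportFrom(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = f"{node.module or ''}.{a.name}"

    def visit_Call(self, node):
        name = self._dotted(node.func)
        if name:
            head, _, rest = name.partition(".")
            resolved = self.aliases.get(head, head) + ("." + rest if rest else "")
            self.calls.append((resolved, node.lineno))
        self.generic_visit(node)   # nested calls in arguments are visited too

    def _dotted(self, n):
        if isinstance(n, ast.Name):
            return n.id
        if isinstance(n, ast.Attribute):
            base = self._dotted(n.value)
            return f"{base}.{n.attr}" if base else None
        return None   # calls on call results etc. are out of scope here


@dataclass
class Finding:
    advisory: str
    package: str
    version: str
    call_sites: list = field(default_factory=list)   # (file, symbol, line)

    @property
    def reachable(self):
        return bool(self.call_sites)


def scan(requirements_text, sources, advisories=ADVISORIES):
    """Return one Finding per affected pinned dependency, annotated with call sites."""
    pins = parse_requirements(requirements_text)
    calls = {}
    for fname, code in sources.items():
        finder = CallSiteFinder()
        finder.visit(ast.parse(code))
        calls[fname] = finder.calls
    findings = []
    for adv in advisories:
        ver = pins.get(adv["package"])
        if ver is None or parse_version(ver) >= parse_version(adv["fixed_in"]):
            continue   # not used, or already at a fixed version
        finding = Finding(adv["id"], adv["package"], ver)
        wanted = {f"{adv['package']}.{s}" for s in adv["vulnerable_symbols"]}
        for fname, sites in calls.items():
            for name, line in sites:
                if name in wanted:
                    finding.call_sites.append((fname, name, line))
        findings.append(finding)
    return findings


def reachable_only(findings):
    """The stricter policy from the thread: raise only when a vulnerable symbol is called."""
    return [f for f in findings if f.reachable]


if __name__ == "__main__":
    for f in scan(REQUIREMENTS, SOURCES):
        print(f.advisory, f.package, f.version, "reachable" if f.reachable else "not reached", f.call_sites)
```

Running it reports `EXAMPLE-2021-0001` against `examplelib==2.1.4` as reachable through `app/config.py:5`; drop `app/config.py` from the inputs and the finding is still produced (the version is affected) but `reachable_only` discards it, which is exactly the difference the two posts above disagree about. Bumping the pin to `examplelib==2.3.0` clears the finding under either policy.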

Hi Alexandre,

Is this already available? SonarCloud Website says: YES

From: https://sonarcloud.io/azure-devops

“SonarCloud detects OWASP Top 10 and SANS Top 25 Vulnerabilities, and many others.”

This means for me, SonarCloud is also covering “A06-2021: Vulnerable and Outdated Components” (A06 Vulnerable and Outdated Components - OWASP Top 10:2021)

Hello,

SonarQube and SonarCloud don’t provide any SCA feature out of the box. Some SQ users rely on the OWASP Dependency Check Plugin but this is not supported by us.

We are saying we cover OWASP Top 10 2017 - A09 because at that time, the A09 category was very vague with no explicit CWEs mapped. Today we raise issues for OWASP 2017-09 or OWASP 2021-A09 when you are using functions of the SDKs that contain known vulnerabilities so nothing related to external dependencies.

Alex

You may want to make this more clear on your website. Based on Shurlinga’s comment, when I read “SonarCloud detects OWASP Top 10 and SANS Top 25 Vulnerabilities, and many others.” you assume it is the current version of the OWASP list, not the 2017 list. Where do you specify on your site that you are using the 2017 list? When are you planning to support the 2021 list? We are happy SonarCloud users, but I think you should reconsider the dependency checking, especially since the plugin is available for the hosted version.

2 Likes

I would also like to express the desire to have this functionality added to SonarCloud. The company I work for is currently in a 14-day trial of SonarCloud and it is disappointing that this functionality is not available.

I’m interested in dependency checks as well.

I think it’s rather sad that a company like SonarSource, whose core business is security, doesn’t support such features natively, not even in paid versions of SonarQube. While, on the other hand, companies like JFrog or Sonatype, whose core business is repositories & storage, do provide such vulnerability checks for dependencies.

I’m about to try integrating the OWASP dependency-check project into SQ because I do have a self-hosted instance, but I still do think this feature will become a deal-breaker soon for many users.

Greetings,
Paula

1 Like