Support Dependency Checks for Known Vulnerabilities

Posted https://community.sonarsource.com/t/support-in-sonarcloud-for-sca-tools/62995 before I found this thread.

Similar, but I also want to track outdated dependencies and open source license compliance, since it exists as a plugin for the standalone version.

Best regards


+1 for this feature. We have been using OWASP Dependency-Check for a while and offload the reports to our SonarQube IaaS solution so both the DEV and SEC teams have one dashboard. While looking at SonarCloud, this is one of the two features we require before migrating to the SaaS offering.

My company would love to see this too and it seems like the only option is to use OWASP. We can do a dependency check in other ways but none of them are as clean as having all of our security-category scans in one area.

Google has recently released OSV.DEV, a distributed vulnerability database for OSS providing REST API and CLI capabilities to be compatible with any system.
It would be great if the SonarSource team could consider adding native SonarCloud and SonarQube support for vulnerability checks based on OSV.DEV as a reporting tool for security of OSS dependencies. It would also be great if we could have Quality Gates based on CVE score in all CI/CD processes.

Google Online Security Blog: Launching OSV - Better vulnerability triage for open source (googleblog.com)
Google Online Security Blog: Announcing a unified vulnerability schema for open source (googleblog.com)
Automating and Scaling Vex Generation
Renovate adds OSV database check


Hello from the future!

We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.

Please see this announcement for more details.

From what I understand, SonarQube Advanced Security is only available for SonarQube Server and not SonarQube Cloud. Is this correct?

We plan to launch this on SonarQube Cloud this Fall (September, is what I hear!)
