Support Dependency Checks for Known Vulnerabilities

Posted https://community.sonarsource.com/t/support-in-sonarcloud-for-sca-tools/62995 before I found this thread.

Similar, but I want to track outdated dependencies and open-source license compliance as well, since it exists as a plugin for the standalone version.

Best regards

1 Like

+1 for this feature. We have been using OWASP Dependency-Check for a while and offload the reports to our SonarQube IaaS solution so both the dev and sec teams have one dashboard. While looking at SonarCloud, this is one of the two features we require before migrating to the SaaS offering.

My company would love to see this too and it seems like the only option is to use OWASP. We can do a dependency check in other ways but none of them are as clean as having all of our security-category scans in one area.

Google has recently released OSV.dev, a distributed vulnerability database for OSS providing REST API and CLI capabilities so that it can be integrated with any system.
It would be great if the SonarSource team could consider adding native SonarCloud and SonarQube support for vulnerability checks based on OSV.dev as a reporting tool for security of OSS dependencies. It would also be great if we could have Quality Gates based on CVE score in all CI/CD processes.

Google Online Security Blog: Launching OSV - Better vulnerability triage for open source (googleblog.com)
Google Online Security Blog: Announcing a unified vulnerability schema for open source (googleblog.com)
Automating and Scaling Vex Generation
Renovate adds OSV database check

4 Likes