Support for scanning OSS

Does Sonar have the capability to scan code and find out if we are using any open source software and, if so, what its license is? Similar to what Blackduck / FOSSA do? Are any third-party integrations/plugins possible?

Hi,

Welcome to the community!

That’s Software Composition Analysis (SCA). We do Static Application Security Testing (SAST), which is an examination of the code to find vulnerabilities.

HTH,
Ann
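To make the SCA/SAST distinction above concrete, here is an added example (not SonarSource code and not part of this thread) of what an SCA-style license inventory does: it reads a dependency list rather than the application's own source. It assumes a CycloneDX-format SBOM as input; the SBOM content, the package names and the policy list are constructed sample data.

```python
import json

# Constructed sample: a minimal CycloneDX-style SBOM document (not real project data).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "requests", "version": "2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "readline-lib", "version": "8.2",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "mystery-pkg", "version": "0.1.0", "licenses": []},
    ],
})

# Assumed policy: license families that need review before shipping (example only).
REVIEW_PREFIXES = ("GPL-", "AGPL-", "LGPL-")


def inventory(sbom_json):
    """Return [(name, version, license_ids)] for every component in a CycloneDX JSON string.

    Components with no license entry are reported as 'UNKNOWN' rather than dropped,
    because an unidentified license is itself a finding in an SCA review.
    """
    doc = json.loads(sbom_json)
    rows = []
    for comp in doc.get("components", []):
        ids = []
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            # CycloneDX allows either an SPDX 'id' or a free-form 'name'.
            ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
        rows.append((comp["name"], comp.get("version", "?"), ", ".join(ids) or "UNKNOWN"))
    return rows


def needs_review(rows):
    """Names of components whose license is unknown or matches a review prefix."""
    flagged = []
    for name, _version, licenses in rows:
        if licenses == "UNKNOWN" or licenses.startswith(REVIEW_PREFIXES):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    rows = inventory(SAMPLE_SBOM)
    for name, version, licenses in rows:
        print(f"{name} {version}: {licenses}")
    print("needs review:", needs_review(rows))
```

The point of the example is the input: an SCA tool works from a manifest, lock file or SBOM describing third-party components, whereas SAST (what Sonar does, per the reply above) analyses the project's own source for defects.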

Finding vulnerabilities is one thing; what I need is for Sonar to scan our code and find all open source software and their licenses.

A few of the products that do this are FOSSA and Blackduck.

Hi,

We don’t do SCA.

HTH,
Ann

Hello from the future!

We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.

Please see this announcement for more details.