Support in SonarCloud for SCA tools

Hi,

Posted a few years back about https://community.sonarsource.com/t/interesting-suite-of-plugins-for-componet-analysis-java/13291 .

One problem with moving to SonarCloud is that use cases related to SCA are not covered, but they are supported in standalone SonarQube by plugins.

Many people do need to track vulnerabilities, outdated dependencies and open source license compliance.

Best regards

Hello from the future!

We recently announced SonarQube Advanced Security, which will include SCA capabilities. While it’s not available yet, we expect general availability for SonarQube Server in May 2025, and SonarQube Cloud Enterprise shortly after.

Please see this announcement for more details.


Still missing:

Outdated Components: GitHub - reallyinsane/mathan-dependency-updates-sonar-plugin: Integrates dependency-updates-report into SonarQube

Created dashboards for all repos for a company I worked for 5 years ago.

It provided:

Metrics

The plugin keeps track of the following statistics:

| Metric | Description |
|---|---|
| Dependencies to patch | The number of dependencies with patches available (incremental updates). |
| Dependencies to patch (Ratio) | The ratio of dependencies to patch. |
| Dependencies to upgrade | The number of dependencies with upgrades available (minor and/or major updates). |
| Dependencies to upgrade (Ratio) | The ratio of dependencies to upgrade. |
| Dependencies Total | The total number of dependencies. |
| Patch maintenance | The rating of the patch maintenance (see below). |
| Patches missed | The total number of patches missed. |
| Upgrade maintenance | The rating of the upgrade maintenance (see below). |
| Upgrades missed | The total number of upgrades missed. |

Please note that when computing measures on directory/module/project level, measures for identical dependencies will be included only once. E.g. if a project contains two sub modules having the same dependency, this is included in the measure for each sub module. For the project, the measure will not include the dependency multiple times (once for each sub module) but only once.

Maintenance rating

The maintenance rating is based on the ratio of dependencies with patches/upgrades to the total number of dependencies. The ratios of <=5%, <=10%, <=20%, <=50% and >50% are the guidelines to define the rating. There are slight adaptations for projects with fewer than 50 dependencies.

This metric is not final. For now the rating is calculated the following way.

| Ratings | a | b | c | d | e |
|---|---|---|---|---|---|
| Ratio | <=~5% | <=~10% | <=~20% | <=~50% | >50% |
| 0 - 10 dependencies | 0 | 1 | 2 | 3-5 | >5 |
| 11 - 20 dependencies | 0-1 | 2-3 | 4-5 | 6-10 | >10 |
| 21 - 50 dependencies | 0-2 | 3-5 | 6-10 | 11-25 | >25 |
| 50+ dependencies | 0-5 | 6-10 | 11-20 | 21-50 | >50 |

Best regards
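As an added illustration of how the metrics and the rating table quoted above fit together (this is example code written for this thread, not the plugin's own implementation): the rating bands are encoded as data, a dependency is counted once per module but only once at project level, and the patch/upgrade maintenance ratings are derived from the resulting counts. The Dependency record, the two sample modules and their version flags are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Rating bands from the plugin README: (upper bound of the dependency-count band,
# (max outdated for a, max for b, max for c, max for d)); above d's bound is e.
# None marks the open-ended "50+ dependencies" band.
RATING_BANDS = [
    (10, (0, 1, 2, 5)),
    (20, (1, 3, 5, 10)),
    (50, (2, 5, 10, 25)),
    (None, (5, 10, 20, 50)),
]


def maintenance_rating(total: int, outdated: int) -> str:
    """Map (total dependencies, dependencies with patches/upgrades) to a rating a-e."""
    if total < 0 or outdated < 0 or outdated > total:
        raise ValueError("outdated must be between 0 and total")
    for upper, bounds in RATING_BANDS:
        if upper is None or total <= upper:
            for letter, bound in zip("abcd", bounds):
                if outdated <= bound:
                    return letter
            return "e"
    raise AssertionError("unreachable: last band is open-ended")


@dataclass(frozen=True)
class Dependency:
    """A resolved dependency with flags from a (hypothetical) dependency-updates report."""
    group: str
    artifact: str
    version: str
    patch_available: bool    # an incremental (patch) update exists
    upgrade_available: bool  # a minor or major update exists


def measures(deps) -> dict:
    """Compute the README's metrics for one set of dependencies."""
    deps = list(deps)
    total = len(deps)
    to_patch = sum(d.patch_available for d in deps)
    to_upgrade = sum(d.upgrade_available for d in deps)
    return {
        "total": total,
        "to_patch": to_patch,
        "to_patch_ratio": to_patch / total if total else 0.0,
        "to_upgrade": to_upgrade,
        "to_upgrade_ratio": to_upgrade / total if total else 0.0,
        "patch_maintenance": maintenance_rating(total, to_patch),
        "upgrade_maintenance": maintenance_rating(total, to_upgrade),
    }


def project_measures(modules: dict[str, list[Dependency]]) -> dict:
    """Project level: a dependency shared by several modules is counted only once."""
    unique = {d for deps in modules.values() for d in deps}
    return measures(unique)


# Constructed sample: two modules sharing one outdated dependency.
COMMONS_IO = Dependency("commons-io", "commons-io", "2.6", True, False)
JUNIT = Dependency("junit", "junit", "4.12", False, False)
JACKSON = Dependency("com.fasterxml.jackson.core", "jackson-databind", "2.9.8", False, True)
SPRING_WEB = Dependency("org.springframework", "spring-web", "5.1.0", False, True)

SAMPLE_MODULES = {
    "core": [COMMONS_IO, JACKSON, JUNIT],
    "web": [COMMONS_IO, SPRING_WEB, JUNIT],
}


def sample_report() -> dict:
    """Per-module measures plus the de-duplicated project measure."""
    report = {name: measures(deps) for name, deps in SAMPLE_MODULES.items()}
    report["project"] = project_measures(SAMPLE_MODULES)
    return report


if __name__ == "__main__":
    for scope, m in sample_report().items():
        print(f"{scope:8} total={m['total']} patch={m['to_patch']} ({m['patch_maintenance']}) "
              f"upgrade={m['to_upgrade']} ({m['upgrade_maintenance']})")
```

Running it shows commons-io counted in both module measures but once in the project measure (4 unique dependencies rather than 6), which is exactly the de-duplication the README note describes; the rating then follows the band for the de-duplicated total.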