Technical question about security

I would like to have additional information about how SonarQube works, focusing on vulnerability analysis.
In particular, I don't understand how SonarQube performs this analysis, and whether all the (vulnerability) rules are in an external DB and retrieved to perform the analysis, or whether it works in a completely different manner.

Then I would like to know how the estimates used to compute some metrics, for example the "Security remediation effort", are chosen. I read the documentation and got an idea, but it is not clear what the criteria behind the estimation are. For example, if I define an estimate to compute the time to fix one line of code, is that estimate completely up to me, or is there a mathematical reason?
I have the sense that these questions are coming from an attempt to compare SonarQube with some other tool on an apples-to-apples basis, but I think you’re probably dealing with apples and oranges instead. The introduction to analysis might help.

For remediation effort / Technical Debt estimates, they're just that: estimates. They're the time that we (SonarSource staff) estimate it would take an average developer to handle an issue on an average day. If you find that some of the estimates are off base, please do tell us.
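As an added illustration of the point made in the reply above (this is example code, not code from the thread or from SonarSource), the following Python shows how the per-rule estimate turns into the "Security remediation effort" of a project. It assumes SonarQube's rule model, in which each rule declares a remediation function that is either a constant per issue, linear in a per-issue "gap" reported by the analyzer (for instance the number of lines to change), or linear with an offset, with durations written as strings like "10min", "1h" or "1d2h30min" and an 8-hour working day as the default. The rule keys, issues and JSON-style field names below are constructed for the example; the arithmetic is only base effort + gap × multiplier, and the constants that feed it are the human-chosen estimates the reply describes, not something derived mathematically.

```python
import re
from dataclasses import dataclass
from typing import Optional

HOURS_IN_DAY = 8  # SonarQube's default working day; configurable on the server

# Accepts the "<d>d<h>h<min>min" shape SonarQube uses for efforts, each part optional.
_DURATION_RE = re.compile(r"^\s*(?:(\d+)\s*d)?\s*(?:(\d+)\s*h)?\s*(?:(\d+)\s*min)?\s*$")


def decode_minutes(text: str) -> int:
    """Parse a duration such as '1d2h30min', '10min' or '1h' into minutes."""
    m = _DURATION_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"bad duration: {text!r}")
    days, hours, mins = (int(g) if g else 0 for g in m.groups())
    return (days * HOURS_IN_DAY + hours) * 60 + mins


def format_minutes(total: int) -> str:
    """Inverse of decode_minutes, e.g. 90 -> '1h30min'."""
    days, rem = divmod(total, HOURS_IN_DAY * 60)
    hours, mins = divmod(rem, 60)
    parts = [f"{days}d" if days else "", f"{hours}h" if hours else "", f"{mins}min" if mins else ""]
    return "".join(parts) or "0min"


@dataclass
class RemediationFunction:
    """One rule's declared remediation function (constructed after the rule model)."""
    fn_type: str                            # CONSTANT_ISSUE | LINEAR | LINEAR_OFFSET
    base_effort: Optional[str] = None       # used by CONSTANT_ISSUE and LINEAR_OFFSET
    gap_multiplier: Optional[str] = None    # used by LINEAR and LINEAR_OFFSET

    def effort_minutes(self, gap: Optional[float] = None) -> int:
        base = decode_minutes(self.base_effort) if self.base_effort else 0
        per_gap = decode_minutes(self.gap_multiplier) if self.gap_multiplier else 0
        if self.fn_type == "CONSTANT_ISSUE":
            return base
        if self.fn_type in ("LINEAR", "LINEAR_OFFSET"):
            # Simplification for the example: a linear rule without a reported gap is an error.
            if gap is None:
                raise ValueError(f"{self.fn_type} function needs a gap")
            return (base if self.fn_type == "LINEAR_OFFSET" else 0) + round(gap * per_gap)
        raise ValueError(f"unknown remediation function type {self.fn_type!r}")


# Constructed rules, styled after the fields api/rules/search returns. The estimates are
# simply the numbers someone wrote into the rule definition.
RULES = {
    "example:hardcoded-credential": {"type": "VULNERABILITY", "remFnType": "CONSTANT_ISSUE",
                                     "remFnBaseEffort": "30min"},
    "example:sql-concat": {"type": "VULNERABILITY", "remFnType": "LINEAR",
                           "remFnGapMultiplier": "10min",
                           "gapDescription": "number of concatenated SQL operands"},
    "example:unused-import": {"type": "CODE_SMELL", "remFnType": "CONSTANT_ISSUE",
                              "remFnBaseEffort": "2min"},
}

# Constructed issues as an analyzer would report them: rule key plus optional gap.
ISSUES = [
    {"rule": "example:hardcoded-credential"},
    {"rule": "example:hardcoded-credential"},
    {"rule": "example:sql-concat", "gap": 3},
    {"rule": "example:unused-import"},
]


def issue_effort(issue: dict, rules: dict) -> int:
    r = rules[issue["rule"]]
    fn = RemediationFunction(r["remFnType"], r.get("remFnBaseEffort"), r.get("remFnGapMultiplier"))
    return fn.effort_minutes(issue.get("gap"))


def security_remediation_effort(issues: list, rules: dict) -> int:
    """Total minutes over VULNERABILITY issues only, i.e. the security remediation effort."""
    return sum(issue_effort(i, rules) for i in issues
               if rules[i["rule"]]["type"] == "VULNERABILITY")


if __name__ == "__main__":
    for issue in ISSUES:
        print(issue["rule"], format_minutes(issue_effort(issue, RULES)))
    print("security remediation effort:", format_minutes(security_remediation_effort(ISSUES, RULES)))
```

The only place a "per line" figure exists is the gap multiplier of a linear rule: whoever declares the rule picks that constant, and the analyzer decides what the gap counts, so changing either changes the reported effort with no other justification needed.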