Hi

I would like to have additional informations about sonarqube working but focusing on vulnerabilities analysis.

In particular i don’t understand how sonarqube performs these analysis and if all the rules (of vulnerabilities) are on an external DB and are retrieved to perform the analysis or it works in a completely different manner.

Then i would like to know how are chosen the estimations to compute some metrics like for example the “Security remediation effort”. I read the documentation and i got an idea, but it is not clear which is the criteria behind the estimation. For example if i define an estimantion to compute the time to fix one line of code, that estimation is completely up to me or there is a mathematical reason?

Thanks