Introduction to SonarQube Advanced Security
Coming soon: The features related to this documentation are under development and will soon become available for SonarQube Cloud. The contents on this page may vary from the final, released version.
Advanced Security is available in SonarQube Cloud as an add-on starting in the Enterprise Plan.
Overview
SonarQube Advanced Security is an Enterprise add-on that extends SonarQube’s capabilities by offering deeper security analysis and compliance-focused features such as Software Composition Analysis (SCA) and advanced SAST.
Designed for organizations that require enterprise-grade application security, it helps developers detect vulnerabilities and risks in open source code early in the software development lifecycle.
Advanced Security is built on top of SonarQube core security features such as:
- SAST: Analyzes source code to detect vulnerabilities, security hotspots, and flaws.
- Taint Analysis: Tracks untrusted user input with data flow analysis across functions and files to find injection and other vulnerabilities.
- Secrets Detection: Identifies hardcoded secrets in code repositories.
- IaC Scanning: Detects misconfigurations and security issues in your infrastructure definitions.
It also builds on features that are already part of the Enterprise Plan:
- Security Engine Custom Configuration: Fine tune security engine settings for enterprise needs.
- Security Reports: Comprehensive security reports such as PCI DSS, OWASP Top 10, CWE Top 25, STIG, and CASA.
Software Composition Analysis (SCA)
SonarQube Cloud can identify your open source dependencies and discover issues with them, ensuring security and compliance.
- Vulnerability identification: Tracking, managing, and mitigating third-party vulnerabilities, including Common Vulnerabilities and Exposures (CVE).
- License management: Checking dependency licenses against your organization’s policies for allowed software licenses.
- Software Bills of Materials (SBOM): Inventories that help understand, manage, and report on the composition of the code.
The analysis results appear in the Dependency Risks and Dependencies sections of projects, applications, and portfolios. The location of the Dependencies tab differs between projects and portfolios.
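To make the three SCA activities above concrete, here is an added example (not Sonar's code and not its data format) of the pipeline they describe: inventory the resolved dependencies from a lockfile, match each against an advisory feed by version range, check its license against an allowlist, and emit a minimal CycloneDX-style SBOM. The lockfile, the advisories (placeholder identifiers, not real CVEs), and the license policy are all constructed inline.

```python
import json
import re

# Constructed sample lockfile for a hypothetical project (not a real project's file).
# Each resolved dependency carries its version and the license declared in its metadata.
SAMPLE_LOCK = json.dumps({
    "dependencies": {
        "left-pad-ish": {"version": "1.2.3", "license": "MIT"},
        "fast-parse": {"version": "0.9.1", "license": "GPL-3.0-only"},
        "json-tools": {"version": "4.0.0", "license": "Apache-2.0"},
    }
})

# Constructed advisory feed with placeholder identifiers (no real CVE numbers).
# A range is a comma-separated list of clauses that must all hold, e.g. ">=3.0.0,<4.0.0".
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "fast-parse", "range": "<1.0.0", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "package": "json-tools", "range": ">=3.0.0,<4.0.0", "severity": "medium"},
]

# Assumed license policy: licenses the organization permits in shipped software.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}
_CLAUSE = re.compile(r"(<=|>=|==|<|>)(\d+(?:\.\d+)*)")


def parse_version(version):
    """Turn '1.2.3' into (1, 2, 3) so that tuple comparison orders versions numerically."""
    return tuple(int(part) for part in version.split("."))


def in_range(version, spec):
    """True if the version satisfies every clause of the advisory's vulnerable range."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def analyze(lock_json, advisories, allowed_licenses):
    """Inventory dependencies, then match them against advisories and a license policy.

    Returns (sbom, vulnerabilities, license_issues). The SBOM uses a minimal
    CycloneDX-style layout (bomFormat / specVersion / components).
    """
    deps = json.loads(lock_json)["dependencies"]
    components, vulnerabilities, license_issues = [], [], []
    for name, info in sorted(deps.items()):
        version, license_id = info["version"], info["license"]
        components.append({"type": "library", "name": name, "version": version,
                           "licenses": [{"license": {"id": license_id}}]})
        for adv in advisories:
            if adv["package"] == name and in_range(version, adv["range"]):
                vulnerabilities.append({"id": adv["id"], "package": name,
                                        "version": version, "severity": adv["severity"]})
        if license_id not in allowed_licenses:
            license_issues.append({"package": name, "license": license_id})
    sbom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": components}
    return sbom, vulnerabilities, license_issues


if __name__ == "__main__":
    sbom, vulns, lic = analyze(SAMPLE_LOCK, SAMPLE_ADVISORIES, ALLOWED_LICENSES)
    print(json.dumps(sbom, indent=2))
    for v in vulns:
        print(f"dependency risk: {v['package']}@{v['version']} matches {v['id']} ({v['severity']})")
    for issue in lic:
        print(f"license policy violation: {issue['package']} is {issue['license']}")
```

The version comparison is deliberately simple (numeric dotted versions only); real ecosystems add pre-release tags and ecosystem-specific ordering rules, which is one reason a production SCA tool keeps per-package-manager version logic rather than a single comparator.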
Supported platforms
Dependency analysis is currently available for the following languages and package managers:
- JavaScript/TypeScript (npm, yarn, pnpm, bun)
- Java, Kotlin, Scala (Maven, Gradle)
- Python (pip, poetry, pipenv)
- C# / .NET (nuget)
- Go
- Ruby (bundler)
- Rust (Cargo)
- PHP
Data sources
Sonar uses the following sources of vulnerability data:
The Sonar service accesses these sites regularly to get the latest updates, and supplements them with manual research as well as insights from open source maintainers.
Sonar uses license data from upstream package managers and source repositories, and supplements it with manual research as well as insights from open source maintainers.
Advanced SAST
SonarQube Cloud is a Static Application Security Testing (SAST) tool. It examines your project's source code, without executing it, allowing you to find vulnerabilities before they enter your codebase.
The categories of issue types detected through SAST include SQL injection, cross-site scripting, deserialization, secret detection, and more. See Security related rules for more information.
Advanced SAST extends code analysis and scanning to the otherwise unknown code of your open-source dependencies. It helps you identify deeper and more complex vulnerabilities that arise from the interaction of your application code with that third-party (open-source) code.
Advanced SAST is available for the following languages:
- JavaScript/TypeScript
- Java
- C# / .NET
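The following added example illustrates two ideas from this page, taint analysis tracking untrusted input across function boundaries and Advanced SAST extending that tracking into dependency code. It is a toy analysis over a small constructed intermediate representation, not Sonar's engine, and the application and dependency snippets (hypothetical names such as dep_escape and dep_run_query) are constructed for the demonstration. Running it with the application code alone shows both a false positive (a dependency's sanitizer is opaque, so its result is conservatively treated as tainted) and a miss (a sink inside the dependency is never visited); adding the dependency code resolves both.

```python
# Toy interprocedural taint analysis over a small constructed IR. Each function has
# parameters and a list of statements; the analysis tracks a "tainted" flag per variable.
SOURCE, ASSIGN, CALL, SINK, SANITIZE, RETURN = (
    "source", "assign", "call", "sink", "sanitize", "return")

# Constructed application code: reads an untrusted id, passes it through a dependency's
# escaping helper before one sink, and hands the raw value to a dependency's query helper.
APP_CODE = {
    "handler": {"params": [], "body": [
        (SOURCE, "user_id"),                            # user_id <- untrusted request input
        (CALL, "safe_id", "dep_escape", ["user_id"]),   # safe_id = dep_escape(user_id)
        (SINK, "safe_id"),                              # safe_id used in a query
        (ASSIGN, "raw", "user_id"),
        (CALL, "_", "dep_run_query", ["raw"]),          # query is built inside the dependency
    ]},
}

# Constructed third-party code (hypothetical names): one helper sanitizes its input, the
# other contains a sink of its own that application-only analysis never sees.
DEP_CODE = {
    "dep_escape": {"params": ["s"], "body": [(SANITIZE, "s"), (RETURN, "s")]},
    "dep_run_query": {"params": ["sql"], "body": [(SINK, "sql")]},
}

MAX_DEPTH = 20  # recursion guard for deep or cyclic call chains


def run(program, fn, arg_taint, findings, path=(), depth=0):
    """Abstractly execute fn with the given argument taint; return the taint of its result."""
    if fn not in program or depth > MAX_DEPTH:
        # Callee code is not available (e.g. a dependency that is not analyzed): without a
        # model we conservatively assume its result carries any taint found in its arguments.
        return any(arg_taint)
    spec = program[fn]
    env = dict(zip(spec["params"], arg_taint))
    path = path + (fn,)
    ret = False
    for stmt in spec["body"]:
        op = stmt[0]
        if op == SOURCE:
            env[stmt[1]] = True
        elif op == ASSIGN:
            env[stmt[1]] = env.get(stmt[2], False)
        elif op == SANITIZE:
            env[stmt[1]] = False
        elif op == CALL:
            _, dst, callee, args = stmt
            env[dst] = run(program, callee, [env.get(a, False) for a in args],
                           findings, path, depth + 1)
        elif op == SINK:
            if env.get(stmt[1], False):
                findings.append((path, stmt[1]))
        elif op == RETURN:
            ret = env.get(stmt[1], False)
    return ret


def find_flows(program):
    """Report (call path, variable) pairs where tainted data reaches a sink.

    Functions without parameters are treated as entry points.
    """
    findings = []
    for fn, spec in program.items():
        if not spec["params"]:
            run(program, fn, [], findings)
    return findings


if __name__ == "__main__":
    print("application code only:", find_flows(APP_CODE))
    print("application + dependency code:", find_flows({**APP_CODE, **DEP_CODE}))
```

The reported call path is what makes the second run useful to a developer: the sink sits in dep_run_query, but the fix belongs in handler, which is where the untrusted value enters the call. A real engine replaces the conservative "unknown callee" rule with curated models for common libraries and, where it can analyze the dependency source, with the actual flow, which is the gap Advanced SAST addresses.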