On the 15th of September, 2025, Sonar finally released the long-awaited Software Composition Analysis (SCA) to SonarQube Advanced Security for SonarQube Cloud!
Software Composition Analysis (SCA) is an (ideally fully automated) process that analyzes a software codebase to identify the open-source software and components embedded in it. The detected dependencies form the basis for the features that SCA tools typically offer:
- Detection of known security vulnerabilities, based on data from Common Vulnerabilities and Exposures (CVE) databases
- Detection of license violations, to avoid the legal, compliance and business risks introduced by incompatible licenses
- Creation of a Software Bill of Materials (SBOM), to gain visibility into the software supply chain
For a comprehensive overview of SonarQube Advanced Security features, check out the official blog post announcing the release.
Let’s now take a look at how the above features have been implemented in SonarQube Cloud.
IMPORTANT NOTES
SonarQube Advanced Security for SonarQube Cloud requires the SonarQube Cloud Enterprise plan!
I had the opportunity to use the features in the preview version. I was impressed not only by how easy it was to use, but also by the predefined licensing policies.
Dependency Risks
If activated, there is a new tab in SonarQube Cloud called Dependency Risks, which shows the dependencies that are not compliant with the license profile you selected.

The super cool thing is that SonarQube Cloud provides a number of predefined licensing profiles, such as Permissive open-source licenses, which make life easier.
Inventory > Dependencies
Here you can find a list of all dependencies of your source code, including transitive dependencies, and export that list to a standardized SBOM format: CycloneDX (JSON or XML) or SPDX 2.3 (JSON or XML).

SonarQube Cloud can analyze the dependencies of multiple tech stacks in one build setup, without having to configure a separate setup for each stack.
In addition to all the positive aspects, I see the incomplete license classification in particular as an area in need of improvement. Apart from that, it’s one of the best solutions I’ve seen so far. Well done!
UPDATE 29.10.2025
After closer examination, I must revise my statement regarding incomplete license classification. Non-standard licenses – licenses not covered by SPDX – are intentionally prefixed with LicenseRef-, which led to confusion on my side. Maybe something to improve from a usability perspective, to make it more obvious.
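As an added example (not SonarQube code, and not part of the original post), here is a small Python script that reads the kind of CycloneDX JSON the Inventory > Dependencies export produces and checks each component against a license allow-list. The allow-list, the component names and the SBOM itself are constructed for illustration. LicenseRef- identifiers get their own bucket, because that is the SPDX convention for licenses not on the SPDX license list; a policy written in terms of SPDX ids should neither silently pass nor silently fail them.

```python
"""Audit a CycloneDX JSON SBOM against a license allow-list.

Added example for this post, not SonarQube code. The allow-list below is a
hypothetical 'permissive' policy and the SBOM is a constructed sample that
mimics the CycloneDX JSON layout SonarQube Cloud can export.
"""
import json
from typing import Dict, List, Set

# Hypothetical permissive policy: SPDX identifiers the organisation accepts.
PERMISSIVE_LICENSES: Set[str] = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Constructed sample SBOM (CycloneDX 1.5 JSON). Components carry either a
# single SPDX id, an SPDX expression, a LicenseRef- id, or no license at all.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "purl": "pkg:pypi/requests@2.32.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "readline", "version": "8.2",
         "purl": "pkg:generic/readline@8.2",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "internal-lib", "version": "1.0.0",
         "purl": "pkg:maven/com.example/internal-lib@1.0.0",
         "licenses": [{"license": {"id": "LicenseRef-Example-Proprietary"}}]},
        {"type": "library", "name": "mystery", "version": "0.1",
         "purl": "pkg:npm/mystery@0.1"},
        {"type": "library", "name": "dual", "version": "2.0",
         "purl": "pkg:npm/dual@2.0",
         "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
        {"type": "library", "name": "bundle", "version": "1.1",
         "purl": "pkg:npm/bundle@1.1",
         "licenses": [{"expression": "MIT AND LGPL-2.1-only"}]},
    ],
})


def component_licenses(component: dict) -> List[str]:
    """Collect the license ids, names or expressions declared on one component."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name", ""))
    return [x for x in found if x]


def license_allowed(expr: str, allowed: Set[str]) -> bool:
    """Evaluate a flat SPDX expression (no parentheses): an OR alternative
    passes if every id it ANDs together is on the allow-list."""
    return any(
        all(part.strip() in allowed for part in alternative.split(" AND "))
        for alternative in expr.split(" OR ")
    )


def classify(component: dict, allowed: Set[str]) -> str:
    """Map one component to a policy bucket."""
    licenses = component_licenses(component)
    if not licenses:
        return "unknown"        # nothing declared: needs manual review
    if any("LicenseRef-" in lic for lic in licenses):
        return "non-spdx"       # SPDX prefix for licenses not on the SPDX list
    if all(license_allowed(lic, allowed) for lic in licenses):
        return "allowed"
    return "prohibited"


def audit_sbom(sbom_json: str, allowed: Set[str]) -> Dict[str, List[str]]:
    """Group component purls by policy bucket, preserving SBOM order."""
    sbom = json.loads(sbom_json)
    buckets: Dict[str, List[str]] = {"allowed": [], "prohibited": [], "non-spdx": [], "unknown": []}
    for component in sbom.get("components", []):
        buckets[classify(component, allowed)].append(component.get("purl") or component["name"])
    return buckets


if __name__ == "__main__":
    for bucket, purls in audit_sbom(SAMPLE_SBOM, PERMISSIVE_LICENSES).items():
        print(f"{bucket:>10}: {', '.join(purls) or '-'}")
```

Two design choices matter in practice: "unknown" (no license declared) and "non-spdx" are reported separately from "prohibited" so that a reviewer sees what the policy could not decide, rather than a false pass or a false failure; and the expression evaluator only handles flat `OR`/`AND` combinations, so parenthesised SPDX expressions would need a real parser (or the license profile evaluation SonarQube Cloud already does for you).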