
Using SonarQube, can I get an alert when there is a CVE on a dependency? I track software quality on SonarQube and I have read about the Dependency-Check integration. But it seems quite different from the Dependency-Track platform, where notifications can be triggered when a CVE affects a previous release.

Are CVE notifications on older releases available in SonarQube (with or without plugins)?

Jean

1 Answer


Usually CVEs affect old releases of open-source libraries because, if a library is actively developed, its authors release a new fixed version before the CVE is disclosed.

A tool like Dependency-Check examines the dependencies of your application and reports CVEs even (let's say especially!) if the "CVE affects a previous release", as you say.

I use it as a Maven plugin and, apart from false positives, it does a great job.

Pino
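As an added example (not part of the answer above, and not the project's own configuration), here is the kind of pom.xml fragment the answer refers to: the OWASP dependency-check-maven plugin wired into the build so that it fails when a dependency carries a CVE at or above a CVSS threshold, writes an HTML and a JSON report, and keeps a suppression file for the false positives the answer mentions. The plugin version, the suppression file name, the CVSS threshold and the two sonar.dependencyCheck.* properties (read by the separate dependency-check SonarQube plugin, not by SonarQube itself) are assumptions for this illustration; check them against the releases you actually use.

```xml
<!-- Added example: dependency-check-maven bound to the verify phase.
     Version, threshold, file names and sonar.* properties are assumptions. -->
<project>
  <properties>
    <!-- Assumed property names of the dependency-check SonarQube plugin,
         pointing at the reports generated below -->
    <sonar.dependencyCheck.jsonReportPath>${project.build.directory}/dependency-check-report.json</sonar.dependencyCheck.jsonReportPath>
    <sonar.dependencyCheck.htmlReportPath>${project.build.directory}/dependency-check-report.html</sonar.dependencyCheck.htmlReportPath>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- Assumed version; replace with the current release -->
        <version>9.0.9</version>
        <configuration>
          <!-- Fail the build (the "alert") when any dependency has a
               vulnerability with CVSS >= 7, regardless of how old the
               affected release is -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
          <!-- HTML for humans, JSON for the SonarQube plugin -->
          <formats>
            <format>HTML</format>
            <format>JSON</format>
          </formats>
          <!-- Assumed file name: reviewed false positives live here so
               they stop failing the build without hiding new findings -->
          <suppressionFiles>
            <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
          </suppressionFiles>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Run `mvn verify` to scan; a CVE on any resolved dependency, including one published long after that dependency version shipped, breaks the build and shows up in the report, which is the behaviour the answer describes. Keep the suppression file under review: each entry should name the CVE and the reason it does not apply, otherwise it becomes a silent allow-list.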