diff --git a/sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java b/sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java
index 449c272c8df..6a904f15ee5 100644
--- a/sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java
+++ b/sonar-plugin-api-impl/src/main/java/org/sonar/api/batch/sensor/issue/internal/DefaultExternalIssue.java
@@ -44,6 +44,7 @@ public class DefaultExternalIssue extends AbstractDefaultIssue<DefaultExternalIs
   private RuleType type;
   private String engineId;
   private String ruleId;
+  private String cveId;
   private Map<SoftwareQuality, org.sonar.api.issue.impact.Severity> impacts = new EnumMap<>(SoftwareQuality.class);
   private CleanCodeAttribute cleanCodeAttribute;
 
@@ -84,6 +85,10 @@ public class DefaultExternalIssue extends AbstractDefaultIssue<DefaultExternalIs
     return ruleId;
   }
 
+  public String cveId() {
+    return cveId;
+  }
+
   @Override
   public Severity severity() {
     return this.severity;
@@ -131,6 +136,11 @@ public class DefaultExternalIssue extends AbstractDefaultIssue<DefaultExternalIs
     return this;
   }
 
+  public NewExternalIssue cveId(String cveId) {
+    this.cveId = cveId;
+    return this;
+  }
+
   @Override
   public DefaultExternalIssue forRule(RuleKey ruleKey) {
     this.engineId = ruleKey.repository();
diff --git a/sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java b/sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java
index 66329f4e6ac..d09209bb2c7 100644
--- a/sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java
+++ b/sonar-scanner-engine/src/main/java/org/sonar/scanner/issue/IssuePublisher.java
@@ -37,6 +37,7 @@ import org.sonar.api.batch.sensor.issue.Issue;
 import org.sonar.api.batch.sensor.issue.Issue.Flow;
 import org.sonar.api.batch.sensor.issue.MessageFormatting;
 import org.sonar.api.batch.sensor.issue.NewIssue.FlowType;
+import org.sonar.api.batch.sensor.issue.internal.DefaultExternalIssue;
 import org.sonar.api.batch.sensor.issue.internal.DefaultIssueFlow;
 import org.sonar.api.issue.impact.SoftwareQuality;
 import org.sonar.api.rules.CleanCodeAttribute;
@@ -88,9 +89,9 @@ public class IssuePublisher {
   private static boolean noSonar(DefaultInputComponent inputComponent, Issue issue) {
     TextRange textRange = issue.primaryLocation().textRange();
     return inputComponent.isFile()
-           && textRange != null
-           && ((DefaultInputFile) inputComponent).hasNoSonarAt(textRange.start().line())
-           && !StringUtils.containsIgnoreCase(issue.ruleKey().rule(), "nosonar");
+      && textRange != null
+      && ((DefaultInputFile) inputComponent).hasNoSonarAt(textRange.start().line())
+      && !StringUtils.containsIgnoreCase(issue.ruleKey().rule(), "nosonar");
   }
 
   public void initAndAddExternalIssue(ExternalIssue issue) {
@@ -176,7 +177,11 @@ public class IssuePublisher {
     locationBuilder.setComponentRef(componentRef);
     TextRange primaryTextRange = issue.primaryLocation().textRange();
 
-    //nullable fields
+    // nullable fields
+    var cveId = ((DefaultExternalIssue) issue).cveId();
+    if (cveId != null) {
+      builder.setCveId(cveId);
+    }
     CleanCodeAttribute cleanCodeAttribute = issue.cleanCodeAttribute();
     if (cleanCodeAttribute != null) {
       builder.setCleanCodeAttribute(cleanCodeAttribute.name());
diff --git a/sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java b/sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java
index e3f282977fa..5751aada0f8 100644
--- a/sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java
+++ b/sonar-scanner-engine/src/testFixtures/java/org/sonar/scanner/mediumtest/AnalysisResult.java
@@ -199,6 +199,10 @@ public class AnalysisResult implements AnalysisObserver {
     return readFromReport(ScannerReportReader::readAdHocRules);
   }
 
+  public List<ScannerReport.Cve> cves() {
+    return readFromReport(ScannerReportReader::readCves);
+  }
+
   @NotNull
   private <G> List<G> readFromReport(InputComponent component, BiFunction<ScannerReportReader, Integer, CloseableIterator<G>> readerMethod) {
     int ref = ((DefaultInputComponent) component).scannerId();
diff --git a/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto b/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto
index fddf8881f31..0a3fa17c4ee 100644
--- a/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto
+++ b/sonar-scanner-protocol/src/main/protobuf/scanner_report.proto
@@ -216,7 +216,7 @@ message ExternalIssue {
   repeated MessageFormatting msgFormatting = 9;
   repeated Impact impacts = 10;
   optional string cleanCodeAttribute = 11;
-
+  optional string cve_id = 12;
 }
 
 message AdHocRule {
@@ -234,8 +234,8 @@ message Cve {
   string cve_id = 1;
   string description = 2;
   float cvss_score = 3;
-  float epss_score = 4;
-  float epss_percentile = 5;
+  optional float epss_score = 4;
+  optional float epss_percentile = 5;
   int64 published_date = 6;
   int64 last_modified_date = 7;
   repeated string cwe = 8;