which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
Developer Edition Version 8.9.6 (build 50800)
what are you trying to achieve
Our internal security team has found vulnerability with apache-commons-text library. We checked and found SQ is also using that library with version 1.8
So we want to know if we should ignore this or there is a mitigation recommended from SonarQube.
Library was found in below location:
I understand that SonarQube is not vulnerable to CVE-2022-42889, but it is planned a new version with the last commons-text jar ? I’m using 8.9 LTS, and unfortunately our Global security team has stringent policy about vulnarabilities. They expect the software to use non-vulnerable files.
thank you for your tips. The version 9.8 or the next 9.9 LTS will solve the CVE-2022-42889 ? The commons-text jar is the last version ?
I don’t understand why 8.9 LTS it’s not update with the last version of jar commons-text . Normaly LTS meaning that software was supported for issues and bugs.
We just upgraded to the latest 9.8 version (EE) and
Our enterprise vulnerability scans still pick up on CVE-2022-42889.
In previous forum discussions it seems that this vulnerability does not affect sonarqube, but we have strict rules that vulnerable files cannot be used. It was also said manual patch is not recommended. In some replies I thought it was implied that the use of these vulnerabile files would be fixed in 9.8 or 9.9. Can I get a confirmation or an update on the progress for this?
SQ 9.8 was shipped with commons-text 1.10.0, which patches CVE-2022-42889.
Which scanner did you use? Can you provide more details about your finding (e.g. on what path(s) this vulnerability was found)?