Can we delete log4j jars from SonarQube 7.5 and proceed to run / use SonarQube?

Hi All,

Please find my comments inline; could you help me find a solution for the scenario/possibility below?

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Version number: SonarQube 7.5

  • what are you trying to achieve
    Will we be able to delete log4j jars from SonarQube 7.5 and proceed to run / use SonarQube?

    In the SonarQube 7.5 folder, log4j libraries are available in the paths mentioned below:
    \sonarqube-7.5\lib\common
    \sonarqube-7.5\elasticsearch\lib\

  • what have you tried so far to achieve this
    We want to overcome log4j vulnerability
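As an added, defender-side check that is not part of this thread: before touching anything, inventory which log4j JARs are actually present under the install (the two paths listed above) and what their manifests report. The directory tree, JAR names and version strings below are constructed samples, not the real SonarQube 7.5 layout.

```python
"""Inventory log4j JARs under a SonarQube install and read their manifest versions."""
import os
import tempfile
import zipfile
from pathlib import Path


def log4j_inventory(install_dir):
    """Return {relative jar path: Implementation-Version} for every log4j*.jar found."""
    found = {}
    for jar in Path(install_dir).rglob("log4j*.jar"):
        version = "unknown"  # reported when the jar has no readable manifest
        try:
            with zipfile.ZipFile(jar) as zf:
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
        except (zipfile.BadZipFile, KeyError):
            pass  # not a zip, or no manifest entry: keep "unknown"
        rel = str(jar.relative_to(install_dir)).replace(os.sep, "/")
        found[rel] = version
    return dict(sorted(found.items()))


def make_sample_install(root):
    """Build a constructed SonarQube-like tree; names and versions are sample data."""
    samples = {
        "lib/common/log4j-core-SAMPLE.jar": "x.y.z-constructed",
        "elasticsearch/lib/log4j-api-SAMPLE.jar": "x.y.z-constructed",
        "lib/common/unrelated-library-SAMPLE.jar": "1.0-constructed",  # must be ignored
    }
    for rel, ver in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")
    return root


def demo():
    """Run the inventory over the constructed tree and return its result."""
    with tempfile.TemporaryDirectory() as tmp:
        return log4j_inventory(make_sample_install(tmp))


if __name__ == "__main__":
    for rel, ver in demo().items():
        print(f"{rel}: {ver}")
```

Point it at a real install directory with `log4j_inventory("/path/to/sonarqube-7.5")` to see every log4j JAR the server and its bundled Elasticsearch actually load.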

Hi @ars_Suresh ,

Welcome to the community! Your version of SonarQube is way out of date, and log4j is likely not the only vulnerability in there. Rather than butchering your SonarQube install by removing libraries I’d recommend updating to a supported version, where the log4j issue is fixed properly.

Your upgrade path is 7.5 → 7.9.6 LTS → 8.9.6 LTS → (optional) 9.2.4

Thanks @cba for your kind reply.

Our project is limited to Java 8. Could you please provide a solution/suggestion to overcome the log4j vulnerability with the currently installed SonarQube version 7.5 (without upgrading)?

Hi @ars_Suresh ,

You won’t be able to fix the log4j issue with the 7.5 version, but you can analyze Java 8 code with SonarQube versions 8 and 9 with no issues.

There are a few forum threads that explain this a bit (I’ve seen lots more):

https://community.sonarsource.com/search?q=java%208

And the documentation speaks to that as well:
https://docs.sonarqube.org/latest/analysis/languages/java/#header-2