CVE-2021-43616 in sonar-scanner

  • Sonar Scanner 4.7.0.2747
  • What are you trying to achieve: scan the image cleanly with Twistlock (or any other CVE ‘finder’)

The latest version of Sonar Scanner is affected by CVE-2021-43616, which is a critical vulnerability in npm that is fixed in versions 8.10.0-r0 and higher.

I couldn’t find a specific reference to an npm version, but I did see node 10 referenced in the Dockerfile.

EDIT: Looks like someone opened an issue on the GitHub repo, which I failed to find before posting here.
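Before escalating a scanner hit like this one, it is worth confirming which npm the image actually ships and how that version sits relative to the fix version the report cites. The script below is an added example, not code from the thread or from SonarSource: it strips the Alpine-style `-rN` package revision from a version string, compares the remaining semver against the 8.10.0 threshold the reporter names, and can pull the version straight out of a container. The image name `sonarsource/sonar-scanner-cli`, the assumption that the `-r0` suffix is an Alpine package revision, and the helper function names are all my assumptions, not anything stated on the page.

```shell
#!/bin/sh
# Added example; not part of the original forum post and not SonarSource code.

# npm_version_is_fixed VERSION
# Returns 0 (true) when VERSION is >= 8.10.0, the fix version the reporter cites,
# 1 when it is lower, and 2 when the string is not a version at all (e.g. "none").
# Assumption: a trailing "-rN" is an Alpine package revision and carries no
# upstream meaning, so it is dropped before comparing.
npm_version_is_fixed() {
    v="${1%%-*}"              # 8.10.0-r0 -> 8.10.0
    v="${v#v}"                # tolerate a leading "v" (v9.0.1 -> 9.0.1)
    case "$v" in
        *[!0-9.]*|"") return 2 ;;   # not a dotted numeric version
    esac
    case "$v" in
        *.*) major="${v%%.*}"; rest="${v#*.}" ;;
        *)   major="$v";       rest="" ;;
    esac
    case "$rest" in
        *.*) minor="${rest%%.*}"; patch="${rest#*.}"; patch="${patch%%.*}" ;;
        "")  minor=0; patch=0 ;;
        *)   minor="$rest"; patch=0 ;;
    esac
    fmajor=8; fminor=10; fpatch=0   # threshold from the report: fixed in 8.10.0 and higher
    [ "$major" -gt "$fmajor" ] && return 0
    [ "$major" -lt "$fmajor" ] && return 1
    [ "$minor" -gt "$fminor" ] && return 0
    [ "$minor" -lt "$fminor" ] && return 1
    [ "$patch" -ge "$fpatch" ]
}

# image_npm_version [IMAGE]
# Prints the npm version found inside IMAGE, or "none" if npm is absent.
# Needs docker and network access; the default image name is an assumption.
image_npm_version() {
    docker run --rm --entrypoint sh "${1:-sonarsource/sonar-scanner-cli}" \
        -c 'npm --version 2>/dev/null || echo none'
}

# report_version VERSION: one-line verdict for a version string.
report_version() {
    if npm_version_is_fixed "$1"; then
        echo "$1: at or above 8.10.0, should not trip the CVE-2021-43616 rule"
    elif [ $? -eq 2 ]; then
        echo "$1: no npm version found (npm not present or not on PATH)"
    else
        echo "$1: below 8.10.0, will be flagged by a version-matching scanner"
    fi
}

# Demo on constructed version strings (no container needed).
for ver in 6.14.15-r0 8.9.4 8.10.0-r0 v9.0.1 none; do
    report_version "$ver"
done
```

To check a real image rather than the constructed strings, run `report_version "$(image_npm_version)"`, optionally passing a different image tag to `image_npm_version`. Note that a version-matching scanner such as Twistlock will keep flagging the package for as long as it is installed, whatever the code path in the image actually uses, so the only way to make the report go away is to upgrade or remove npm, which is what the vendor reply below chooses.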

Hey there.

Thanks for the report. We don’t consider that we’re vulnerable. Nevertheless, we will remove npm from the next release.

https://jira.sonarsource.com/browse/DOCKER-69

In the future, please follow this guide on responsible vulnerability disclosure: