CVE-2021-43616 in sonar-scanner

  • Sonar Scanner
  • What are you trying to achieve: scan the image cleanly with Twistlock (or any other CVE ‘finder’)

The latest version of Sonar Scanner is affected by CVE-2021-43616, which is a critical vulnerability in npm that is fixed in versions 8.10.0-r0 and higher.

I couldn’t find a specific reference to an npm version, but I did see node 10 referenced in the Dockerfile.

EDIT: Looks like someone opened an issue on the GitHub repo, which I failed to find before posting here.

Hey there.

Thanks for the report. We don’t consider that we’re vulnerable. Nevertheless, we will remove npm from the next release.

In the future, please follow this guide on responsible vulnerability disclosure: