Hi All,
I want to know whether SonarQube versions 9.3 & 9.5 are affected by CVE-2022-42889.
We have verified the source code on GitHub and couldn’t see any library related to org.apache.commons:commons-text, so we want to get confirmation on the same.
We have SonarQube Developer Edition and we would also like to know whether SonarQube is vulnerable to CVE-2022-24889, and if so, which versions. Can someone from SonarSource provide a statement?
Thank you for reaching out to us; we take all customer vulnerability reports very seriously.
None of these SonarQube versions are vulnerable to CVE-2022-42889. However, SQ 9.3 and 9.5 are no longer supported; hence our advice is to update to the latest release, 9.7, which of course is not vulnerable either.
Please let me know if you have any further questions.
While it’s important to note that you should always be on the latest version or the latest point release of the LTS, SonarQube versions aren’t vulnerable to this because they don’t use the dependency in a way that would expose them to the vulnerability.
Apologies for hijacking this thread, but you might need to check the plugins you have installed; these plugins are not supported here.
The findbugs plugin is not maintained by SonarSource but bundles commons-text.
Version 4.2.2 of the plugin (released yesterday, October 21st) upgraded to commons-text 1.10.
As far as I can see, securityjavafrontend is a bundled plugin within the distributed ZIP file. Am I right, and if so, can you assure me that my scanner is mistaken, or is this plugin indeed using the vulnerable commons-text version?
Hi,
We are using SonarQube Developer Edition 8.9.6. Are you planning to update the commons-text dependency version to 1.10.0 and release a patch version for 8.9.6 (just to be safe)? Please confirm.
On a related note, your instance may already be vulnerable to other issues because it’s not updated. SonarQube 8.9.6 was released in 2021; the latest LTS version is 8.9.10.
SonarQube is not vulnerable to CVE-2022-42889: neither v8.9.10 LTS nor v9.7.
org.apache.commons.text.StringSubstitutor, the use of which can lead to a vulnerability, is not used in either version.
We will in any case update the dependency version (or try to drop it entirely) in future SonarQube versions (starting with v9.8) to suppress the warning. There are no plans at the moment to update v8.9 LTS.
Could you confirm whether that’s a typo in the CVE in your message? Should it be CVE-2022-42889 instead of 32889?
Could you also confirm whether 8.9.6 is impacted? I know you mentioned we should update to the latest 8.9.10 LTS, but I wanted to see if 8.9.6 is vulnerable as well.
This version has been EOL for almost two years. You should upgrade to a supported version (8.9.10 or 9.7). We won’t offer any statement on EOL versions of SonarQube which, by their very nature of no longer being supported, represent an operational/security risk if you’re still using one.
I’m using SonarQube Enterprise and upgraded to the latest version, 9.7, but the vulnerability still exists:
/data/sonarqube/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar
/data/sonarqube/temp/ce-exploded-plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar
Could you give me a recommendation to solve this issue? Is it possible to replace the version manually?
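The two jar paths above are exactly what a file-based scanner keys on. As an added example (not code from SonarSource or from anyone in this thread), here is a POSIX shell script that inventories commons-text jars under a SonarQube install directory by filename and reports which ones are below 1.10.0, the commons-text release that fixes CVE-2022-42889. The sample tree it builds is constructed to mirror the paths quoted in this thread; the extra `extensions/plugins/hypothetical-plugin` entry is an assumption added only to show a non-flagged jar.

```shell
#!/bin/sh
# Added example (not from any participant in this thread): inventory
# commons-text jars under a SonarQube installation and flag any whose
# filename version is below 1.10.0, the first release fixing CVE-2022-42889.
set -e

COMMONS_TEXT_FIXED="1.10.0"

# version_lt A B: succeed (exit 0) when dot-separated version A is lower
# than B. A trailing qualifier such as "-SNAPSHOT" is ignored, and missing
# trailing components count as 0, so 1.8 compares equal to 1.8.0.
version_lt() {
  vl_a=${1%%-*}; vl_b=${2%%-*}; vl_i=1
  while :; do
    # Append a dot so cut never echoes a dot-less input back as every field.
    vl_x=$(printf '%s.\n' "$vl_a" | cut -d. -f"$vl_i")
    vl_y=$(printf '%s.\n' "$vl_b" | cut -d. -f"$vl_i")
    if [ -z "$vl_x" ] && [ -z "$vl_y" ]; then
      return 1   # every component compared equal
    fi
    vl_x=${vl_x:-0}; vl_y=${vl_y:-0}
    if [ "$vl_x" -lt "$vl_y" ]; then return 0; fi
    if [ "$vl_x" -gt "$vl_y" ]; then return 1; fi
    vl_i=$((vl_i + 1))
  done
}

# scan_commons_text DIR: one line per commons-text jar found under DIR,
# formatted "<status> <version> <path>", status being BELOW_FIX or FIXED.
scan_commons_text() {
  find "$1" -type f -name 'commons-text-*.jar' | sort | while IFS= read -r sc_jar; do
    sc_base=$(basename "$sc_jar" .jar)
    sc_ver=${sc_base#commons-text-}
    if version_lt "$sc_ver" "$COMMONS_TEXT_FIXED"; then
      sc_status=BELOW_FIX
    else
      sc_status=FIXED
    fi
    printf '%s %s %s\n' "$sc_status" "$sc_ver" "$sc_jar"
  done
}

# count_below_fix DIR: number of commons-text jars under DIR older than the fix.
count_below_fix() {
  scan_commons_text "$1" | grep -c '^BELOW_FIX' || true
}

# make_sample_tree: build a constructed directory layout that mirrors the
# paths quoted in the thread plus one hypothetical plugin with a fixed jar.
# The jar files are empty placeholders; only their names matter here.
make_sample_tree() {
  mst_root=$(mktemp -d)
  mkdir -p "$mst_root/data/web/deploy/plugins/securityjavafrontend/META-INF/lib" \
           "$mst_root/temp/ce-exploded-plugins/securityjavafrontend/META-INF/lib" \
           "$mst_root/extensions/plugins/hypothetical-plugin/META-INF/lib"
  : > "$mst_root/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar"
  : > "$mst_root/temp/ce-exploded-plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar"
  : > "$mst_root/extensions/plugins/hypothetical-plugin/META-INF/lib/commons-text-1.10.0.jar"
  printf '%s\n' "$mst_root"
}

# Usage: sh check_commons_text.sh /opt/sonarqube
# With no argument, the constructed sample tree is scanned instead.
target_dir=${1:-$(make_sample_tree)}
scan_commons_text "$target_dir"
```

The script reports by filename, which is the same signal most scanners use, so it reproduces their findings rather than settling exploitability: as the replies in this thread point out, a flagged jar only matters if something calls `StringSubstitutor` with untrusted input. Its value is in mapping each hit to the plugin directory that bundles it (here `securityjavafrontend`, or a third-party plugin like findbugs), so you know which component owner to follow up with instead of editing jars in the distribution.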
Thus, having the jar does not make SonarQube 9.7 - or other versions - vulnerable. There is no recommendation to “solve the issue” because there is no issue. You should not tamper with the SonarQube distribution, but use it as-is.
@ganncamp Ann, it is understandable what you say; however, typically the security people who do these scans automatically consider the fact that jar files exist a security issue. Also, the sonar scanner seems to use the sonar-securityjavafrontend-plugin.jar file as well… On a side note, when is the next LTS release coming up (planned)? It is mentioned here that some of the fixes may be in the new release of the product, but not necessarily in a patch to the LTS version.