CVE-2022-42889 effect on SonarQube

Hey all.

  • SonarQube is not vulnerable to CVE-2022-42889: neither v8.9.10 LTS nor v9.7.
  • org.apache.commons.text.StringSubstitutor, the use of which can lead to a vulnerability, is not used in either version.
  • We will in any case update the dependency version (or try to drop it entirely) in future SonarQube versions (starting with v9.8) to suppress the warning. There are no plans at the moment to update v8.9 LTS.

We will keep you posted if anything changes.
