Hi,
We are using SonarQube Developer Edition 8.9.6. Are you planning to update the commons_text dependency version to 1.10.0 and release a patch version for 8.9.6? (Just to be safe.) Please confirm.
On a related note, your instance may already be vulnerable to other issues because it’s not updated. SonarQube 8.9.6 was released in 2021; the latest LTS version is 8.9.10.
SonarQube is not vulnerable to CVE-2022-42889, neither v8.9.10 LTS nor v9.7.
org.apache.commons.text.StringSubstitutor, the use of which can lead to a vulnerability, is not used in either version.
We will in any case update the dependency version (or try to drop it entirely) in future SonarQube versions (starting with v9.8) to suppress the warning. There are no plans at the moment to update v8.9 LTS.
Could you confirm if that’s a typo on the CVE in your message? Should it be CVE-2022-42889 instead of 32889?
Could you also confirm if 8.9.6 is impacted, I know you mentioned we should update to the latest 8.9.10 LTS but wanted to see if 8.9.6 is vulnerable as well.
This version has been EOL for almost two years. You should upgrade to a supported version (8.9.10 or 9.7). We won’t offer any statement on EOL versions of SonarQube which, by their very nature of no longer being supported, represent an operational/security risk if you’re still using one.
I’m using SonarQube Enterprise and upgraded to the latest version 9.7, but the vulnerability still exists:
/data/sonarqube/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar
/data/sonarqube/temp/ce-exploded-plugins/securityjavafrontend/META-INF/lib/commons-text-1.8.jar
Can you give me a recommendation to solve this issue? Is it possible to replace the version manually?
Thus, having the jar does not make SonarQube 9.7 - or other versions - vulnerable. There is no recommendation to “solve the issue” because there is no issue. You should not tamper with the SonarQube distribution, but use it as-is.
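As an added example that is not part of this thread or of SonarQube’s own tooling, the check below applies the distinction made above: it lists commons-text jars bundled below 1.10.0 and, separately, the classes in the same plugin jar whose constant pool references org.apache.commons.text.StringSubstitutor, since a jar on disk is only an inventory finding while a reference is what warrants review. The plugin jar is a constructed in-memory stand-in; the filename-based version parse and the raw byte search of .class entries are assumptions of this example.

```python
"""Triage bundled commons-text jars: an old jar is a finding only if some
class in the plugin actually references StringSubstitutor (CVE-2022-42889)."""
import io
import re
import zipfile

# Internal JVM name as it appears in a class file's constant pool.
VULN_CLASS = b"org/apache/commons/text/StringSubstitutor"
FIXED = (1, 10, 0)  # first commons-text release that fixes CVE-2022-42889
JAR_RE = re.compile(r"commons-text-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def commons_text_version(path):
    """Return (major, minor, patch) parsed from a commons-text jar name, or None."""
    m = JAR_RE.search(path)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def triage(plugin_jar_bytes):
    """Walk one plugin jar. Nested commons-text jars below 1.10.0 go to
    old_jars; .class entries referencing StringSubstitutor go to users.
    Only the combination of both is worth a manual review (needs_review);
    a reference alone still says nothing about untrusted input reaching it."""
    old_jars, users = [], []
    with zipfile.ZipFile(io.BytesIO(plugin_jar_bytes)) as zf:
        for name in zf.namelist():
            ver = commons_text_version(name)
            if ver is not None and ver < FIXED:
                old_jars.append(name)
            elif name.endswith(".class") and VULN_CLASS in zf.read(name):
                users.append(name)
    return {"old_jars": old_jars, "users": users,
            "needs_review": bool(old_jars) and bool(users)}


def build_sample_plugin(reference_substitutor):
    """Constructed stand-in for a plugin jar: bundles commons-text-1.8.jar
    (an empty zip) and a single fake class that may name StringSubstitutor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/lib/commons-text-1.8.jar", b"PK\x05\x06" + b"\x00" * 18)
        ref = VULN_CLASS if reference_substitutor else b"java/lang/String"
        zf.writestr("org/example/Plugin.class", b"\xca\xfe\xba\xbe" + ref)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_plugin(False)))  # old jar present, no users
    print(triage(build_sample_plugin(True)))   # old jar present, one user
```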
@ganncamp Ann, it is understandable what you say, however typically the security people who do these scans consider the fact that the jar files exist automatically a security issue. Also the sonar scanner seems to use the sonar-securityjavafrontend-plugin.jar file as well… On a side note, when is the next LTS release coming up (planned)? It is mentioned here that some of the fixes may be in the new release of the product, but not necessarily in a patch to the LTS version.
@ganncamp That’s been stated multiple times so I get it, unfortunately this is not acceptable to our security folks so I have to reemphasize the first statement by @EugeneL
When I am executing the sonarqube task in my Gradle project, the .sonar folder gets created and inside it I am able to find the commons-text library which has the vulnerability.
I have tried upgrading the sonarqube-gradle-plugin version to 3.3 but no luck.
Can someone please help to resolve the commons-text-1.8 and commons-text-1.9 jar vulnerability problem on an urgent basis?
Which sonarqube-gradle-plugin version should I upgrade to?
Note the sonar-findbugs-plugin.jar in the path you posted. FindBugs is a 3rd-party plugin, which you use at your own risk. If you have concerns about it, I suggest you contact its maintainers. And perhaps uninstall it in the meantime.