Thank you @ganncamp Ann !
@ganncamp Any chance this will be in the next 9.7 patch release?
Hi @mkim,
Welcome to the community!
- We’re not planning another 9.7 patch
- There’s no “this” to include in it. SonarQube is not affected by CVE-2022-42889
Ann
@ganncamp That’s been stated multiple times, so I get it. Unfortunately, this is not acceptable to our security folks, so I have to reemphasize the first statement by @EugeneL.
Hi,
Fair enough. I’ve pinged internally, but I don’t expect any movement.
Ann
When I execute the sonarqube task in my Gradle project, the .sonar folder gets created, and inside it I am able to find the commons-text library, which has a vulnerability:
/.sonar/cache/80d9311b88f4c25555863d476af6a6be/sonar-findbugs-plugin.jar_unzip/META-INF/lib/commons-text-1.9.jar
/.sonar/cache/3314cd4f9160350d8f07cc8ab42fdc2d/sonar-securityjavafrontend-plugin.jar_unzip/META-INF/lib/commons-text-1.8.jar
I have tried upgrading the sonarqube-gradle-plugin version to 3.3, but no luck.
Can someone please help to resolve the commons-text-1.8 and commons-text-1.9 jar vulnerability problem on an urgent basis?
Which sonarqube-gradle-plugin version should I upgrade to?
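The two cache paths quoted in the post above are the kind of thing a security team will ask to be inventoried. The script below is an added example, not code from the thread or from SonarSource: it walks a scanner cache directory (for example ~/.sonar/cache), picks out every commons-text jar, names the unpacked plugin entry it came from, and flags versions below 1.10.0. That threshold is the Apache Commons Text release that fixes CVE-2022-42889 (taken from the Apache advisory, not from the thread, which only names 1.8 and 1.9); the sample paths are constructed from the two quoted in the post plus one hypothetical fixed jar.

```python
"""Added example: inventory commons-text jars unpacked into a Sonar scanner cache
and flag those below the release that fixes CVE-2022-42889."""
import os
import re
import tempfile

# Matches jar file names such as commons-text-1.9.jar and captures the version.
JAR_NAME = re.compile(r"^commons-text-(\d+(?:\.\d+)*)\.jar$")

# Apache Commons Text 1.10.0 is the first release with the fix for CVE-2022-42889
# (from the Apache advisory; the thread itself names only 1.8 and 1.9).
FIXED_VERSION = (1, 10, 0)


def parse_version(version: str) -> tuple:
    """'1.9' -> (1, 9, 0); pad to three components so '1.10' compares as 1.10.0."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def below_fix(version: str) -> bool:
    """True when the jar version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def owning_plugin(path: str) -> str:
    """Name the '<plugin>.jar_unzip' cache entry the jar was unpacked from, if any."""
    for part in re.split(r"[\\/]", path):
        if part.endswith(".jar_unzip"):
            return part[: -len("_unzip")]
    return "(not inside a plugin cache entry)"


def classify_paths(paths):
    """Pure function over a list of file paths: one finding per commons-text jar."""
    findings = []
    for path in paths:
        match = JAR_NAME.match(os.path.basename(path))
        if not match:
            continue
        version = match.group(1)
        findings.append({
            "path": path,
            "version": version,
            "plugin": owning_plugin(path),
            "below_fix": below_fix(version),
        })
    return findings


def scan_tree(root):
    """Walk a real directory tree (e.g. ~/.sonar/cache) and classify every file."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.append(os.path.join(dirpath, name))
    return classify_paths(paths)


# Constructed sample: the two paths quoted in the thread, one hypothetical fixed
# jar under a placeholder cache key, and one unrelated jar that must be ignored.
SAMPLE_PATHS = [
    ".sonar/cache/80d9311b88f4c25555863d476af6a6be/sonar-findbugs-plugin.jar_unzip/META-INF/lib/commons-text-1.9.jar",
    ".sonar/cache/3314cd4f9160350d8f07cc8ab42fdc2d/sonar-securityjavafrontend-plugin.jar_unzip/META-INF/lib/commons-text-1.8.jar",
    ".sonar/cache/constructed-cache-key/example-plugin.jar_unzip/META-INF/lib/commons-text-1.10.0.jar",
    ".sonar/cache/constructed-cache-key/example-plugin.jar_unzip/META-INF/lib/commons-lang3-3.12.0.jar",
]


def demo():
    """Materialise SAMPLE_PATHS as empty files in a temp dir and scan it for real."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in SAMPLE_PATHS:
            full = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "wb").close()
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        flag = "BELOW FIX" if finding["below_fix"] else "ok"
        print(f"{flag:9} commons-text-{finding['version']}  from {finding['plugin']}")
```

Pointing `scan_tree` at a real cache gives the same per-plugin attribution that Ann's reply relies on: the finding names the plugin jar the library was unpacked from, so the question of who maintains it can be answered from the path alone. Version is read from the file name only; a jar renamed or shaded into another archive would not be seen.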
Hi @Avanti,
Welcome to the community!
I’ve moved your post to a more-relevant thread.
Note the sonar-findbugs-plugin.jar in the path you posted. FindBugs is a 3rd-party plugin, which you use at your own risk. If you have concerns about it, I suggest you contact its maintainers. And perhaps uninstall it in the meantime.
Ann