CVE-2022-42889 effect on SonarQube

Thank you @ganncamp Ann ! :+1:t2:

@ganncamp Any chance this will be in the next 9.7 patch release?

Hi @mkim,

Welcome to the community!

  • We’re not planning another 9.7 patch
  • There’s no “this” to include in it. SonarQube is not affected by CVE-2022-42889.


@ganncamp That’s been stated multiple times, so I get it; unfortunately this is not acceptable to our security folks, so I have to reemphasize the first statement by @EugeneL.


Fair enough. I’ve pinged internally, but I don’t expect any movement.


When I am executing the sonarqube task in my Gradle project, the .sonar folder gets created, and inside it I am able to find the commons-text library which has the vulnerability.


I have tried upgrading the sonarqube-gradle-plugin version to 3.3, but no luck.

Can someone please help to resolve the commons-text-1.8 and commons-text-1.9 jar vulnerability problem on an urgent basis?
Which sonarqube-gradle-plugin version should I upgrade to?

Hi @Avanti,

Welcome to the community!

I’ve moved your post to a more-relevant thread.

Note the sonar-findbugs-plugin.jar in the path you posted. FindBugs is a 3rd-party plugin, which you use at your own risk. If you have concerns about it, I suggest you contact its maintainers. And perhaps uninstall it in the meantime.
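The two posts above turn on the same practical question: which commons-text jars actually sit in the scanner's .sonar directory, what version they are, and whether they belong to SonarQube itself or are bundled inside a third-party plugin jar such as the FindBugs one. The script below is an added example, not code from SonarSource or from this thread. It walks a directory tree, reports every commons-text jar it finds (including jars nested inside other jars), and flags versions older than commons-text 1.10.0, the release in which the dangerous interpolators were disabled by default. The sample cache layout it builds, including the hypothetical sonar-example-plugin.jar, is constructed for the demonstration; the paths inside a real .sonar directory will differ.

```python
"""Inventory Apache Commons Text jars under a SonarQube scanner cache.

Added example for this thread: finds commons-text-<version>.jar files,
including ones bundled inside other jars (third-party plugins), and flags
versions that predate the CVE-2022-42889 fix (commons-text 1.10.0).
"""
import io
import os
import re
import tempfile
import zipfile

# First commons-text release with the fix for CVE-2022-42889.
FIXED_VERSION = (1, 10, 0)
JAR_NAME_RE = re.compile(r"commons-text-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'1.9' -> (1, 9, 0): pad to three components so tuples compare cleanly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version):
    """True when the jar version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def find_commons_text(root):
    """Return sorted (location, version, vulnerable) tuples found under root.

    location is the jar path, or '<outer>.jar!<entry>' when the commons-text
    jar is embedded inside another jar, which is how a plugin ships its deps.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            m = JAR_NAME_RE.search(name)
            if m:
                findings.append((path, m.group(1), is_vulnerable(m.group(1))))
            elif name.endswith(".jar") and zipfile.is_zipfile(path):
                # Look inside other jars for a bundled commons-text jar.
                with zipfile.ZipFile(path) as zf:
                    for entry in zf.namelist():
                        m = JAR_NAME_RE.search(entry)
                        if m:
                            findings.append((f"{path}!{entry}", m.group(1),
                                             is_vulnerable(m.group(1))))
    return sorted(findings)


def build_sample_cache():
    """Constructed sample: a loose old jar, a loose fixed jar, and a
    hypothetical plugin jar that bundles commons-text-1.9.jar."""
    root = tempfile.mkdtemp(prefix="sonar-cache-")
    cache = os.path.join(root, "cache")
    os.makedirs(cache)
    for name in ("commons-text-1.8.jar", "commons-text-1.10.0.jar"):
        with zipfile.ZipFile(os.path.join(cache, name), "w"):
            pass  # an empty archive is enough to stand in for the jar
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w"):
        pass
    with zipfile.ZipFile(os.path.join(cache, "sonar-example-plugin.jar"), "w") as zf:
        zf.writestr("META-INF/lib/commons-text-1.9.jar", nested.getvalue())
    return root


def report(root):
    """Print one line per finding; returns the number of flagged jars."""
    flagged = 0
    for location, version, vulnerable in find_commons_text(root):
        status = "OLDER THAN 1.10.0" if vulnerable else "ok"
        print(f"{status:18} commons-text {version:8} {location}")
        flagged += vulnerable
    return flagged


if __name__ == "__main__":
    # Point this at a real scanner cache, e.g. report(os.path.expanduser("~/.sonar"))
    report(build_sample_cache())
```

The output tells you where each old jar lives, which is the information needed to decide whether it belongs to SonarQube or to a plugin you can remove; the mere presence of a jar in the cache is an inventory finding, not proof that the scanner exercises the vulnerable interpolation.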

