Hi,
I’ve unlisted your topic since you’re reporting a potential vulnerability. Our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts. Could you please re-send this to security@sonarsource.com!
I know this might seem like overkill, but we really try and funnel CVE reports to a central place since, given the nature of software/dependency checks today, they are never ending (and rarely a real vulnerability)