CVEs on the Docker image of SonarQube 8.9.9 enterprise

We spotted the following CVEs of “HIGH” severity after scanning the official sonarqube:8.9.9-enterprise Docker image using Trivy:
https://nvd.nist.gov/vuln/detail/CVE-2022-30065
https://nvd.nist.gov/vuln/detail/CVE-2022-2097
https://nvd.nist.gov/vuln/detail/CVE-2022-29458

Is it safe to use this image for production?

Hi Jerry,

Thanks for your report!

I’ve forwarded this report to our security team. So you know, our disclosure policy calls for a more private reporting of potential vulnerabilities, so I’ve “unlisted” this topic.

Chris

Hi Jerry,

These findings should no longer be there. The SonarQube Docker image uses Alpine v3.13 as the base image, and the image was recently re-built and now includes all fixes from Alpine v3.13.12.
Please pull the latest LTS image to get the latest updates. You should feel safe to use this image.

Chris

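A way to verify the maintainer's answer on your side is to re-scan the pulled image with Trivy (`trivy image -f json -o report.json sonarqube:8.9.9-enterprise`) and check that the three CVEs from the original post are gone and that the base OS is at least Alpine 3.13.12. The script below is an added example, not SonarSource's or Trivy's own code; the two embedded reports are constructed sample data in Trivy's JSON layout (package names and versions are illustrative, not the real advisory data).

```python
"""Check a Trivy JSON report for the CVEs discussed in this thread."""
import json

# CVE IDs from the original post.
THREAD_CVES = {"CVE-2022-30065", "CVE-2022-2097", "CVE-2022-29458"}
# Alpine release the rebuilt image is said to include fixes from.
EXPECTED_ALPINE = (3, 13, 12)


def parse_version(text):
    """'3.13.12' -> (3, 13, 12) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def findings(report, severities=("HIGH", "CRITICAL")):
    """Map CVE id -> (package, installed, fixed) for findings at the given severities."""
    out = {}
    for result in report.get("Results", []):
        # Trivy emits null instead of [] when a target has no findings.
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in severities:
                out[v["VulnerabilityID"]] = (v.get("PkgName"),
                                             v.get("InstalledVersion"),
                                             v.get("FixedVersion", ""))
    return out


def check_image(report):
    """Return (CVEs from the thread still present, base OS at/after expected Alpine)."""
    still_present = sorted(THREAD_CVES & set(findings(report)))
    os_meta = report.get("Metadata", {}).get("OS", {})
    base_ok = (os_meta.get("Family") == "alpine"
               and parse_version(os_meta.get("Name", "0")) >= EXPECTED_ALPINE)
    return still_present, base_ok


# Constructed sample: what the poster's scan of the old build could look like.
BEFORE_REPORT = json.loads("""{"ArtifactName": "sonarqube:8.9.9-enterprise",
 "Metadata": {"OS": {"Family": "alpine", "Name": "3.13.10"}},
 "Results": [{"Target": "sonarqube:8.9.9-enterprise (alpine 3.13.10)", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-2022-30065", "PkgName": "busybox", "InstalledVersion": "1.32.1-r6", "FixedVersion": "1.32.1-r7", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-2022-2097", "PkgName": "libssl1.1", "InstalledVersion": "1.1.1o-r0", "FixedVersion": "1.1.1q-r0", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-2022-29458", "PkgName": "ncurses-libs", "InstalledVersion": "6.2_p20210109-r0", "FixedVersion": "6.2_p20210109-r1", "Severity": "HIGH"}]}]}""")

# Constructed sample: a rebuilt image with the fixes applied and only a MEDIUM left.
AFTER_REPORT = json.loads("""{"ArtifactName": "sonarqube:8.9.9-enterprise",
 "Metadata": {"OS": {"Family": "alpine", "Name": "3.13.12"}},
 "Results": [{"Target": "sonarqube:8.9.9-enterprise (alpine 3.13.12)", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example", "InstalledVersion": "1.0-r0", "FixedVersion": "", "Severity": "MEDIUM"}]}]}""")

if __name__ == "__main__":
    print("before:", check_image(BEFORE_REPORT))  # (3 CVEs listed, False)
    print("after: ", check_image(AFTER_REPORT))   # ([], True)
```

To use it on a real scan, replace the embedded samples with `json.load(open("report.json"))`; an empty list plus `True` means the thread's findings are gone from the build you pulled.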