Hello team,
Running a Trivy security scan to the latest Community Docker image returned some CVEs dependencies-related:
Could you confirm whether Sonarqube is affected by these vulnerabilities and if so, are there plans to update the affected depencencies?
Steps to reproduce:
$ trivy image --vuln-type library sonarqube:10-community
Hey there.
On these three:
CVE-2022-41915 - Netty is only used internally for testing - Not vulnerable
CVE-2022-45688 - The vulnerable method is not used in SonarQube - Not vulnerable. We will update the dependency anyways in SonarQube 10.1.
CVE-2022-45868 - The h2 console is not used by SonarQube. - Not Vulnerable
I am following up on CVE-2023-33264 which looks rather new. I will make this post private for now until we come back with an update.
Hey there.
CVE-2023-33264 - Not vulnerable. There is no usage of ConfigXmlGenerator and we don’t use Hazelcast Management Center.“*
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.