Dependencies' vulnerabilities on SonarQube Community 10.0.0

Hello team,

Running a Trivy security scan against the latest Community Docker image returned some dependency-related CVEs:

  • CVE-2022-41915
  • CVE-2022-45688
  • CVE-2023-33264
  • CVE-2022-45868

Could you confirm whether SonarQube is affected by these vulnerabilities and, if so, whether there are plans to update the affected dependencies?

Steps to reproduce:

$ trivy image --vuln-type library sonarqube:10-community

Hey there.

On these three:

CVE-2022-41915 - Netty is only used internally for testing - Not vulnerable
CVE-2022-45688 - The vulnerable method is not used in SonarQube - Not vulnerable. We will update the dependency anyway in SonarQube 10.1.
CVE-2022-45868 - The h2 console is not used by SonarQube. - Not Vulnerable

I am following up on CVE-2023-33264 which looks rather new. I will make this post private for now until we come back with an update.


Hey there.

CVE-2023-33264 - Not vulnerable. There is no usage of ConfigXmlGenerator and we don’t use Hazelcast Management Center.

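The triage outcome above is the kind of decision that is easy to lose once the thread is closed. The script below, an added example rather than anything from SonarSource or the Trivy project, records the four "not vulnerable" verdicts stated in the replies alongside their reasons, applies them to a Trivy JSON report, and flags both findings still open and triage entries that no longer match anything (stale suppressions worth retiring). The scan input is a constructed sample shaped like `trivy image --format json` output; field names follow Trivy's JSON schema (an assumption), and package names, versions and the placeholder CVE are illustrative.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample shaped like `trivy image --format json` output (assumption: Trivy's
# Results[].Vulnerabilities[] field names). Package names are illustrative, and the last
# entry is an obviously labelled placeholder standing in for a finding nobody has triaged.
SAMPLE_SCAN = json.dumps({"Results": [{"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2022-41915", "PkgName": "netty (illustrative)", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2022-45688", "PkgName": "json-library (illustrative)", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2022-45868", "PkgName": "h2 (illustrative)", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2023-33264", "PkgName": "hazelcast (illustrative)", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-PLACEHOLDER", "PkgName": "example-lib (placeholder)", "Severity": "HIGH"},
    ]}]})

# Triage decisions as stated in the thread replies, keyed by CVE, with the justification kept
# next to the suppression so a reviewer can re-check it when the dependency or usage changes.
TRIAGE: Dict[str, str] = {
    "CVE-2022-41915": "Netty is only used internally for testing; not reachable in the product",
    "CVE-2022-45688": "vulnerable method not called by SonarQube; dependency to be updated in 10.1",
    "CVE-2022-45868": "H2 console is not used by SonarQube",
    "CVE-2023-33264": "no usage of ConfigXmlGenerator and no Hazelcast Management Center",
}

def load_findings(scan_json: str) -> List[dict]:
    """Flatten a Trivy JSON report into one record per (target, CVE, package)."""
    data = json.loads(scan_json)
    out = []
    for result in data.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append({"cve": v["VulnerabilityID"], "pkg": v.get("PkgName", "?"),
                        "severity": v.get("Severity", "UNKNOWN"), "target": result.get("Target", "?")})
    return out

def apply_triage(findings: List[dict], triage: Dict[str, str]) -> Tuple[List[dict], List[dict], List[str]]:
    """Return (still open, suppressed with reason, stale triage entries matching no finding)."""
    open_, suppressed, seen = [], [], set()
    for f in findings:
        reason = triage.get(f["cve"])
        if reason is None:
            open_.append(f)
        else:
            seen.add(f["cve"])
            suppressed.append({**f, "reason": reason})
    return open_, suppressed, sorted(set(triage) - seen)

def to_trivyignore(triage: Dict[str, str]) -> str:
    """Render the decisions as a .trivyignore file: '#' comment lines carry the reason, then the ID."""
    return "".join(f"# {reason}\n{cve}\n" for cve, reason in sorted(triage.items()))

if __name__ == "__main__":
    open_, suppressed, stale = apply_triage(load_findings(SAMPLE_SCAN), TRIAGE)
    print(f"open: {[f['cve'] for f in open_]}, suppressed: {len(suppressed)}, stale: {stale}")
    print(to_trivyignore(TRIAGE))
```

Running the real scan with `--format json` and feeding its output to `load_findings` gives the same split against the same triage table; the stale list tells you when a suppression can be dropped after the 10.1 dependency update lands.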
