Running a Trivy security scan on the latest Community Docker image returned some dependency-related CVEs for which I couldn’t find any info on the forums or SonarQube’s issue tracker.
CVE-2022-3509
CVE-2022-3510
Could you confirm whether SonarQube is affected by these vulnerabilities and, if so, whether there are plans to update the affected dependencies?
I’ve unlisted your topic since you’re reporting a vulnerability. Our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts. But I’ll let them know about this thread.
Thanks for your report. After preliminary investigation, we found a record of having mitigated the low-in-SonarQube risk of these CVEs in 9.9, so it’s odd to see you re-finding them in 10.1. We’re going to look further into this.
We found that a bundled library depends on a vulnerable version of protobuf. However, no protobuf messages are serialized/unserialized in the context of that library. And the vulnerable version of protobuf is not propagated to the rest of the SonarQube application. Therefore, there’s no vulnerability.
Nonetheless, we plan to clean up this vulnerable dependency and begin regular security scans of the library.
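One way to do the kind of triage this thread describes, as an added example that is neither SonarSource's code nor anything from the posts above: parse Trivy's JSON report, group each finding by the archive Trivy says bundles the vulnerable package (the `PkgPath` field on jar findings), and, for artifacts whose risk has been accepted with a written reason, emit `.trivyignore` entries. The report contents, paths and versions below are constructed placeholders, not SonarQube's real layout. The one caveat a practitioner should keep in mind is built in: `.trivyignore` suppresses by CVE ID for the whole scan, so the helper refuses to emit an entry when the same CVE also appears in an artifact nobody has accepted.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a Trivy JSON report (trivy image -f json ...).
# The jar path and the protobuf versions are placeholders for illustration only.
BUNDLED = "opt/app/extensions/bundled-analyzer.jar"
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "Java",
        "Class": "lang-pkgs",
        "Type": "jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-3509",
             "PkgName": "com.google.protobuf:protobuf-java",
             "PkgPath": BUNDLED,
             "InstalledVersion": "3.19.2", "FixedVersion": "3.19.6", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2022-3510",
             "PkgName": "com.google.protobuf:protobuf-java",
             "PkgPath": BUNDLED,
             "InstalledVersion": "3.19.2", "FixedVersion": "3.19.6", "Severity": "HIGH"},
        ],
    }],
})


def findings_by_artifact(report_json):
    """Group Trivy findings by the archive that carries the vulnerable package.

    Returns {artifact_path: [{"id", "pkg", "installed", "fixed"}, ...]}.
    Findings without a PkgPath fall back to the result's Target name.
    """
    report = json.loads(report_json)
    grouped = defaultdict(list)
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            artifact = vuln.get("PkgPath") or result.get("Target", "unknown")
            grouped[artifact].append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion"),
            })
    return dict(grouped)


def trivyignore_lines(grouped, accepted):
    """Emit .trivyignore lines (a '#' reason comment followed by the CVE ID)
    for every finding inside an accepted artifact.

    accepted maps artifact_path -> documented reason for accepting the risk.
    Because .trivyignore matches by ID across the whole scan, raise instead of
    silently hiding a CVE that also occurs in an artifact nobody accepted.
    """
    elsewhere = defaultdict(set)
    for path, findings in grouped.items():
        if path not in accepted:
            for f in findings:
                elsewhere[f["id"]].add(path)

    lines = []
    for path, reason in accepted.items():
        for f in grouped.get(path, []):
            if f["id"] in elsewhere:
                raise ValueError(
                    f"{f['id']} also present in {sorted(elsewhere[f['id']])}; "
                    "cannot suppress by ID without accepting those too")
            lines.append(f"# {f['pkg']} {f['installed']} (fixed in {f['fixed']}) "
                         f"bundled in {path}: {reason}")
            lines.append(f["id"])
    return lines


if __name__ == "__main__":
    grouped = findings_by_artifact(SAMPLE_REPORT)
    for path, findings in grouped.items():
        print(path)
        for f in findings:
            print(f"  {f['id']}  {f['pkg']} {f['installed']} -> {f['fixed']}")
    # Hypothetical accepted-risk reason, mirroring the reasoning in the thread.
    reason = "library never (de)serializes protobuf messages; version not on app classpath"
    print("\n".join(trivyignore_lines(grouped, {BUNDLED: reason})))
```

Re-run the grouping after every image update: the accepted reason is tied to a specific artifact, so a CVE that reappears under a different `PkgPath` should come back as a fresh finding rather than stay hidden behind an old ignore entry.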