Running a Trivy security scan on the latest Community Docker image returned some dependency-related CVEs for which I couldn’t find any info on the forums or Sonarqube’s issue tracker.
Could you confirm whether Sonarqube is affected by these vulnerabilities and, if so, whether there are plans to update the affected dependencies?
Steps to reproduce:
$ trivy image --vuln-type library sonarqube:10.1.0-community
Thanks in advance!
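The table Trivy prints for the command above lists each CVE against a package name, but the question the thread turns on is which jar actually carries the vulnerable package (its own artifact, or another library that bundles it). The following is an added example, not code from the original post or from SonarSource: it parses Trivy's JSON output (`trivy image --format json ...`) and groups library findings by the jar path Trivy reports. It assumes the report layout Trivy uses (`Results[].Class == "lang-pkgs"`, each vulnerability carrying `PkgName`, `PkgPath`, `InstalledVersion`, `FixedVersion`, `Severity`); the embedded report is constructed sample data with placeholder CVE identifiers and made-up jar paths, not the findings from any real scan.

```python
"""Triage a Trivy JSON report: group library CVEs by the jar that carries them.

Added example (not from the thread or SonarSource). Assumes Trivy's JSON
shape; SAMPLE_REPORT below is constructed data with placeholder CVE IDs.
"""
import json
from collections import defaultdict

# Constructed sample report in Trivy's JSON layout (assumed shape, see lead-in).
# CVE-0000-000x are placeholders, not real CVEs; paths and versions are made up.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "sample-image:1.0",
    "Results": [
        {
            "Target": "sample-image:1.0 (debian 12.0)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libsample",
                 "InstalledVersion": "1.0-1", "Severity": "LOW"},
            ],
        },
        {
            "Target": "Java",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                # protobuf reported from inside another library's jar: bundled/shaded
                {"VulnerabilityID": "CVE-0000-0001",
                 "PkgName": "com.google.protobuf:protobuf-java",
                 "PkgPath": "/opt/sample/lib/bundled-library.jar",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002",
                 "PkgName": "com.google.protobuf:protobuf-java",
                 "PkgPath": "/opt/sample/lib/bundled-library.jar",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
                 "Severity": "MEDIUM"},
                # a library shipped as its own jar
                {"VulnerabilityID": "CVE-0000-0004",
                 "PkgName": "org.example:standalone-lib",
                 "PkgPath": "/opt/sample/lib/standalone-lib.jar",
                 "InstalledVersion": "2.0.0", "FixedVersion": "2.0.1",
                 "Severity": "HIGH"},
            ],
        },
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def library_findings(report_json, min_severity="LOW"):
    """Return lang-pkgs findings at or above min_severity, each with its jar path.

    OS-package results are skipped, which is what `--vuln-type library` reports.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity.upper()]
    findings = []
    for result in report.get("Results", []):
        if result.get("Class") != "lang-pkgs":
            continue
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(sev, 0) < threshold:
                continue
            findings.append({
                "cve": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "jar": vuln.get("PkgPath", result.get("Target", "")),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": sev,
            })
    return findings


def group_by_jar(report_json, min_severity="LOW"):
    """Map jar path -> {package: sorted CVE list}, so each CVE is tied to an artifact."""
    grouped = defaultdict(lambda: defaultdict(set))
    for f in library_findings(report_json, min_severity):
        grouped[f["jar"]][f["pkg"]].add(f["cve"])
    return {jar: {pkg: sorted(cves) for pkg, cves in pkgs.items()}
            for jar, pkgs in grouped.items()}


def bundled_packages(report_json):
    """Sorted (jar, package) pairs where the jar's file name is not the package's artifact.

    Heuristic: Trivy reads pom.properties inside the jar, so when the jar name
    does not match the artifact, the package is shaded into someone else's jar.
    That is the case to examine for reachability, not just version numbers.
    """
    pairs = set()
    for f in library_findings(report_json):
        artifact = f["pkg"].split(":")[-1]
        jar_name = f["jar"].rsplit("/", 1)[-1]
        if not jar_name.startswith(artifact):
            pairs.add((f["jar"], f["pkg"]))
    return sorted(pairs)


if __name__ == "__main__":
    for jar, pkgs in sorted(group_by_jar(SAMPLE_REPORT, "MEDIUM").items()):
        print(jar)
        for pkg, cves in sorted(pkgs.items()):
            print(f"  {pkg}: {', '.join(cves)}")
    print("bundled:", bundled_packages(SAMPLE_REPORT))
```

Against a real report, pipe `trivy image --format json --vuln-type library <image>` into the file read by these functions; a package that appears under another library's jar is the one whose actual use inside that library (here, whether any protobuf messages are ever parsed) decides whether the CVE is reachable.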
I’ve unlisted your topic since you’re reporting a vulnerability. Our responsible disclosure policy asks that you email firstname.lastname@example.org rather than making public posts. But I’ll let them know about this thread.
Thanks for your report. After preliminary investigation, we found record of having mitigated the low-in-SonarQube risk of these CVEs in 9.9, so it’s odd to see you re-finding them in 10.1. We’re going to look further into this.
Thanks for your patience.
We found that a bundled library depends on a vulnerable version of protobuf. However, no protobuf messages are serialized/unserialized in the context of that library. And the vulnerable version of protobuf is not propagated to the rest of the SonarQube application. Therefore, there’s no vulnerability.
Nonetheless, we plan to clean up this vulnerable dependency and begin regular security scans of the library.