We use Nessus to assess servers for vulnerabilities in our environment. When scanning our server being used for SonarQube, we are showing a finding for Tomcat default files being present. https://www.tenable.com/plugins/nessus/12085
When testing a non-existent path under the sonarqube context (e.g. http://server.com:9000/sonarqube/badpath), we received a custom error page (this is the desired functionality).
However, when accessing a page outside of the sonarqube context (e.g. http://server.com:9000/badpath), we receive the default Apache error page, which includes Tomcat version information. It appears that Tomcat might be embedded, so I don’t see any applicable conf files where we could change this behavior.
Is there any way to disable/modify the Tomcat error page?
As a mitigation, we put SonarQube behind an Apache service so we can control the error shown for non-existent paths, but this doesn’t necessarily solve the core complaint of the vulnerability scanner.
Thank you for any help you can provide.
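
An added example, not part of the original post: a small check for whether an error response still exposes a Tomcat version banner, which can be run against both the direct port and the Apache front end after a change. The sample pages and the `0.0.0` version are constructed, and the function and script names are hypothetical.

```python
import re
import sys
import urllib.error
import urllib.request

# Banner string the default Tomcat error report prints in its footer.
TOMCAT_BANNER = re.compile(r"Apache Tomcat/([0-9][0-9A-Za-z.\-]*)")

# Constructed samples (not captured from a real server; 0.0.0 is a placeholder version).
SAMPLE_DEFAULT_404 = (
    "<html><head><title>HTTP Status 404 - Not Found</title></head><body>"
    "<h1>HTTP Status 404 - Not Found</h1><hr/><h3>Apache Tomcat/0.0.0</h3></body></html>"
)
SAMPLE_CUSTOM_404 = "<html><body><h1>Page not found</h1></body></html>"


def find_tomcat_disclosure(headers, body):
    """Return (location, version) pairs for every place a Tomcat version is exposed."""
    findings = []
    for name, value in headers.items():
        for match in TOMCAT_BANNER.finditer(value):
            findings.append((f"header {name}", match.group(1).rstrip(".-")))
    # Report each distinct version found in the body once.
    versions = {m.group(1).rstrip(".-") for m in TOMCAT_BANNER.finditer(body)}
    findings.extend(("body", version) for version in sorted(versions))
    return findings


def fetch(url, timeout=10):
    """GET url; a 4xx/5xx answer is returned like any other response."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python check_error_pages.py http://server.com:9000/badpath ...
    for url in sys.argv[1:]:
        status, headers, body = fetch(url)
        found = find_tomcat_disclosure(headers, body)
        print(url, status, found if found else "no Tomcat version disclosed")
```

Running it against a non-existent path both inside and outside the `/sonarqube` context shows which listener still serves the default page.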