Disable ElasticSearch Attachment Processor within SonarQube

Our instance of SonarQube was flagged as having an out-of-date Elasticsearch version (8.11.0) that contains security vulnerabilities. We must upgrade the ElasticSearch version (8.11.0) to (8.11.1). Due to external factors related to internal automation software, we cannot upgrade the SonarQube version now. As per the community’s response, it is impossible to upgrade ElasticSearch alone.
Question here is can we disable the attachment processor in ElasticSearch within the Sonarqube using the below config in sonar-conf.properties? If yes, do we have any impacts on SQ working? Please suggest.

Config to disable ES attachment processor within SQ:

Disable Elasticsearch attachment processor

sonar.search.javaAdditionalOpts=-Dsonar.search.javaAdditionalOpts=-Dsonar.search.elasticsearch.nodesIngest=0

I am referring to ElasticSearch Security Update documentation - Elasticsearch 8.11.1 Security Update (ESA-2024-05) - Security Announcements - Discuss the Elastic Stack

Hi,

I believe SonarQube distribution doesn’t even include the ElasticSearch attachment processor module.

1 Like