We use Sonatype Nexus IQ Firewall on a proxied NuGet repository and the dotnet-sonarscanner (all versions) is being quarantined because it depends on and comes packaged with a vulnerable version of Newtonsoft.Json. Is SonarQube planning to update the Newtonsoft.Json package used in the dotnet-sonar…

Dotnet-sonarscanner using vulnerable Newtonsoft.Json package

Andrei_Epure (Andrei Epure) December 16, 2021, 2:47pm 3

Hello.

What is the version of the scanner that you are using?

For responsible disclosure of CVEs, please follow this guide: Responsible Vulnerability Disclosure

2 Likes

Topic		Replies	Views
Can SonarCloud detect a recently disclosed vulnerability with Newtonsoft.Json? SonarQube Cloud dotnet	1	815	August 18, 2022
Scanner for .NET v10 released Sonar Updates scanner , dotnet	0	68	March 14, 2025
.NET - Nuget vulnerability scanning SonarQube Cloud	1	1908	January 9, 2023
Bug: duplicate key with different file casing (sonar scanner .NET) SonarQube Server / Community Build sonarqube , scanner , dotnet	5	503	August 9, 2024
Object deserialization is used in package name - solution does not seem to work SonarQube Server / Community Build	2	781	September 5, 2022