Following Up On SonarQube Security Vulnerabilities

Background

  • SonarQube
  • Developer Edition
  • Dockerized
  • v10.6 (92116)

Want

I would like to be notified about security vulnerabilities of SonarQube itself. This would include what security fixes an update covers or, if available when there is a zero-day attack, what remedies SonarSource recommends before a fix is implemented.

Has Been Done

I have looked into SonarSource/Qube websites but haven’t come across something. Yes, there is a blog but…

Preferred

My preferred method would be communication via email as updates are pushed or vulnerabilities are found.

Is there such a channel? Thanks.

Hi,

Welcome to the community!

There’s no channel for this. When we discover a vulnerability, we assess and then possibly address it. It will be represented in Jira as a ticket titled something like “Fix SSF-nnn”.

It’s our policy to update such tickets with the vulnerability details 90 days after the versions containing the fixes are released.

HTH,
Ann