Hi G,
SQ is using 8.9.6 LTS, specifically the version of it patched for the log4j vulnerability. We are looking for a solution: if we use a parameter by constant, then how can we remove the bugs?
Yes, it's for Java code.
SonarQube server is version 8.9.6 LTS.
SonarQube client is version sonar-scanner-3.3.0.1492-linux.
Development team is using “SonarLint for Eclipse 5.9” configured in their local IDE.
We found a scan result difference between SonarLint and the SonarQube client. Please help resolve it or suggest a fix.
comment:
The first 2 constant variables are set in the Java file itself.
The last 3 constant variables are set in StoreLocatorDataLoadConstants.java, outside it.
For the above source code, the scan result for SonarLint 5.9 is PASS, but it shows a vulnerability in the SonarQube client ‘sonar-scanner-3.3.0.1492-linux’.
Then we changed the code to the below. Scan results for both SonarLint and the sonar client are PASS. But it does NOT comply with the coding standard to use plain URL strings instead of Java constant variables. It would violate the coding standard.
And under the assumption that you are working together…
You should replace that “patched” version with the standard one. There’s no need to patch the latest versions of SonarQube; they’re upgraded past the vulnerability.
Please replace your patched version with a standard download and come back to us if the problem persists.
Hi Ann,
We upgraded our SQ server from 8.9.6 LTS to 8.9.7 and still get the vulnerability for the constant variable.
If we use a plain-text URL in the code, the scan passes.
Please advise, thanks.
I really don’t understand what you’re trying to communicate, but at this point it doesn’t seem to have much to do with the original post. Please open a new thread and start from the beginning.