High CVEs in SonarScanner embedded JRE

sodul · April 9, 2024, 10:15pm

We download the scanner from SonarScanner CLI which comes with JRE 17.0.7.

Unfortunately this version contains several High CVEs that our internal security scans are flagging.

Can a new release of the scanner binaries be performed with a newer version of the JRE with fixes?

I see that there is a ticket tracking this:
https://sonarsource.atlassian.net/browse/SCANCLI-129

which is based on a closed PR in the public repo:

github.com/SonarSource/sonar-scanner-cli

Bump JDK from `17.0.7+7` to `17.0.10+7`

SonarSource:master ← danilo-delbusso:jdk_bump

opened 01:32PM - 04 Apr 24 UTC

danilo-delbusso

+9 -9

#### Please explain your motives to contribute this change: what problem you are… trying to fix, what improvement you are trying to make My team's analysers are flagging the CLI in containers because the version of the JDK shipped with the binary contains three high CVEs: - CVE-2024-20952 - CVE-2024-20932 - CVE-2024-20918 A simple bump should address the issue. Note that the CLI still reports other vulnerabilities. For those, there already is an open PR: https://github.com/SonarSource/sonar-scanner-commons/pull/162 #### Use the following formatting style: [SonarSource/sonar-developer-toolset](https://github.com/SonarSource/sonar-developer-toolset#code-style) N/A #### Provide a unit test for any code you changed N/A #### If there is a [JIRA](http://jira.sonarsource.com/browse/SQSCANNER) ticket available, please make your commits and pull request start with the ticket ID (SQSCANNER-XXXX) [No matching ticket found](https://sonarsource.atlassian.net/jira/software/c/projects/SQSCANNER/issues/SQSCANNER-117?jql=project%20%3D%20%22SQSCANNER%22%20AND%20text%20~%20%22jdk%22%20ORDER%20BY%20created%20DESC)

Raising this here so others can track progress more easily.

Alexandre_Gigleux · May 28, 2024, 8:09am

Hello @sodul,

Sorry for the delay. The release of the Scanner CLI 6.0 containing the fixed JRE is scheduled for this week.

Alex