Is the Crowd (sonar-crowd) plugin for SonarQube affected by the Spring4Shell vulnerability (CVE-2022-22965)?

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension) - SonarQube EE v9.2.4
  • what are you trying to achieve - To check if the sonar-crowd plugin (v2.2.0) that we have integrated with the SonarQube application is affected by the security vulnerability CVE-2022-22965 (Spring4Shell)
  • what have you tried so far to achieve this - R&D, but we still doubt whether the plugin has any impact on the application.

Hey there.

This plugin is not developed, supported or maintained by SonarSource. You can have a look at the repo here: GitHub - deepy/sonar-crowd (although it has been archived by the maintainer) and check the code for any utilization of Spring.
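
One way to run the check suggested above against a built plugin JAR instead of the source, as an added example that is not part of the original thread or of the sonar-crowd project: it inventories Spring artifacts and `org.springframework` classes inside a JAR, including nested and shaded ones. The sample archive, its file names and the `0.0.0` version are constructed for the demo and say nothing about what the real plugin contains; a hit shows only that Spring is bundled, which is the starting point for checking the version and how it is used.

```python
import io
import re
import sys
import zipfile

SPRING_PKG = "org/springframework/"
SPRING_JAR = re.compile(r"(spring-[a-z0-9-]+?)-(\d[\w.-]*)\.jar$")

def find_spring(jar_bytes, origin, depth=0, max_depth=3):
    """Return sorted (origin, kind, detail) tuples for Spring content in a JAR."""
    found = set()
    try:
        zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:
        return []  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            if name.endswith(".class") and SPRING_PKG in name:
                # Also catches shaded/relocated copies: keep org/springframework/<module>
                rel = name[name.index(SPRING_PKG):]
                found.add((origin, "classes", "/".join(rel.split("/")[:3])))
            elif name.endswith(".jar"):
                m = SPRING_JAR.match(name.rsplit("/", 1)[-1])
                if m:
                    found.add((origin, "artifact", f"{m.group(1)} {m.group(2)}"))
                if depth < max_depth:  # plugins often bundle dependencies as nested JARs
                    found.update(find_spring(zf.read(name), f"{origin}!{name}", depth + 1, max_depth))
    return sorted(found)

def make_jar(entries):
    """Build an in-memory JAR from {name: bytes} (used for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def constructed_sample():
    """Constructed demo archive; not the contents of any real plugin."""
    nested = make_jar({"org/springframework/beans/BeanWrapperImpl.class": b""})
    other = make_jar({"com/example/Other.class": b""})
    return make_jar({"org/example/plugin/ExamplePlugin.class": b"",
                     "META-INF/lib/spring-beans-0.0.0.jar": nested,
                     "META-INF/lib/other-lib-1.0.jar": other})

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else constructed_sample()
    for finding in find_spring(data, path or "example-plugin.jar"):
        print(*finding, sep="\t")
```

Pass the path of the plugin JAR from the SonarQube plugins directory as the first argument; with no argument the script runs on the constructed sample.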