Is SonarQube Developer Edition version 9.2.4 affected by Spring Framework vulnerability CVE-2022-22963?

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Developer Edition 9.2.4

  • what are you trying to achieve
    We have deployed SonarQube on an AWS EC2 instance. We want to know whether this version of SonarQube is affected by the Spring Framework vulnerability or not.

  • If it is impacted please guide us with Recommendations

Hey there.

SonarQube is not impacted.


Even for 9.3 developer edition, I assume SQ is not impacted. Please correct me if I am wrong.

I would also like to see an announcement from SonarQube, as was done for Log4Shell ("SonarQube, SonarCloud, and the Log4J vulnerability - #142 by jf2009"), about whether SonarQube 8.9.x LTS and 9.x are affected or not.

SonarQube 8.9.7 and 8.9.8 have

sonarqube-8.9.7.52159/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/spring-core-5.2.13.RELEASE.jar
sonarqube-8.9.8.54436/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/spring-core-5.2.13.RELEASE.jar

which caused our scanner to trigger an incident regarding the CVE.
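As an added example (not from this thread and not SonarSource's code), the kind of inventory check the poster's scanner performed: walk a SonarQube install directory, pick out Spring jars by filename, and flag any whose version is below a caller-supplied minimum for its major.minor line. The sample tree is constructed from the paths quoted above, and the version thresholds in the main block are an assumption to be replaced by those in the advisory you act on.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample tree: the two jar paths quoted in the thread plus one non-Spring jar,
# created as empty stand-in files so the script runs offline.
SAMPLE_JARS = [
    "sonarqube-8.9.7.52159/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/spring-core-5.2.13.RELEASE.jar",
    "sonarqube-8.9.8.54436/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/spring-core-5.2.13.RELEASE.jar",
    "sonarqube-8.9.8.54436/lib/common/not-spring-1.0.jar",
]
# Matches e.g. spring-core-5.2.13.RELEASE.jar or spring-web-5.3.17.jar
JAR_RE = re.compile(r"^(spring-[a-z-]+)-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$")

def parse_spring_jar(name):
    """Return (artifact, (major, minor, patch)) for a Spring jar filename, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))

def find_spring_jars(root):
    """Walk an install directory and list Spring jars as (relative path, artifact, version)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            parsed = parse_spring_jar(f)
            if parsed:
                rel = os.path.relpath(os.path.join(dirpath, f), root)
                hits.append((rel, parsed[0], parsed[1]))
    return sorted(hits)

def audit(root, minimums):
    """Return the jars whose version is older than the minimum for their major.minor line."""
    return [(p, a, v) for p, a, v in find_spring_jars(root)
            if v[:2] in minimums and v < minimums[v[:2]]]

def build_sample_tree():
    """Create the constructed sample tree in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="sq-sample-")
    for rel in SAMPLE_JARS:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return root

if __name__ == "__main__":
    # Assumed thresholds (Spring Framework fix releases for Spring4Shell, CVE-2022-22965);
    # substitute the versions from the advisory you are acting on.
    for rel, artifact, version in audit(build_sample_tree(), {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}):
        print(f"{artifact} {'.'.join(map(str, version))} below minimum: {rel}")
```

Filename-based detection misses shaded or renamed jars, so treat a clean result as a first pass rather than proof of absence.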

UPDATE: SonarQube, SonarCloud, and Spring4Shell