Must-share information (formatted with Markdown):
which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
Developer Edition 9.2.4
what are you trying to achieve
We have deployed Sonarqube in AWS ec2 instance. Wanted to know this version fo Sonar is effected or not with Spring Framwork vulnerability
If it is impacted please guide us with Recommendations
Hey there.
SonarQube is not impacted.
Even for 9.3 developer edition, I assume SQ is not impacted. Please correct me if I am wrong.
I would also like to see an announcement from Sonarqube - as done with Log4Shell SonarQube, SonarCloud, and the Log4J vulnerability - #142 by jf2009 - about if Sonarqube 8.9.x LTS, 9.x are affected or not.
SonarQube 8.9.7 and 8.9.8 has
sonarqube-8.9.7.52159/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/spring-core-5.2.13.RELEASE.jar
sonarqube-8.9.8.54436/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/spring-core-5.2.13.RELEASE.jar
which caused our scanner to trigger an incident regarding the CVE.