I would also like to see an announcement from SonarQube, as was done with Log4Shell ("SonarQube, SonarCloud, and the Log4J vulnerability - #142 by jf2009"), about whether SonarQube 8.9.x LTS and 9.x are affected or not.
SonarQube 8.9.7 and 8.9.8 have
sonarqube-8.9.7.52159/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/spring-core-5.2.13.RELEASE.jar
sonarqube-8.9.8.54436/data/web/deploy/plugins/securityjavafrontend/META-INF/lib/spring-core-5.2.13.RELEASE.jar
which caused our scanner to trigger an incident regarding the CVE.