Must-share information (formatted with Markdown):

• which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
  sonarqube Enterprise Edition Version 8.9.7
• what are you trying to achieve
  we deploy sonarqube on ALiCLoud, Today we got security warning for Spring Framework Remote Code Execution Vulnerability. please see the screenshot.
• what have you tried so far to achieve this
  update to the lts version but still face the problem.

sonarqube2344×1426 427 KB

Hey there.

SonarQube is not impacted.

Hi Colin，

Thanks for your reply. So It means that I can ignore the alert from ALi public cloud security center, right? Below is the details of the alter:

Impact description

Software：

spring 5.2.13.RELEASE

Process ID.：

1964039

Path：

/opt/sonarqube/data/web/deploy/plugins/securityjavafrontend/sonar-security-java-frontend-plugin-8.9.0.11439.jar(META-INF/lib/spring-core-5.2.13.RELEASE.jar)

Hit：

spring runtimeEnvVersion more than equals 1.9.0、spring version less than equals 5.2.19

Container Name：

k8s_sonarqube_sonarqube-test-665778996-nwqhx_default_63d15144-32b8-4098-8619-3a5104ad6680_0

Image Name：

shdr-applications-registry-vpc.cn-shanghai.cr.aliyuncs.com/shdr-cse/sonarqube@sha256:26502b922ed3ecc617112bf21a7af6e9b53dbc3be77a1a20d2a0e3e722441794