Is sonarqube affected by Spring Framework Remote Code Execution Vulnerability

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    sonarqube Enterprise Edition Version 8.9.7
  • what are you trying to achieve
    We deploy SonarQube on AliCloud. Today we got a security warning for Spring Framework Remote Code Execution Vulnerability. Please see the screenshot.
  • what have you tried so far to achieve this
    Updated to the LTS version, but still face the problem.

Hey there.

SonarQube is not impacted.

Hi Colin,

Thanks for your reply. So it means that I can ignore the alert from the Ali public cloud security center, right? Below are the details of the alert:

Impact description

Software: spring 5.2.13.RELEASE
Process ID: 1964039
Path: /opt/sonarqube/data/web/deploy/plugins/securityjavafrontend/sonar-security-java-frontend-plugin-8.9.0.11439.jar(META-INF/lib/spring-core-5.2.13.RELEASE.jar)
Hit: spring runtimeEnvVersion more than equals 1.9.0、spring version less than equals 5.2.19
Container Name: k8s_sonarqube_sonarqube-test-665778996-nwqhx_default_63d15144-32b8-4098-8619-3a5104ad6680_0
Image Name: shdr-applications-registry-vpc.cn-shanghai.cr.aliyuncs.com/shdr-cse/sonarqube@sha256:26502b922ed3ecc617112bf21a7af6e9b53dbc3be77a1a20d2a0e3e722441794
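Added here as a triage check, not code from this thread or from SonarSource: a Python script that finds spring-core jars nested inside plugin jars (the alert's Path points at exactly such a nested jar under META-INF/lib) and applies the version rule quoted in the alert's Hit line, so you can inventory what the cloud scanner is matching on. The JDK version string, the plugin directory argument and the sample jar are assumptions or constructed; the thresholds are the ones the alert quotes, not taken from a vendor advisory.

```python
import io
import re
import zipfile
from pathlib import Path

# Matches a spring-core jar entry such as META-INF/lib/spring-core-5.2.13.RELEASE.jar
SPRING_CORE_RE = re.compile(r"(?:^|/)spring-core-(\d[\w.-]*)\.jar$")

def parse_version(text):
    """'5.2.13.RELEASE' -> (5, 2, 13); '1.8.0_292' -> (1, 8, 0)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def java_major(runtime_env_version):
    """Feature release of a JDK version string: '1.8.0_292' -> 8, '1.9.0' -> 9, '11.0.2' -> 11."""
    parts = parse_version(runtime_env_version)
    return parts[1] if parts[0] == 1 and len(parts) > 1 else parts[0]

def is_hit(spring_version, runtime_env_version):
    """The rule quoted in the alert: JDK 9 or newer and spring-core 5.2.19 or older."""
    return java_major(runtime_env_version) >= 9 and parse_version(spring_version) <= (5, 2, 19)

def spring_core_jars(jar_bytes, outer_name, depth=0):
    """Yield (path, version) for every spring-core jar in a jar, descending into nested jars."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            match = SPRING_CORE_RE.search(name)
            if match:
                yield f"{outer_name}({name})", match.group(1)
            elif name.endswith(".jar") and depth < 2:  # e.g. a plugin jar bundling its libraries
                yield from spring_core_jars(zf.read(name), f"{outer_name}({name})", depth + 1)

def scan_directory(root, runtime_env_version):
    """Return (path, version) hits for all jars under root, e.g. the SonarQube plugins directory."""
    hits = []
    for jar in Path(root).rglob("*.jar"):
        for path, version in spring_core_jars(jar.read_bytes(), str(jar)):
            if is_hit(version, runtime_env_version):
                hits.append((path, version))
    return hits

def build_sample_plugin_jar(spring_version="5.2.13.RELEASE"):
    """Constructed sample (not a real plugin): an outer jar embedding spring-core under META-INF/lib."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("org/springframework/core/SpringVersion.class", b"")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"META-INF/lib/spring-core-{spring_version}.jar", inner.getvalue())
    return outer.getvalue()
```

Running `scan_directory("/opt/sonarqube/data/web/deploy/plugins", "11.0.2")` inside the container (JDK string assumed) lists every embedded spring-core jar the alert's rule would match, which is the inventory to weigh against the vendor's statement that the product is not impacted.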