Our organisation is running the latest version of SonarQube Enterprise and it’s repeatedly being flagged during vulnerability scans for the following CVEs:
CVE-2021-37136 and CVE-2021-37137
This relates to the use of netty, version 4.1.66, in these locations:
./elasticsearch/modules/transport-netty4/netty-buffer-4.1.66.Final.jar
./elasticsearch/modules/transport-netty4/netty-codec-4.1.66.Final.jar
./elasticsearch/modules/transport-netty4/netty-codec-http-4.1.66.Final.jar
./elasticsearch/modules/transport-netty4/netty-common-4.1.66.Final.jar
./elasticsearch/modules/transport-netty4/netty-handler-4.1.66.Final.jar
./elasticsearch/modules/transport-netty4/netty-resolver-4.1.66.Final.jar
./elasticsearch/modules/transport-netty4/netty-transport-4.1.66.Final.jar
This was an issue for us when we were scanning SonarQube version 9.6 all the way through 9.7 and now 9.8.
Looking at the netty website, it seems that version 5 is now available, and there was a version 4.1.86, released on Dec 12 2022, which was probably too late to make it into SonarQube 9.8.
Will there be a newer version in the next SonarQube update?
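Added example (not part of the original post, and not SonarSource's or netty's code): a small Python script that does what the scanner above is doing, but in a form you can run against a SonarQube install directory yourself after an upgrade, so you can confirm which netty jars are still below a given version. The sample paths are the ones listed in the post plus two constructed entries (one newer netty jar and one non-netty jar) to show both branches. The threshold version is taken from the command line; the default of 4.1.68.Final is assumed here as the release that fixed CVE-2021-37136 and CVE-2021-37137, which the post does not state, so check it against the netty advisory for those CVEs before relying on it.

```python
import os
import re
import sys
from typing import Iterable, List, Optional, Tuple

# Matches netty artifact jars such as netty-codec-http-4.1.66.Final.jar and
# captures the artifact name and the numeric version.
NETTY_JAR_RE = re.compile(
    r"^(netty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)(?:\.Final)?\.jar$"
)

Version = Tuple[int, int, int]

# Constructed sample: the seven jars from the post, one newer netty jar and
# one unrelated jar. Not a listing of a real SonarQube installation.
SAMPLE_PATHS = [
    "./elasticsearch/modules/transport-netty4/netty-buffer-4.1.66.Final.jar",
    "./elasticsearch/modules/transport-netty4/netty-codec-4.1.66.Final.jar",
    "./elasticsearch/modules/transport-netty4/netty-codec-http-4.1.66.Final.jar",
    "./elasticsearch/modules/transport-netty4/netty-common-4.1.66.Final.jar",
    "./elasticsearch/modules/transport-netty4/netty-handler-4.1.66.Final.jar",
    "./elasticsearch/modules/transport-netty4/netty-resolver-4.1.66.Final.jar",
    "./elasticsearch/modules/transport-netty4/netty-transport-4.1.66.Final.jar",
    "./constructed/netty-common-4.1.86.Final.jar",   # constructed: already newer
    "./constructed/lucene-core-9.4.jar",             # constructed: not netty
]


def parse_version(text: str) -> Version:
    """Parse '4.1.68' or '4.1.68.Final' into a tuple that compares numerically."""
    parts = text.split(".")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def parse_netty_jar(path: str) -> Optional[Tuple[str, Version]]:
    """Return (artifact, version) for a netty jar filename, or None if it is not one."""
    m = NETTY_JAR_RE.match(os.path.basename(path))
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def find_outdated(paths: Iterable[str], min_version: Version) -> List[Tuple[str, str]]:
    """Return (path, version) for every netty jar whose version is below min_version."""
    outdated = []
    for path in paths:
        parsed = parse_netty_jar(path)
        if parsed is None:
            continue
        _artifact, version = parsed
        if version < min_version:
            outdated.append((path, ".".join(str(n) for n in version)))
    return outdated


def scan_install_dir(root: str, min_version: Version) -> List[Tuple[str, str]]:
    """Walk an install directory (e.g. the SonarQube root) and report old netty jars."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.append(os.path.join(dirpath, name))
    return find_outdated(paths, min_version)


if __name__ == "__main__":
    # Usage: python netty_check.py /opt/sonarqube [4.1.68.Final]
    # Assumed default threshold; confirm it against the netty advisory.
    threshold = parse_version(sys.argv[2] if len(sys.argv) > 2 else "4.1.68.Final")
    results = scan_install_dir(sys.argv[1], threshold) if len(sys.argv) > 1 \
        else find_outdated(SAMPLE_PATHS, threshold)
    for path, version in results:
        print(f"{version}\t{path}")
    sys.exit(1 if results else 0)
```

Run without arguments it evaluates the constructed sample; with a directory argument it walks that tree instead. The non-zero exit status when anything is below the threshold makes it easy to drop into a post-upgrade check before the next scheduled vulnerability scan.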