Is SonarQube getting updated netty libraries (> 4.1.66) with the next release?

Our organisation is running the latest version of SonarQube Enterprise and it’s repeatedly being flagged during vulnerability scans for the following CVEs:

CVE-2021-37136 and CVE-2021-37137

This relates to the use of netty, version 4.1.66, in this location:

This was an issue for us when we were scanning SonarQube version 9.6 all the way through 9.7 and now 9.8.

Looking at the netty website, it seems that version 5 is now available, and there was a version 4.1.86 which was released on Dec 12 2022 which was probably too late to make it into SonarQube 9.8.

Will there be a newer version in the next SonarQube update?
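A defender who wants to confirm what the scanner is reporting, and later confirm that a rebuild actually replaced the bundled jars, can inventory the Netty jars under the install tree and compare their versions against the 4.1.66 the thread names. The script below is an added example, not code from Sonar, Elastic or Netty; the directory layout, jar names and the manifest-based fallback are assumptions, and the sample tree it builds is a constructed fixture, not a real install.

```python
"""Inventory bundled Netty jars under an install tree and flag the version
the thread's scanner complains about (4.1.66 or older).

Added example; not Sonar's, Elastic's or Netty's code. The install layout,
jar names and manifest fallback are assumptions.
"""
import re
import tempfile
import zipfile
from pathlib import Path

FLAGGED_MAX = (4, 1, 66)  # versions at or below this are what the scanner reports

# netty-codec-4.1.66.Final.jar, netty-all.jar (no version in name), ...
_JAR_RE = re.compile(r"^(netty(?:-[a-z0-9]+)*?)(?:-(\d+\.\d+\.\d+)(?:\.Final)?)?\.jar$")
_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '4.1.66.Final' or ' 4.1.87' into a comparable tuple of ints."""
    m = _VER_RE.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def manifest_version(jar_path):
    """Fallback: read Implementation-Version from META-INF/MANIFEST.MF."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def classify_jar(jar_path):
    """Return (artifact, version_tuple, flagged) for a Netty jar, else None."""
    m = _JAR_RE.match(jar_path.name)
    if not m:
        return None
    version = parse_version(m.group(2)) if m.group(2) else manifest_version(jar_path)
    flagged = version is not None and version <= FLAGGED_MAX
    return m.group(1), version, flagged


def inventory(root):
    """Walk an install tree and classify every Netty jar found, sorted by path."""
    root = Path(root)
    results = []
    for jar in sorted(root.rglob("*.jar")):
        hit = classify_jar(jar)
        if hit:
            results.append((str(jar.relative_to(root)), *hit))
    return results


def make_sample_tree():
    """Constructed fixture: a fake elasticsearch/lib with a mix of jar versions."""
    root = Path(tempfile.mkdtemp(prefix="sq-netty-"))
    es_lib = root / "elasticsearch" / "lib"
    es_lib.mkdir(parents=True)
    fixtures = [
        ("netty-all.jar", "4.1.66.Final"),            # version only in manifest
        ("netty-buffer-4.1.66.Final.jar", "4.1.66.Final"),
        ("netty-codec-4.1.66.Final.jar", "4.1.66.Final"),
        ("netty-handler-4.1.87.Final.jar", "4.1.87.Final"),  # patched release
        ("lucene-core-8.11.1.jar", "8.11.1"),         # not Netty, must be ignored
    ]
    for name, impl in fixtures:
        with zipfile.ZipFile(es_lib / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {impl}\n")
    return root


if __name__ == "__main__":
    # Point inventory() at a real install (e.g. the SonarQube home) instead of the fixture.
    for rel, artifact, ver, flagged in inventory(make_sample_tree()):
        shown = ".".join(map(str, ver)) if ver else "unknown"
        print(f"{'FLAGGED' if flagged else 'ok     '} {artifact} {shown}  ({rel})")
```

Run it against the actual SonarQube home directory instead of the fixture to get the same list the scanner sees; jars whose filename carries no version are resolved through the manifest, and anything that still reports "unknown" deserves a manual look rather than being assumed safe.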

Hey there.

SonarQube bundles a version of Elasticsearch (v7.17.8) which bundles this version of Netty.

SonarQube is not vulnerable to either CVE-2021-37136 or CVE-2021-37137, as Elasticsearch itself doesn’t use the functionality that these vulnerabilities relate to (the Bzip2Decoder or SnappyFrameDecoder).

There are no plans to upgrade the version of Elasticsearch to a new major version until SonarQube v10.x.

OK. Thanks very much for the information.

It should be possible to exclude the bundled version of netty and rebuild with a patched release, like 4.1.87, without changing all the contracts. This release patch is specifically to resolve the relevant CVEs:

Can we at least get a patch release on 9.X with a hotfix?