Is SonarQube getting updated netty libraries (> 4.1.66) with the next release?

Our organisation is running the latest version of SonarQube Enterprise and it’s repeatedly being flagged during vulnerability scans for the following CVEs:

CVE-2021-37136 and CVE-2021-37137

This relates to the use of netty, version 4.1.66, in these locations:
./elasticsearch/modules/transport-netty4/netty-buffer-4.1.66.Final.jar
./elasticsearch/modules/transport-netty4/netty-codec-4.1.66.Final.jar
./elasticsearch/modules/transport-netty4/netty-codec-http-4.1.66.Final.jar
./elasticsearch/modules/transport-netty4/netty-common-4.1.66.Final.jar
./elasticsearch/modules/transport-netty4/netty-handler-4.1.66.Final.jar
./elasticsearch/modules/transport-netty4/netty-resolver-4.1.66.Final.jar
./elasticsearch/modules/transport-netty4/netty-transport-4.1.66.Final.jar

This was an issue for us when we were scanning SonarQube version 9.6 all the way through 9.7 and now 9.8.

Looking at the netty website, it seems that version 5 is now available, and there was a version 4.1.86 which was released on Dec 12 2022 which was probably too late to make it into SonarQube 9.8.

Will there be a newer version in the next SonarQube update?
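The jar list above is exactly what a file-based vulnerability scanner keys on: the Netty version in the jar file name. The following script is an added example, not code from the thread or from SonarSource, for triaging such findings on a SonarQube install. It walks an install root, parses the version out of every `netty-*-<x.y.z>.Final.jar` name, and flags jars older than 4.1.68.Final, the first Netty release that fixed CVE-2021-37136 and CVE-2021-37137 (the threshold is an assumption you should confirm against the Netty release notes; the jar naming convention and the function names are likewise the example's own). Jars that do not follow the Maven `netty-<module>-<version>.Final.jar` pattern are skipped, so check the output against `find` if you expect exotic names.

```shell
#!/bin/sh
# Added example (not from the thread or SonarQube): report bundled Netty jars
# under a SonarQube install and flag any older than the release assumed to have
# fixed CVE-2021-37136 / CVE-2021-37137.
# Assumption: jars use the Maven name netty-<module>-<major>.<minor>.<patch>.Final.jar.

FIXED_NETTY="4.1.68"   # assumed fix release; verify against the Netty release notes

# Turn "4.1.66" into a sortable integer (4*1000000 + 1*1000 + 66 = 4001066).
netty_version_key() {
  echo "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Extract "4.1.66" from ".../netty-codec-http-4.1.66.Final.jar"; prints nothing
# for names that do not match the assumed pattern.
netty_jar_version() {
  basename "$1" | sed -n 's/^netty-.*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)\.Final\.jar$/\1/p'
}

# Print "<path> <version> VULNERABLE|OK" for every recognised Netty jar under $1.
scan_netty_jars() {
  root="$1"
  fixed_key=$(netty_version_key "$FIXED_NETTY")
  find "$root" -type f -name 'netty-*.jar' | sort | while read -r jar; do
    ver=$(netty_jar_version "$jar")
    [ -n "$ver" ] || continue
    if [ "$(netty_version_key "$ver")" -lt "$fixed_key" ]; then
      echo "$jar $ver VULNERABLE"
    else
      echo "$jar $ver OK"
    fi
  done
}

# Number of jars flagged VULNERABLE under $1 (0 when none; never fails).
count_vulnerable() {
  scan_netty_jars "$1" | grep -c ' VULNERABLE$' || true
}

# Usage: sh netty_scan.sh /opt/sonarqube
if [ $# -ge 1 ]; then
  scan_netty_jars "$1"
fi
```

A version-only check tells you what the scanner sees, not whether the code path is reachable; the two CVEs are in Netty's Bzip2 and Snappy frame decoders, so a finding on these jars is only exploitable if something in the bundled Elasticsearch actually wires those decoders into a network-facing pipeline. Use the script to prioritise, then confirm reachability before treating the finding as a real exposure.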

Hey there.

SonarQube bundles a version of Elasticsearch (v7.17.8) which bundles this version of Netty.

SonarQube is not vulnerable to either CVE-2021-37136 or CVE-2021-37137, as Elasticsearch itself doesn’t use the functionality that these vulnerabilities relate to (the Bzip2Decoder or SnappyFrameDecoder).

There are no plans to upgrade the version of Elasticsearch to a new major version until SonarQube v10.x.

OK. Thanks very much for the information.

It should be possible to exclude the bundled version of netty and rebuild with a patched release, like 4.1.87, without changing all the contracts. This patch release is specifically meant to resolve the relevant CVEs:

https://netty.io/news/2022/12/12/4-1-86-Final.html

Can we at least get a patch release on 9.X with a hotfix?