Is SonarQube getting updated netty libraries (> 4.1.66) with the next release?

Colin · January 10, 2023, 2:30pm

Hey there.

SonarQube bundles a version of Elasticsearch (v7.17.8) which bundles this version of Netty.

SonarQube is not vulnerable to either CVE-2021-37136 or CVE-2021-37137, as Elasticsearch itself doesn’t use the functionality that these vulnerabilities relate to (the Bzip2Decoder or SnappyFrameDecoder).

There are no plans to upgrade the version of Elasticsearch to a new major version until SonarQube v10.x.

Topic		Replies	Views
Trivy Scans of SonarQube 9.8.0 Docker Image Show Several Vulnerabilities SonarQube Server / Community Build	3	2363	February 7, 2023
Vulnerabilities in sonarQube version 9.6.1.59531 SonarQube Server / Community Build java , sonarqube	1	749	October 17, 2022
SonarQube Community Build 25.5.0.107428 released Releases	3	1196	May 20, 2025
SonarQube 8.9.6 LTS and 9.2.4 released Releases sonarqube	2	8511	December 21, 2021
SonarQube 8.9.5 LTS and 9.2.3 released Releases sonarqube	2	4047	December 16, 2021

Is SonarQube getting updated netty libraries (> 4.1.66) with the next release?

Related topics