Is there "official" SonarQube documentation that states version 9.9 is NOT impacted by CVE-2022-42889


We are upgrading from 7.9 to 9.9 and need to provide “official” documentation to evidence that 9.9 is NOT impacted by CVE-2022-42889?

There is no official documentation, although we have posted updates in this forum (which are “official”). We never used the vulnerable methods.

And we actually removed the relevant dependencies anyway in SonarQube v9.8, before SonarQube v9.9 was released. Is this coming up on a scan you’re doing of the binaries, or just a box you need to tick off?

It’s getting flagged in a scan. We need vendor documentation stating it’s remediated in the version we are upgrading to (9.9).

And you’re sure that it’s SonarQube 9.9 LTS being scanned, not the intermediary SonarQube 8.9 LTS you’re upgrading to? Any details you can provide from that scan, like where it’s finding the dependency, would be super helpful.

We don’t have anything in our documentation that speaks to specific CVEs. You’ll have to rely on statements from SonarSourcers such as:

It is the older version. We are in the process of upgrading and have a security requirement to provide documentation that attests the new version will remediate the vulnerability existing in the old (still current at the moment) version. Sorry for the confusion. I’ll present the documentation you have provided to our security team and cross my fingers.


Thanks! Now I understand a bit more.

SonarQube v9.9 does not even contain the dependency (we were never vulnerable, but we didn’t really need it and it made things easier) so I don’t expect it to be flagged at all if a scan is made of the new version.

Scans like this are inherently noisy – and there’s a cost-benefit analysis that has to be done (especially if we aren’t actually vulnerable) of whether to backport an upgrade to fix the noise… or focus on the stability of our LTS versions. We tend to choose the latter, and only fix “real” vulnerabilities on LTS versions.
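Since the scanner is flagging the old install and the new one is expected to contain no Apache Commons Text jar at all, the most convincing evidence for a security team is usually a listing taken from the actual distribution rather than a forum statement. The script below is an added example and is not SonarSource's code or anything from this thread: it walks an install directory for Maven-style `commons-text-<version>.jar` files and classifies each against CVE-2022-42889 (Apache Commons Text 1.5 through 1.9 affected; fixed in 1.10.0). It assumes the artifact keeps its Maven file name (a shaded or repackaged copy would not be caught), and the sample directory trees it builds are constructed for demonstration, not real SonarQube layouts.

```shell
#!/bin/sh
# Added example, not from SonarSource or from this thread. Scans an install
# directory for Apache Commons Text jars and classifies each one against
# CVE-2022-42889 (commons-text 1.5 through 1.9 affected; fixed in 1.10.0).
# Assumption: jars keep their Maven name, commons-text-<version>.jar.

# Map a commons-text version string to a verdict for CVE-2022-42889.
ct_version_status() {
    ver="$1"
    case "$ver" in
        *[!0-9.]*|"") echo UNKNOWN; return ;;   # not a plain dotted number
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major.$minor" in
        1.5|1.6|1.7|1.8|1.9) echo VULNERABLE ;;
        *) echo NOT_AFFECTED ;;
    esac
}

# Print "<path> <version> <status>" for every commons-text jar under $1.
scan_commons_text() {
    find "$1" -type f -name 'commons-text-*.jar' 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r jar; do
        ver=$(basename "$jar" .jar)
        ver=${ver#commons-text-}
        printf '%s %s %s\n' "$jar" "$ver" "$(ct_version_status "$ver")"
    done
}

# Whole-install verdict: VULNERABLE if any affected jar is present, UNKNOWN if
# a version could not be parsed, NOT_AFFECTED if only fixed versions exist,
# CLEAN if no commons-text jar exists at all (what the thread expects for 9.9).
install_verdict() {
    report=$(scan_commons_text "$1")
    if [ -z "$report" ]; then
        echo CLEAN
    elif printf '%s\n' "$report" | grep -q ' VULNERABLE$'; then
        echo VULNERABLE
    elif printf '%s\n' "$report" | grep -q ' UNKNOWN$'; then
        echo UNKNOWN
    else
        echo NOT_AFFECTED
    fi
}

# Constructed sample trees (NOT real SonarQube layouts): an "old" install that
# still ships an affected jar and a "new" install with no commons-text jar.
make_sample_installs() {
    base=$(mktemp -d)
    mkdir -p "$base/old/lib/common" "$base/old/extensions/plugins" \
             "$base/new/lib/common" "$base/new/extensions/plugins"
    : > "$base/old/lib/common/commons-text-1.9.jar"
    : > "$base/old/lib/common/commons-lang3-3.12.0.jar"
    : > "$base/new/lib/common/commons-lang3-3.12.0.jar"
    echo "$base"
}

# Usage against a real install (hypothetical path):
#   sh scan.sh /opt/sonarqube
if [ -n "$1" ]; then
    scan_commons_text "$1"
    install_verdict "$1"
fi
```

The per-jar listing (path, version, status) is the artifact to attach to the security ticket: run it against the 7.9 install to show the finding the scanner is reporting, then against the unpacked 9.9 distribution to show the jar is absent. If the scanner still flags 9.9, compare its reported file path with this listing; a match on something other than a `commons-text-*.jar` points at a shaded copy or a different component.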