Is there "official" sonarqube documentation that states version 9.9 is NOT impacted by CVE-2022-4288

And you’re sure that it’s SonarQube 9.9 LTS being scanned, not the intermediary SoanrQube 8.9 LTS you’re upgrading to? Any details you can provide from that scan, like where it’s finding the dependency, would be super helpful.

We don’t have anything in our documentation that speaks to specific CVEs. You’ll have to rely on statements from SonarSourcers such as: