Java 11 and Java 17 in Sonarqube VM

DEV: Sonarqube Enterprise 2025.1.1 LTA
PROD: Sonarqube Enterprise 9.9.8 LTA

Infosec has flagged my VM hosting SonarQube, citing a vulnerability in Java 11.0.25 (OpenJDK). I recall that SonarQube runs on Java 17, and upon checking my VM, I confirmed that Java 17 is indeed being used for SonarQube.

Is there a specific reason why Java 11 is installed and actively utilized by SonarQube on my VM? I’m considering removing Java 11 but couldn’t find an official RPM package for OpenJDK 11.0.26 in Red Hat—perhaps it’s no longer available. What are your thoughts on this?

If it helps, the VM used to host old versions of Sonar, if I remember it right, as old as 8.5 to 8.9.

Do the 9.9.8 LTA and 2025.1.1 use Java 11 for your scanners?

For SQ 2025.1 LTA server you can use JDK 17 or 21 (10.x required JDK 17).

Depending on your environment, auto-provisioning for the clients is available, which still requires some Java version installed on your SQ client (build agent).
If auto-provisioning is not supported, the client should have JDK 17 installed according to the linked docs.

Am I correct that as long as the Java path for Sonarqube is set to JDK 17 then the previous JDK 11 installed can already be removed?

SonarQube Server 9.9.8 doesn’t even run on Java 11, it requires Java 17. I think it’s safe to remove Java 11.

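One way to confirm the premise of the answer above before removing the Java 11 package: check which JDK each running SonarQube process actually executes, and list which OpenJDK packages are still installed. This is an added example written for this thread, not code from SonarSource or from any participant; it assumes a Linux host with /proc, pgrep and rpm (Red Hat style), and uses the minimum major version 17 stated in the thread. The banner parsing handles both the modern "17.0.9" / "21" and the legacy "1.8.0_392" formats.

```shell
#!/bin/sh
# Added example (not from the thread): report the JDK behind every running
# SonarQube-related process and the OpenJDK packages still installed.
# Assumptions: Linux /proc, pgrep, rpm. SonarQube 9.9+ requires Java 17.

MIN_MAJOR="${MIN_MAJOR:-17}"

# Print the major version from a `java -version` banner line.
# "17.0.9" -> 17, "21" -> 21, legacy "1.8.0_392" -> 8. Prints 0 and fails
# when the line carries no quoted version (e.g. a non-Java binary).
java_major_from_banner() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo 0; return 1; }
    case "$ver" in
        1.*) echo "$ver" | cut -d. -f2 ;;
        *)   echo "$ver" | cut -d. -f1 ;;
    esac
}

# Succeeds when the given major version meets MIN_MAJOR.
meets_minimum() {
    [ "$1" -ge "$MIN_MAJOR" ]
}

# Resolve the executable of a PID through /proc and print its Java major version.
# Fails for processes we cannot inspect or that are not a JVM (shell wrappers etc.).
java_major_for_pid() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || return 1
    banner=$("$exe" -version 2>&1 | head -n 1)
    java_major_from_banner "$banner"
}

# Walk every process whose command line mentions "sonar" (server, scanner,
# Elasticsearch child) and flag any JVM older than MIN_MAJOR. Returns 1 if any fail.
check_sonar_processes() {
    rc=0
    for pid in $(pgrep -f sonar 2>/dev/null); do
        major=$(java_major_for_pid "$pid") || continue
        exe=$(readlink "/proc/$pid/exe")
        if meets_minimum "$major"; then
            echo "OK   pid=$pid java=$exe major=$major"
        else
            echo "FAIL pid=$pid java=$exe major=$major (< $MIN_MAJOR)"
            rc=1
        fi
    done
    return $rc
}

# Show leftover JDK/JRE packages (e.g. java-11-openjdk) that a scanner may flag.
list_installed_jdks() {
    command -v rpm >/dev/null 2>&1 && rpm -qa 'java-*-openjdk*' | sort
}

if [ "${1:-}" = "--run" ]; then
    echo "== SonarQube processes =="; check_sonar_processes
    echo "== Installed OpenJDK packages =="; list_installed_jdks
fi
```

Run it as `sh check_sonar_jdk.sh --run` on the VM; an all-OK process list alongside a `java-11-openjdk` line in the package list is the situation described in the thread, where the old package is installed but unused. Inspecting `/proc/<pid>/exe` rather than `JAVA_HOME` or `java -version` from a login shell matters because the service may have been started with a different path than the one in your interactive environment.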