Hi, have a good day. We are using the sonarqube:7.9.2 image from hub.Docker.com in our environment.
We found some vulnerabilities while scanning the image with the Artifactory X-ray scanner.
At the same time, the current version of the LTS is 7.9.4. Versions 7.9.3 and 7.9.4 both addressed vulnerabilities. It’s not clear to me whether this was among them, but you might nonetheless want to upgrade.
Thanks for the report. We do not consider ourselves at risk here:
We’re not using any of the affected functions.
Prototype pollution, although a real threat, is much harder to exploit on the frontend than it is on the backend. For this to affect us, someone would need to be able to tamper with the payloads received from the SQ backend. Given our architecture, that implies a man-in-the-middle attack, which in the end is out of our scope.
We very much appreciate your report and all reports we receive from users. More eyes are always better. At the same time, we do monitor published CVEs ourselves, as well as hiring independent security auditors to test our software on a regular basis. We're careful, though, not to jump too quickly on publishing releases just to update dependencies, because dependency vulnerabilities aren't always relevant to us and doing so would only generate noise for our users.
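To make the frontend risk discussed above concrete, here is an added example (not SonarQube's code) of the defensive side: a merge helper that skips the keys prototype-pollution payloads depend on, plus a scan that flags such keys in a received payload. The payload and the `safeMerge`, `findUnsafeKeys` and `prototypeIsClean` names are constructed for this illustration.

```javascript
// Added example, not SonarQube code: hardening a deep merge against a tampered API payload.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Deep-merge `source` into `target`, refusing unsafe keys at every nesting level
// so no write can reach Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // never walk into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection aid: list the dotted paths of any unsafe keys present in a parsed payload.
function findUnsafeKeys(obj, path = "") {
  const hits = [];
  for (const key of Object.keys(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (UNSAFE_KEYS.has(key)) hits.push(here);
    if (isPlainObject(obj[key])) hits.push(...findUnsafeKeys(obj[key], here));
  }
  return hits;
}

// Post-condition check: a property name must not have leaked onto Object.prototype.
function prototypeIsClean(name) {
  return !(name in Object.prototype) && ({})[name] === undefined;
}

// Constructed sample of the kind of tampered response the reply above refers to.
// JSON.parse yields an own "__proto__" key here; a naive recursive merge would
// follow it and write isAdmin onto Object.prototype.
const tamperedPayload = JSON.parse(
  '{"settings":{"theme":"dark"},"__proto__":{"isAdmin":true}}'
);
```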