Lodash vulnerabilities

Hi, have a good day. We are using the sonarqube:7.9.2 image from hub.Docker.com in our env.
We found some vulnerabilities while scanning the image through the Artifactory X-ray scanner.

Vulnerability list below:

Prototype Pollution

  • Vulnerable module: lodash
  • Introduced through: lodash@3.3.0

Detailed paths

Hi,

Welcome to the community & thanks for reporting this!

I’ve referred this internally and de-listed the topic, since a public post here doesn’t follow our Responsible Vulnerability Disclosure policy.

At the same time, the current version of the LTS is 7.9.4. Versions 7.9.3 and 7.9.4 both addressed vulnerabilities. It’s not clear to me whether this was among them, but you might nonetheless want to upgrade.

We should get back to you soon on this.

Thx,
Ann

Hi @Anil_Kumar,

Thanks for the report. We do not consider ourselves at risk here:

  • We’re not using any of the affected functions.
  • Prototype pollution, although a real threat, is much harder to exploit on the frontend than it is on the backend. For this to affect us, someone would need to be able to tamper with the payloads received from the SQ backend. Given our architecture, that implies a man-in-the-middle attack, which in the end is out of our scope.

We very much appreciate your report and all reports we receive from users. More eyes are always better. At the same time, we do monitor published CVEs ourselves, as well as hiring independent security auditors to test our software on a regular basis. We’re careful, though, not to jump too quickly on publishing releases just to update dependencies, because dependency vulnerabilities aren’t always relevant to us and doing so would only generate noise for our users.

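To make the reasoning in the reply above concrete (a merge is only dangerous if it walks `__proto__`-style keys from a tampered payload into `Object.prototype`), here is an added example that is not code from the thread, from SonarQube or from lodash: a deliberately naive deep merge beside a hardened one, and a canary check a team can drop into its test suite to confirm whichever merge it actually uses does not pollute the prototype. The `xrayCanary` key and the payload are constructed for the example.

```javascript
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Deliberately naive deep merge (NOT lodash's code): it follows inherited keys,
// so a source key named "__proto__" makes it recurse into Object.prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      target[key] = naiveMerge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: copies only own keys, refuses prototype-reaching keys,
// and only recurses into objects that are the target's own plain properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // drop polluting keys outright
    const src = source[key];
    if (isPlainObject(src)) {
      const ownPlain = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Canary check: feed a merge implementation a constructed payload shaped like a
// tampered JSON response and report whether Object.prototype picked up the key.
// Always cleans up so one run cannot contaminate later tests.
function pollutesPrototype(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"xrayCanary": true}}'); // constructed sample
  try {
    mergeFn({}, payload);
    return ({}).xrayCanary === true;
  } finally {
    delete Object.prototype.xrayCanary;
  }
}
```

`pollutesPrototype(naiveMerge)` returns `true` and `pollutesPrototype(safeMerge)` returns `false`; running the canary against the real dependency tells you whether the functions you ship are among the affected ones, independent of what the scanner flags.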

Hi,

Thanks again for your report. For the record, I’ve re-listed this now that the question is resolved.

Ann