I was wondering if and when patches will be available?
I would have asked this through some kind of private channel, but Sonar does not provide any support nor can security contacts be found anywhere (which is quite a bad security posture for an organisation developing a SAST, tbh).
We are aware of this report and are currently evaluating the impact of this finding.
In regard to your other question: we have a responsible disclosure guide here, which would be the correct way to report this finding.
I have unlisted your post until we are done with the evaluation. After that I will relist this thread with an update message.
Thanks. I failed to check the well-known location, and a community post for your responsible disclosure guide is basically unfindable through Google. I would really suggest also including a link somewhere on your website, like on Contact | SonarSource, as that is where people will be looking if they want to contact you regarding something.