Possible to upgrade ElasticSearch version inside SonarQube Developer Edition 10.3.0.82913

SonarQube Server / Community Build
1

Our instance of SonarQube was flagged as having an out-of-date Elasticsearch version (8.11.0) that contains security vulnerabilities. We must upgrade the ElasticSearch version (8.11.0) to (8.11.1). Due to external factors related to internal automation software, we cannot upgrade the SonarQube version at this time. Upgrade only Elasticsearch to the 8.11.1 version inside Sonarqube is possible?

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Version: SonarQube Developer Edition 10.3.0.82913
  • how is SonarQube deployed: zip, Docker, Helm
    SonarQube deployed: zip
  • what are you trying to achieve
    Our instance of SonarQube was flagged as having an out-of-date Elasticsearch version (8.11.0) that contains security vulnerabilities. We must upgrade the ElasticSearch version (8.11.0) to (8.11.1). Due to external factors related to internal automation software, we cannot upgrade the SonarQube version at this time. Upgrade only Elasticsearch to the 8.11.1 version inside Sonarqube is possible?
  • what have you tried so far to achieve this

Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!

2

Hey there.

It’s not possible to update the embedded Elasticsearch. SonarQube v10.3 is an EOL, non-active version of SonarQube.

Even SonarQube v10.5 still uses v8.11.0. In SonarQube v10.6, this will be bumped to v8.13.4.

3

Is it Possible to integrate the Sonarqube application with External Elasticsearch? If we have our instance of Elasticsearch (8.11.1), can we integrate it with SonarQube? Is this supported?
If not can you please help me understand the reason?

4

SonarQube simply doesn’t integrate with external elastic search servers. It’s not architected to do so, and there’s no connection available to “plug it in,” so to speak.

We currently have no reason to believe we’re vulnerable to any CVEs reported against Elastisearch 8.11, and will update the embedded Elasticsearch as we routinely do in SonarQube 10.6.