Question about Docker image's security policy

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    sonarqube:10.2.1-community
  • how is SonarQube deployed: zip, Docker, Helm
    Docker
  • what are you trying to achieve
    I’d like to know Docker image’s security policy.
  • what have you tried so far to achieve this

Hi there,

I’m working with the SonarQube Docker image and I’d like to know about the Docker image’s vulnerability management policy.
The SonarQube Docker image contains multiple vulnerabilities. It can be seen on Docker Hub, like here.

https://hub.docker.com/layers/library/sonarqube/10.2.1-community/images/sha256-1813e85b6bba2fb61ba60be2c4d30ba8e8630850de7dda2765fcc5efe02e7634?context=explore

I must evaluate the security risks of these existing vulnerabilities, but I’m not sure they are actually vulnerable (exploitable) in SonarQube itself.
So I’d like to know your approach to vulnerabilities derived from dependencies.
Of course, it is difficult to eliminate all vulnerabilities, but I guess there is some policy to reduce security risks.

If you know (have) any document where the policy is described, please share it with me.

Hey there.

We patch exploitable vulnerabilities on the most recent LTS version (currently v9.9.3) and the latest versions (currently v10.2) of SonarQube. No other versions receive updates. You’ll find far fewer vulnerabilities on the latest version, but that’s almost entirely because we updated to the latest version of dependencies out of habit.

Specific issues can be enquired about by following our responsible disclosure policy which asks that you email security@sonarsource.com rather than making public posts.
