Responding to an alleged zero-day vulnerability in SonarQube

SonarSource is aware of a claim of having obtained access to some companies’ source code using SonarQube, and we are in contact with the relevant companies.

From our investigations so far, we have no reason to believe that this is due to a zero-day vulnerability. We are continuing to monitor and investigate.

We take this as an opportunity to remind SonarQube users to verify their project access permissions, to use strong user authentication methods, and to adopt the latest supported versions of SonarQube, which take proactive steps to help users keep their code secure.

Ann

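The reminder above to verify project access permissions and authentication settings can be turned into a quick self-audit. The script below is an added example, not SonarSource's code: it assumes the documented response shapes of SonarQube's `api/projects/search` (project `visibility`) and `api/settings/values` (`sonar.forceAuthentication`) web API endpoints, and the sample responses embedded in it are constructed.

```python
import json
import urllib.request
from base64 import b64encode

# Constructed sample responses, shaped like SonarQube's api/projects/search
# and api/settings/values (assumption: field names as in the SonarQube web API docs).
SAMPLE_PROJECTS = json.loads("""{"paging":{"pageIndex":1,"pageSize":100,"total":3},
 "components":[
  {"key":"billing-core","name":"Billing Core","qualifier":"TRK","visibility":"private"},
  {"key":"web-frontend","name":"Web Frontend","qualifier":"TRK","visibility":"public"},
  {"key":"infra-tools","name":"Infra Tools","qualifier":"TRK","visibility":"public"}]}""")
SAMPLE_SETTINGS = json.loads("""{"settings":[
  {"key":"sonar.forceAuthentication","value":"false","inherited":true}]}""")

def public_projects(projects_resp):
    """Return keys of projects whose visibility is 'public' (readable by every user)."""
    return [c["key"] for c in projects_resp.get("components", [])
            if c.get("visibility") == "public"]

def force_auth_enabled(settings_resp):
    """True only if sonar.forceAuthentication is explicitly set to 'true'."""
    for s in settings_resp.get("settings", []):
        if s.get("key") == "sonar.forceAuthentication":
            return str(s.get("value", "")).lower() == "true"
    return False

def findings(projects_resp, settings_resp):
    """Risk summary: public projects are readable by any logged-in user, and by
    unauthenticated visitors as well when forced authentication is off."""
    pub = public_projects(projects_resp)
    anon = not force_auth_enabled(settings_resp)
    return {"public_projects": pub, "anonymous_access": anon,
            "exposed_to_anonymous": pub if anon else []}

def fetch(base_url, token, path):
    """GET a SonarQube web API endpoint. A user token is sent as the basic-auth
    username with an empty password, which is SonarQube's token authentication."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    req.add_header("Authorization", "Basic " + b64encode((token + ":").encode()).decode())
    with urllib.request.urlopen(req, timeout=15) as r:
        return json.load(r)

if __name__ == "__main__":
    print(findings(SAMPLE_PROJECTS, SAMPLE_SETTINGS))
    # Live use against your own server (placeholder URL and token, needs admin rights):
    # p = fetch("https://sonar.example.com", "<TOKEN>", "/api/projects/search?ps=500")
    # s = fetch("https://sonar.example.com", "<TOKEN>",
    #           "/api/settings/values?keys=sonar.forceAuthentication")
    # print(findings(p, s))
```

Any project listed under `exposed_to_anonymous` is one whose code and issues can be browsed without a login, which is the first thing to close before worrying about an alleged zero-day.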

Hi Ann,

I saw this alleged zero-day in the news this week, and it was not clear if there was actually a vulnerability identified, and whether the attacks against the alleged vulnerability were still in progress. Can we get an update on this one? Thanks.

Hi @ccharles,

Welcome to the community!

We didn’t find there to be substance to this claim. That said, you should always be on either the Latest version or the LTS to benefit from the most recent bug fixes and vulnerability patches (and features!).

HTH,
Ann