Responding to an alleged zero-day vulnerability in SonarQube

SonarSource is aware of a claim of having obtained access to some companies’ source code using SonarQube, and we are in contact with the relevant companies.

From our investigations so far, we have no reason to believe that this is due to a zero-day vulnerability. We are continuing to monitor and investigate.

We take this as an opportunity to remind SonarQube users to verify their project access permissions, to use strong user authentication methods, and to adopt the latest supported versions of SonarQube, which take proactive steps to help users keep their code secure.