Dear .NET users,
We have discovered a vulnerability in the recently published scanner for .NET versions 9.2 and 9.2.1. This has been scored with a CVSS of 6.1.
Today, we published version 10 of the scanner with some modifications to strengthen its security. We urge users to upgrade to version 10 as soon as possible.
We will deprecate versions 9.2 and 9.2.1 on NuGet this coming Monday.
As for the content of this release, it brings two changes:
- If you use the local trust store to keep your certificate with the new sonar.scanner.truststorePath and sonar.scanner.truststorePassword properties, you will need to pass the sonar.scanner.truststorePassword property in the end step as well as in the begin step.
Here is how you would call the scanner in this version with custom certificates:
dotnet sonarscanner begin /k:"project-key" /d:sonar.token="<token>" /d:sonar.host.url="<YourSonarQubeUrl>" /d:sonar.scanner.truststorePath="<path to the truststore>" /d:sonar.scanner.truststorePassword="<YourPassword>"
dotnet build <path to project file or .sln file> --no-incremental
dotnet sonarscanner end /d:sonar.token="<token>" /d:sonar.scanner.truststorePassword="<YourPassword>"
- The scanner for .NET will now automatically find and analyze the following languages by default:
  - Python
  - Docker
  - Go
  - PHP
  - Terraform
  - CloudFormation
Because analysis using 10.0 will include additional language files, you might see an increase in your LOC consumption. If you wish to reduce this, you have two options:
- You can use the sonar.exclusions parameter to exclude certain files or directories from the analysis.
- You can set the sonar.scanAll parameter to "false" to disable the automatic discovery of languages.
In accordance with our responsible disclosure policy, we will not publish the details of the vulnerability for 90 days.
Please let us know if you have any feedback when using this version!
Denis