SonarQube 9.5 release notes reference security fixes:
SonarQube 8.9.9 release notes reference security fixes:
For all these issues, the description is only “Details will be provided later.”
All 4 issues were resolved over a month ago. Please can they be updated with details ASAP. Otherwise, how can SQ admins decide whether or not they are impacted and need to upgrade sooner rather than later?
Or at least share a severity, ideally a CVE score. With minor security issues we may wait until 9.6, a critical issue would mean “patch today”.
Thanks for the question. It’s very valid and it prompted me to ping the Product Manager to make a public statement on his policy around this. And that… prompted him to re-examine the policy.
Hopefully we’ll have something here soon.
Any updates on this? Should we patch our environments asap?
Sorry for the continued delay for a canonical answer. Hopefully we’ll have one soon for you.
In general, it’s best to stay on either the latest patch of the LTS or the latest release.
In the long run, VEX is the way to go… a machine-readable format for exchange of exploitability information.
See also What’s a VEX? What isn’t a VEX? for a good independent take.
I say “long run” because to really make VEX work for communicating to thousands of customers, there need to be a transport mechanism. But that is coming…
OWASP CycloneDX Launches SBOM Exchange API, Standardizing SBOM Distribution
It will come faster if more people jump in and help! =)
Sorry for the delay. We added to these tickets an estimation of the severity (revised CVSS) to help you decide if you have to upgrade immediately or not.
We’ll provide more details about the fixed vulnerabilities 90 days after the release so that users have time to upgrade.
You can expect a more formal public statement about this policy soon.