Security scan reported vulnerability /opt/sonarqube/elasticsearch/lib/log4j-core-2.11.1.jar

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension) :
    Community Edition Version 7.9.3
  • how is SonarQube deployed: zip, Docker, Helm : running on EC2 machine (Zip)
  • what are you trying to achieve : The security scan should report green
  • what have you tried so far to achieve this : no action


Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

7.9.3 → 8.9.10 → 9.9

You may find the Upgrade Guide and the LTS-to-LTS Upgrade Notes for 7.9 to 8.9, as well as the LTS to LTS release upgrade notes for 8.9 to 9.9 helpful. If you have questions about upgrading, feel free to open a new thread for that here.

If your error persists after upgrade, please come back to us.