Error observed: Sonar reports, as a security vulnerability, an issue that javax.websocket.javax.websocket-api does not have. The vulnerability reported is:
Filename: javax.websocket-api-1.0.jar | Reference: CVE-2020-11050 | CVSS Score: 8.1 | Category: CWE-295 | In Java-WebSocket less than or equal to 1.4.1, there is an Improper Validation of Certificate with Host Mismatch where WebSocketClient does not perform SSL hostname validation. This has been patched in 1.5.0.
The vulnerability reported refers to org.java-websocket.Java-WebSocket.
Hello Xavier, and welcome to the SonarSource community forum!
Just to make certain, are you describing a case where SonarQube is wrongly reporting a vulnerability on a third party library on a project you scanned?
If that is the case, it is worth mentioning that SonarSource does not do any SCA (Software Composition Analysis); there are third-party plugins that aggregate the results of SCA tools in SonarQube, though.
Do you have such a plugin installed with your SonarQube?
You may want to report the false positive to the editor of the SCA analyzer tool then.