Sonar-scanner-cli and vulnerable okhttp3 dependency

Hello! We found that the latest sonar-scanner-cli release (specifically, sonar-scanner-api) depends on com.squareup.okhttp3:3.14.2, which seems to have a vulnerability (reported as PRISMA-2022-0239).

Details: Exception for bad header can leak an Authorization secret · Issue #6738 · square/okhttp · GitHub

According to these comments, there are no plans to backport the fix to the com.squareup.okhttp3 branch of 3.x, and it is recommended to upgrade to 4.x.

Is sonar-scanner-cli affected by this vulnerability?

Is there a plan to switch to com.squareup.okhttp:4.x?

Thanks in advance.

Hello @pravorskyi,
Welcome to the community and thank you for bringing this to our attention!

After investigation, we consider ourselves not vulnerable as we encode in base64 the authorization header, hence avoiding passing illegal characters to the request.

We however plan to upgrade to okhttp4 in the next versions to keep up to date.

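An added example, not code from the thread or from SonarSource, that models the reasoning in the reply above in Python: a header-value check in the style of the linked okhttp issue, showing that a base64-encoded Basic credential can never contain an illegal header character, and how an error message can report the bad character without echoing a credential. The character rule, the sensitive-header list and the `<redacted>` marker are assumptions of this example.

```python
import base64
import re

# Assumed header-value rule: printable ASCII plus horizontal tab is legal;
# CR, LF, other control characters and non-ASCII bytes are not.
_ILLEGAL = re.compile(r"[^\t\x20-\x7e]")

# Assumed list of headers whose values carry credentials and must never be
# copied into an exception message.
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie"}


def basic_auth_header(username: str, password: str) -> str:
    """Build a Basic credential: 'Basic ' + base64('user:pass').
    The base64 alphabet is a subset of printable ASCII, so whatever the
    password contains, the header value passes the character check."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def find_illegal_char(value: str):
    """Return (index, char) of the first illegal header character, or None."""
    m = _ILLEGAL.search(value)
    return (m.start(), m.group()) if m else None


def header_error(name: str, value: str):
    """Return the error message for an illegal value, or None if it is legal.
    Unlike the 3.x message in the linked issue, the value of a sensitive header
    is replaced by a placeholder so the message cannot leak a secret."""
    hit = find_illegal_char(value)
    if hit is None:
        return None
    idx, ch = hit
    shown = "<redacted>" if name.lower() in SENSITIVE else value
    return f"Unexpected char {ord(ch):#04x} at {idx} in {name} value: {shown}"


def check_header(name: str, value: str) -> None:
    """Raise ValueError (with a leak-safe message) for an illegal header value."""
    msg = header_error(name, value)
    if msg is not None:
        raise ValueError(msg)


if __name__ == "__main__":
    # Constructed credentials: the raw password has a newline, the encoded form is clean.
    check_header("Authorization", basic_auth_header("scanner", "s3cr3t\n"))
    print("base64-encoded credential passed the check")
```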
