Sonar-scanner-cli Docker image vulnerabilities?

The sonar-scanner-cli image started triggering a number of alerts in our container scans since it’s based on a pretty old version of Alpine which has a number of CVEs which will never be patched in that release. Looking at the history in the GitHub repository (SonarSource/sonar-scanner-cli-docker: Docker image for SonarScanner CLI), there appears to have been some attempt to switch the base image which was rolled back for undisclosed reasons (there’s a reference to a private incident).

Is there any plan to update the version of Alpine or is a revised take on the base image script in-progress? I know this component has limited exposure but for those of us in high-compliance environments it would be nice if we could get those CVEs patched.

Dear @acdha,

thanks for raising awareness on this. We do actually plan to work on this in one of the next sprints. Specifically, we would like to align the sonarqube and sonar-scanner docker images and use the same base image (eclipse-temurin).

Hi,

I didn’t have access to the Jira ticket.
Is there any news about this subject?
The current sonar-scanner-cli docker images have not been built for 6 months, so the OS image contains CVEs.

Any plans for when this will be done? We are working in a restrictive environment (patient data) and need to validate all our tools, also in regard to CVEs. Therefore, it would be greatly appreciated if this issue could be resolved.

Hi all,

Thanks for your patience. We are getting organized based on your and other feedback we received. We’ll post an update when the plan is finalized.

I didn’t have access to the Jira ticket.

@GREGORY_BOUE You’re right. I removed it from my previous answer as it is not publicly accessible.

Hi @acdha

An updated base image should arrive early next week. I will update this thread.

Thank you for your patience, and I apologize for the stale thread. Our priority list needed a clean-up, and we tested some scenarios to deliver the right solution.

Thanks
Csaba

Hi @acdha,

We have released the refreshed images. The new base image version is alpine:3.19. Let us know if we can help with anything else.

Thanks
Csaba

They appear to be broken.

Thanks, @John_Klingler, for replying to the thread. We reverted the changes, so the vulnerabilities are still present, and we will work on releasing the fixes in a safer manner. I will update you as soon as we have the base image fixed.

Hi All ,

We have released new versions of the Scanner Docker CLI.
The versioning starts with 10.0.XXX now, and we encourage you to use the fixed versions to avoid unwanted changes.
The vulnerabilities we could identify should be fixed now; please let us know if it is working for you.

Thanks
Csaba
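The advice above to build against a fixed version rather than a moving tag is easy to state and easy to lose in a Dockerfile review. The script below is an added example, not code from this thread or from the sonar-scanner-cli project: it reads the FROM lines of a Dockerfile and classifies each image reference as pinned by digest, pinned by a full tag, rolling (a short numeric tag such as the alpine:3.19 base mentioned earlier, which follows patch releases), or floating (no tag, or latest). The sample Dockerfile, the 10.0.0.1234 tag and the digest are constructed placeholders, and the rule that a numeric tag with fewer than three components is rolling is an assumption about tagging conventions, not something SonarSource states.

```python
"""Flag Docker image references that are not pinned to a fixed version.

Added example: this is not code from the SonarSource thread or from the
sonar-scanner-cli project. It audits the FROM lines of a Dockerfile so a
build that should track a fixed version (a full tag or a digest) cannot
silently move to a rebuilt image. The sample Dockerfile, the tag values
and the digest below are constructed; treating short numeric tags as
rolling is an assumption about tagging conventions.
"""
import re

FLOATING_TAGS = {"latest", "lts", "edge"}
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def split_ref(ref):
    """Split 'name[:tag][@digest]' into (name, tag, digest)."""
    name_tag, _, digest = ref.partition("@")
    # A ':' is a tag separator only if it comes after the last '/', so a
    # registry port such as host:5000/image is not mistaken for a tag.
    slash = name_tag.rfind("/")
    colon = name_tag.rfind(":")
    if colon > slash:
        return name_tag[:colon], name_tag[colon + 1:], digest or None
    return name_tag, None, digest or None


def classify_ref(ref):
    """Return one of: pinned-digest, pinned-tag, rolling, floating, unparseable."""
    name, tag, digest = split_ref(ref)
    if not name:
        return "unparseable"
    if digest is not None:
        # A digest pins the exact manifest regardless of where the tag points.
        return "pinned-digest" if DIGEST_RE.fullmatch(digest) else "unparseable"
    if tag is None or tag.lower() in FLOATING_TAGS:
        # No tag means ':latest', which is rebuilt in place.
        return "floating"
    if re.fullmatch(r"\d+(\.\d+)*", tag) and tag.count(".") < 2:
        # Assumption: short numeric tags such as '3.19' or '10' follow the
        # newest patch release, so they can change underneath a build.
        return "rolling"
    return "pinned-tag"


def parse_from_lines(dockerfile_text):
    """Extract the image reference from every FROM instruction."""
    refs = []
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line.upper().startswith("FROM "):
            continue
        # Drop the keyword and any --platform=... flag; the first remaining
        # token is the image, anything after it is an 'AS stage' alias.
        tokens = [t for t in line.split()[1:] if not t.startswith("--")]
        if tokens:
            refs.append(tokens[0])
    return refs


def audit_dockerfile(dockerfile_text):
    """Return [(ref, classification)] for each FROM line, in order."""
    return [(ref, classify_ref(ref)) for ref in parse_from_lines(dockerfile_text)]


def unpinned_refs(dockerfile_text):
    """Return only the references a compliance review would reject."""
    return [ref for ref, kind in audit_dockerfile(dockerfile_text)
            if kind not in ("pinned-digest", "pinned-tag")]


# Constructed sample; the 10.0.0.1234 tag and the digest are placeholders.
SAMPLE_DOCKERFILE = """\
# constructed example Dockerfile
FROM sonarsource/sonar-scanner-cli
FROM sonarsource/sonar-scanner-cli:latest AS scanner
FROM --platform=linux/amd64 sonarsource/sonar-scanner-cli:10.0.0.1234
FROM alpine:3.19
FROM alpine:3.19@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for ref, kind in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{kind:14} {ref}")
```

Digest pinning is the only form that survives a tag being re-pushed, which is exactly what happened in this thread when the refreshed images were reverted; a full version tag is the practical compromise when you still want readable references, and anything the script reports as rolling or floating should be resolved to one of those two before the Dockerfile passes review.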

Thanks, that’s a much cleaner container now!