The sonar-scanner-cli image started triggering a number of alerts in our container scans since it’s based on a pretty old version of Alpine which has a number of CVEs which will never be patched in that release. Looking at the history in GitHub (SonarSource/sonar-scanner-cli-docker: Docker image for SonarScanner CLI), there appears to have been some attempt to switch the base image which was rolled back for undisclosed reasons (there’s reference to a private incident).
Is there any plan to update the version of Alpine, or is a revised take on the base image script in progress? I know this component has limited exposure, but for those of us in high-compliance environments it would be nice if we could get those CVEs patched.
Thanks for raising awareness on this. We do actually plan to work on this in one of the next sprints. Specifically, we would like to align the sonarqube and sonar-scanner docker images and use the same base image (eclipse-temurin).
I didn’t have access to the Jira ticket.
Is there some news about this subject?
The current sonar-scanner-cli docker images have not been built for 6 months, so the OS images contain CVEs.
Any plans for when this will be done? We are working in a restrictive environment (patient data) and need to validate all our tools, also in regard to CVEs. Therefore, it would be greatly appreciated if this issue could be resolved.
An updated base image should arrive early next week. I will update this thread.
Thank you for your patience, and I apologize for the stale thread. Our priority list needed a clean-up, and we tested some scenarios to deliver the right solution.
Thanks, @John_Klingler, for replying to the thread. We reverted the changes, so the vulnerabilities are still present, and we will work on releasing the fixes in a safer manner. I will update you as soon as we have the base image fixed.
We have released new versions of the Scanner docker CLI.
The versioning starts with 10.0.XXX now, and we encourage using the fixed versions to avoid unwanted changes.
The vulnerabilities that we could identify should be fixed now; please let us know if it is working for you.
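The advice above to use fixed versions rather than a floating tag can be checked mechanically. The following POSIX shell script is an added example, not code from this thread or from SonarSource: it flags container image references (in Dockerfile `FROM` lines or compose/CI `image:` lines) that are not pinned to a full version tag or a digest. The image name `sonarsource/sonar-scanner-cli`, the version numbers and the digest in the sample file are assumed or constructed for illustration; `FROM --platform=...` flags and quoted YAML values are not handled.

```shell
#!/bin/sh
# Added example (not from the SonarSource thread): report container image
# references that use a floating tag instead of a fixed version or digest.

# is_pinned_ref REF
#   returns 0 when REF is pinned: either a full 64-hex sha256 digest or a
#   version tag of the form x.y.z or x.y.z.w (e.g. 10.0.1.1234);
#   returns 1 for :latest, a missing tag (implicit :latest) or a partial version.
is_pinned_ref() {
    ref="$1"
    case "$ref" in
        *@sha256:*)
            digest="${ref##*@sha256:}"
            printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$' && return 0
            return 1 ;;
    esac
    # Drop registry and repository path so a registry port (host:5000/...) is
    # not mistaken for a tag; only the last path component may carry ':tag'.
    name="${ref##*/}"
    case "$name" in
        *:*) tag="${name##*:}" ;;
        *)   return 1 ;;
    esac
    printf '%s' "$tag" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)?$'
}

# unpinned_refs_in FILE
#   prints every FROM / image: reference in FILE that is_pinned_ref rejects,
#   one per line (a trailing "AS stage" on FROM lines is ignored).
unpinned_refs_in() {
    sed -n -E 's/^[[:space:]]*(FROM|image:)[[:space:]]+//p' "$1" |
    sed -E 's/[[:space:]]+(AS|as)[[:space:]].*$//' |
    while IFS= read -r ref; do
        is_pinned_ref "$ref" || printf '%s\n' "$ref"
    done
}

# write_sample_file FILE
#   constructed sample: a Dockerfile mixing pinned and floating references
#   (the version 10.0.1.1234 and the all-zero digest are made up).
write_sample_file() {
    cat > "$1" <<'EOF'
FROM sonarsource/sonar-scanner-cli:latest AS scanner
FROM sonarsource/sonar-scanner-cli:10.0.1.1234
FROM sonarsource/sonar-scanner-cli@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM alpine
EOF
}

# Stand-alone run: list the unpinned references in the constructed sample.
sample="$(mktemp)"
write_sample_file "$sample"
unpinned_refs_in "$sample"
rm -f "$sample"
```

Run it as a pre-merge check over Dockerfiles and pipeline definitions; a non-empty output means an image that will silently change under you when the upstream tag is moved, which is exactly the situation the fixed 10.0.XXX tags are meant to avoid.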