Sonar scanner CLI vulnerability

fed · November 11, 2022, 1:51pm

Hello, it seems the Scanner CLI has a vulnerability in one of the packages it uses.

Our Twistlock scan detects the following:
package com.squareup.okhttp3_okhttp_3.14.2 - fixed in 4.9.2

I don’t see a direct reference to that package in the source, do you know how it could be fixed?

Thanks

Colin · November 11, 2022, 2:21pm

Hey there.

Take a look at this thread:

Topic		Replies	Views
Sonar-scanner-cli and vulnerable okhttp3 dependency SonarQube Server / Community Build scanner , cve	2	1250	November 1, 2022
Sonar-Scanner vulnerability - embedded JVM SonarQube Server / Community Build scanner	1	597	April 8, 2022
Okhttp3 connection leak warning even in sonar-scanner-api:2.15.0.2182 SonarQube Cloud scanner , sonarqube-cloud	3	1573	November 14, 2020
SonarQube 8.9 LTS compatibility with sonar-scanner-cli Version 4.7.0.2747? SonarQube Server / Community Build sonarqube , scanner	1	1104	November 2, 2022
Sonarqube-gradle-plugin fails when used with IBM JDK SonarQube Server / Community Build gradle , scanner	1	1751	November 14, 2018