Sonar-scanner-vsts v5.15.0 multiple CVEs detected

I am using sonar-scanner-vsts v5.15.0 from the Azure DevOps marketplace. Our internal security scanners have highlighted that are build agents running this scanner have security issues related to the following CVEs: CVE-2022-22950,CVE-2022-22970, CVE-2022-22971 detected in the cached sonar-securityjavafrontend-plugin.jar related to the presence of Spring Framework jars.

Is there a plan in place to update the plugin to remediate these issues?


I’ve unlisted your topic since you’re reporting a vulnerability. Our responsible disclosure policy asks that you email rather than making public posts.

What version of SonarQube are you using? Your version of the Azure scanner is out of date. The current version is 5.15.0. While that’s unrelated to what you’re reporting, you should nonetheless upgrade at your earliest convenience.


scanner 5.15.0 is the version we are running ( i had a typo). SonarQube is Enterprise Edition
Version 8.9.6 (build 50800)

The link on the marketplace lead me to this location. So, perhaps something should be placed on the marketplace that makes it more obvious to submit issues elsewhere.


Your version is past EOL. You should upgrade to either the latest version or the current LTS at your earliest convenience. Your upgrade path is:

8.9.6 → 9.9.2 → 10.2.1 (last step optional)

You may find these resources helpful:

If you have questions about upgrading, feel free to open a new thread for that here.

If your error persists after upgrade, please come back to us.

And FYI, I’m re-listing this topic.