I am using sonar-scanner-vsts v5.15.0 from the Azure DevOps marketplace. Our internal security scanners have highlighted that our build agents running this scanner have security issues related to the following CVEs: CVE-2022-22950, CVE-2022-22970, CVE-2022-22971, detected in the cached sonar-securityjavafrontend-plugin.jar related to the presence of Spring Framework jars.
Is there a plan in place to update the plugin to remediate these issues?
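As an added example (not code from the original post, from SonarSource, or from the scanner task), the script below does what a build-agent owner would want before and after a plugin upgrade: it opens a plugin jar, lists the Spring Framework artifacts bundled inside it, and flags any whose version is below a floor taken from the relevant advisory. It recognises two packaging styles: nested jars such as `META-INF/lib/spring-core-5.3.14.jar`, and shaded classes whose version is recorded in `META-INF/maven/org.springframework/<artifact>/pom.properties`. The nested-jar path layout, the default cache location `~/.sonar/cache`, and the floor version used in the usage call are assumptions; the plugin jar used for the demonstration is constructed inline.

```python
import io
import re
import zipfile
from pathlib import Path

# Maven-style artifact filename, e.g. spring-core-5.3.14.jar or spring-web-5.2.19.RELEASE.jar
SPRING_JAR_RE = re.compile(r"^(spring-[a-z0-9-]+?)-(\d+(?:\.\d+)*(?:\.[A-Za-z0-9]+)?)\.jar$")
# pom.properties written by Maven for shaded/repackaged Spring classes
POM_PROPS_RE = re.compile(r"^META-INF/maven/org\.springframework/([^/]+)/pom\.properties$")


def parse_version(version):
    """Numeric prefix of a version string as a tuple: '5.2.19.RELEASE' -> (5, 2, 19)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else (0,)


def find_spring_artifacts(jar_bytes):
    """Return {artifact: version} for Spring Framework artifacts bundled in a jar.

    Nested jars are identified by filename at any depth; shaded artifacts by the
    'version=' line of their Maven pom.properties entry.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = SPRING_JAR_RE.match(name.rsplit("/", 1)[-1])
            if m:
                found[m.group(1)] = m.group(2)
                continue
            m = POM_PROPS_RE.match(name)
            if m:
                text = zf.read(name).decode("utf-8", errors="replace")
                props = dict(
                    line.split("=", 1)
                    for line in text.splitlines()
                    if "=" in line and not line.startswith("#")
                )
                if "version" in props:
                    found[m.group(1)] = props["version"].strip()
    return found


def below_floor(found, floor):
    """Subset of {artifact: version} whose version is lower than the floor string."""
    threshold = parse_version(floor)
    return {a: v for a, v in found.items() if parse_version(v) < threshold}


def scan_plugin_cache(cache_dir, floor):
    """Walk every *.jar under the scanner cache and report flagged Spring artifacts per jar."""
    report = {}
    for jar_path in Path(cache_dir).expanduser().rglob("*.jar"):
        try:
            flagged = below_floor(find_spring_artifacts(jar_path.read_bytes()), floor)
        except zipfile.BadZipFile:
            continue  # not a readable jar; skip rather than abort the inventory
        if flagged:
            report[str(jar_path)] = flagged
    return report


def build_sample_plugin_jar():
    """Constructed fixture: a plugin jar with one nested Spring jar and one shaded artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/lib/spring-core-5.3.14.jar", b"")
        zf.writestr(
            "META-INF/maven/org.springframework/spring-beans/pom.properties",
            "#Generated by Maven\nversion=5.2.19.RELEASE\ngroupId=org.springframework\n"
            "artifactId=spring-beans\n",
        )
        zf.writestr("org/sonar/plugins/Example.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Floor is a placeholder: take the fixed version from the advisory for the CVEs you track.
    FLOOR = "5.3.20"
    sample = find_spring_artifacts(build_sample_plugin_jar())
    print("bundled:", sample)
    print("below floor:", below_floor(sample, FLOOR))
    # Assumed default cache location for the SonarScanner plugin cache on an agent.
    print("cache report:", scan_plugin_cache("~/.sonar/cache", FLOOR))
```

Run it on an agent after the plugin jar has been refreshed; an empty "below floor" set for every cached jar is the evidence the internal scanner is looking for, and a non-empty one tells you which bundled artifact still needs the upstream fix.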
What version of SonarQube are you using? Your version of the Azure scanner is out of date. The current version is 5.15.0. While that’s unrelated to what you’re reporting, you should nonetheless upgrade at your earliest convenience.
Scanner 5.15.0 is the version we are running (I had a typo). SonarQube is Enterprise Edition
Version 8.9.6 (build 50800)
The link on the marketplace led me to this location. So, perhaps something should be placed on the marketplace that makes it more obvious to submit issues elsewhere.