Sonarqube 7.2.1 version- security question

sonarqube

(eli keler) #1

Hi,
We are starting to examine the use of SonarQube in our organization (a bank).
We already have the 6.1 version and we want to upgrade it.
When we tried to insert the 7.2.1 version package into the bank network, we got the following information from our security team:

  • Threat name: Exploit.CVE.JS.3486
  • File: sonarqube-7.2.1.zip\sonarqube-7.2.1\lib\common\hazelcast-3.8.6.jar\com\hazelcast\client\impl\protocol\DefaultMessageTaskFactoryProvider$228.class

We currently cannot insert it into our organization because the security team is blocking us.
Can you please share your thoughts about this issue?
Thanks!
Eli.

(G Ann Campbell) #2

Hi,

It’s not clear from your message what the problem is. Could you elaborate, please?

Thx,
Ann


(eli keler) #3

Hi,
The problem is that I cannot insert this product version into my organization because the information security team is blocking me.
I want to know if anyone is familiar with this issue and can elaborate on it, and to know if it is indeed really a security risk. Any extra information to explain it to the information security team would help.
Thanks!


(Tobias Gruetzmacher) #4

Hi,

AFAICS, SonarQube 7.2.1 is shipping this file:

http://search.maven.org/#search|ga|1|1%3A"37c3577a1df9aeccf34d9a8773b2763709f701fc"

Which is clean according to most virus scanners:

https://www.virustotal.com/#/file/1d66e29f04a05adebf7c5cf78b75876c02e4a7ddf9748003752a9be16f4c5558/detection

Doesn’t look like a threat to me, more like a false positive.

Best regards, Tobias
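
Added example, not part of Tobias' post and not SonarQube code: one way to reproduce the hash comparison described above, by hashing the hazelcast jar nested inside the distribution zip and comparing it with the SHA-1 from the Maven Central link. The function names and the constructed sample archive are assumptions; the SHA-1 and file paths are the ones quoted in this thread.

```python
import hashlib
import io
import sys
import zipfile

# Values quoted in the thread (SHA-1 taken from the Maven Central search link).
EXPECTED_SHA1 = "37c3577a1df9aeccf34d9a8773b2763709f701fc"
JAR_SUFFIX = "lib/common/hazelcast-3.8.6.jar"
FLAGGED_CLASS = ("com/hazelcast/client/impl/protocol/"
                 "DefaultMessageTaskFactoryProvider$228.class")

def inspect_nested_jar(dist_zip, jar_suffix=JAR_SUFFIX, flagged=FLAGGED_CLASS):
    """Hash the jar nested in the zip (path or file object) and the flagged class."""
    with zipfile.ZipFile(dist_zip) as outer:
        hits = [n for n in outer.namelist() if n.endswith(jar_suffix)]
        if len(hits) != 1:
            raise ValueError(f"expected one entry ending in {jar_suffix}: {hits}")
        jar_bytes = outer.read(hits[0])
    report = {
        "jar_path": hits[0],
        "jar_sha1": hashlib.sha1(jar_bytes).hexdigest(),
        "jar_sha256": hashlib.sha256(jar_bytes).hexdigest(),
        "class_sha256": None,  # stays None if the scanner's path is not in the jar
    }
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if flagged in jar.namelist():
            report["class_sha256"] = hashlib.sha256(jar.read(flagged)).hexdigest()
    return report

def matches_published(report, expected_sha1=EXPECTED_SHA1):
    """True when the nested jar has the SHA-1 quoted in the thread."""
    return report["jar_sha1"] == expected_sha1.lower()

def build_constructed_dist(class_bytes=b"constructed sample, not a real class"):
    """Constructed stand-in for sonarqube-7.2.1.zip so the example runs offline."""
    jar_buf, dist_buf = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr(FLAGGED_CLASS, class_bytes)
    with zipfile.ZipFile(dist_buf, "w") as dist:
        dist.writestr("sonarqube-7.2.1/" + JAR_SUFFIX, jar_buf.getvalue())
    dist_buf.seek(0)
    return dist_buf

if __name__ == "__main__":
    # Pass the real distribution zip as the first argument; otherwise use the sample.
    source = sys.argv[1] if len(sys.argv) > 1 else build_constructed_dist()
    report = inspect_nested_jar(source)
    print(report, "matches published SHA-1:", matches_published(report))
```

A match shows the jar in the zip is the same file that is published on Maven Central; the per-class SHA-256 gives the security team a concrete value to look up for the exact file their scanner flagged.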


(Nicolas Bontoux) #5

Hi Eli,

To complement Tobias’ input, I believe one missing piece of information here is the details of the actual vulnerability your security team claims to have detected. You’ve only shared Exploit.CVE.JS.3486; however, you should expect your security team to also provide a detailed description of that vulnerability, an external reference since it seems CVE related, and also a detailed explanation of how it seemingly impacts the binary you mentioned. Without that it will be hard to get any further help, which is why Ann asked you to elaborate on the actual vulnerability.

Per Tobias’ input, with more details you can also try to determine whether the issue is legit or a false positive (note that hazelcast is open-source).