Hi,
We are starting to examine the use of SonarQube in our organization (a bank).
We already have version 6.1 and we want to upgrade it.
When we tried to bring the 7.2.1 package into the bank network, we got the following information from our security team:
Threat name: Exploit.CVE.JS.3486
File: sonarqube-7.2.1.zip\sonarqube-7.2.1\lib\common\hazelcast-3.8.6.jar\com\hazelcast\client\impl\protocol\DefaultMessageTaskFactoryProvider$228.class
We currently cannot bring it into our organization because the security team is blocking us.
Can you please share your thoughts about this issue?
Thanks!
Eli.
Hi,
The problem is that I cannot bring this product version into my organization because the information security team is blocking me.
I want to know if anyone is familiar with this issue and can elaborate on it, and whether it is really a security risk, so I have extra information to explain it to the information security team.
Thanks!
To complement Tobias' input, I believe one piece of missing information here is the details of the actual vulnerability your security team claims to have detected. You have only shared Exploit.CVE.JS.3486, but you should expect your security team to also provide a detailed description of that vulnerability, an external reference since it seems CVE related, and a detailed explanation of how it seemingly impacts the binary you mentioned. Without that it will be hard to get any further help, which is why Ann asked you to elaborate on the actual vulnerability.
Per Tobias' input, with more details you can also try to determine whether the issue is legitimate or a false positive (note that Hazelcast is open source).
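One concrete check that helps with the "legitimate or false positive" question is to confirm that the flagged jar inside the SonarQube distribution is byte-for-byte the upstream Hazelcast 3.8.6 release, and if not, which entries differ. If the bundled jar matches the published artifact, the scanner is flagging stock Hazelcast 3.8.6 and the finding can be checked against the public record for that version; if it does not match, the differing entries are what to hand to the security team. The script below is an added example, not code from this thread or from SonarSource or Hazelcast. It uses the paths quoted in the scanner report, but the reference jar and expected checksum are assumed inputs (the real values are not on this page), and the sample zips it builds are constructed stand-ins so it runs offline.

```python
import hashlib
import io
import zipfile

# Paths taken from the scanner report quoted in the thread (forward slashes, as stored in the zip).
OUTER_JAR_PATH = "sonarqube-7.2.1/lib/common/hazelcast-3.8.6.jar"
FLAGGED_CLASS = "com/hazelcast/client/impl/protocol/DefaultMessageTaskFactoryProvider$228.class"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_nested_jar(outer_zip: bytes, jar_path: str) -> bytes:
    """Return the raw bytes of a jar stored inside the distribution zip."""
    with zipfile.ZipFile(io.BytesIO(outer_zip)) as outer:
        return outer.read(jar_path)


def entry_hashes(jar_bytes: bytes) -> dict:
    """Map every file entry in a jar to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {name: sha256_hex(jar.read(name))
                for name in jar.namelist() if not name.endswith("/")}


def jar_matches_checksum(outer_zip: bytes, jar_path: str, expected_sha256: str) -> bool:
    """True if the bundled jar's SHA-256 equals the checksum published for the upstream release.
    expected_sha256 is an assumed input: obtain it from the artifact repository, not from this page."""
    return sha256_hex(read_nested_jar(outer_zip, jar_path)) == expected_sha256.lower()


def diff_against_reference(outer_zip: bytes, jar_path: str, reference_jar: bytes) -> dict:
    """Compare the bundled jar entry by entry against a reference copy of the upstream jar."""
    bundled = entry_hashes(read_nested_jar(outer_zip, jar_path))
    reference = entry_hashes(reference_jar)
    return {
        "identical": bundled == reference,
        "modified": sorted(n for n in bundled if n in reference and bundled[n] != reference[n]),
        "only_in_bundled": sorted(set(bundled) - set(reference)),
        "only_in_reference": sorted(set(reference) - set(bundled)),
    }


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip/jar; used only to construct the sample data below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample data (not real Hazelcast or SonarQube bytes): a stand-in "upstream" jar,
# a distribution zip bundling that jar unchanged, and one where the flagged class was altered.
REFERENCE_JAR = build_zip({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    FLAGGED_CLASS: b"\xca\xfe\xba\xbe" + b"\x00" * 16,  # fake class-file payload
})
CLEAN_DIST = build_zip({OUTER_JAR_PATH: REFERENCE_JAR})
TAMPERED_DIST = build_zip({OUTER_JAR_PATH: build_zip({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    FLAGGED_CLASS: b"\xca\xfe\xba\xbe" + b"\x41" * 16,
})})

if __name__ == "__main__":
    # With the real files: load sonarqube-7.2.1.zip as outer_zip and the upstream
    # hazelcast-3.8.6.jar as reference_jar, then run the same two calls.
    print(diff_against_reference(CLEAN_DIST, OUTER_JAR_PATH, REFERENCE_JAR))
    print(diff_against_reference(TAMPERED_DIST, OUTER_JAR_PATH, REFERENCE_JAR))
```

A matching checksum only establishes provenance: it tells the security team the file is the unmodified upstream release, so the question becomes whether the scanner's signature describes a real issue in that Hazelcast version, which the CVE reference they provide should answer. A mismatch, on the other hand, narrows the investigation to the listed entries.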