SonarSource is pleased to inform you of the releases of SonarQube 8.9.5 LTS and SonarQube 9.2.3.
Given the newly reported CVE-2021-45046 about Log4J, and out of an abundance of caution, we have released 2 new SonarQube updates:
- The SonarQube Log4J test dependency is updated to 2.16. This dependency is not used outside of unit testing, nor is it included in the SonarQube distribution. It is not susceptible to the CVEs being reported. Nonetheless, we have upgraded it to eliminate confusion.
- The Elasticsearch component is updated to its latest bug fix version, 7.16.1, which removes the potentially problematic components of Log4J. Additionally, it should be noted that SonarQube programmatically adds the log4j2.formatMsgNoLookups=true JVM property when starting up Elasticsearch. More explanations from Elasticsearch here.
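As an added verification example (not SonarSource's code), the script below checks a SonarQube install tree for log4j-core jars that still contain the JndiLookup class (assumed here to be the "problematic component" the Elasticsearch 7.16.1 update strips) and checks an Elasticsearch JVM command line for the log4j2.formatMsgNoLookups=true property; the directory layout, jar names and command lines are constructed samples.

```python
import tempfile
import zipfile
from pathlib import Path

# Added example, not SonarSource code. Two checks a defender can run on a
# SonarQube host after this update: (1) no log4j-core jar under the install
# still ships JndiLookup.class, and (2) the Elasticsearch JVM command line
# carries the log4j2.formatMsgNoLookups=true property. All paths are constructed.

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NO_LOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"


def jars_with_jndi_lookup(root):
    """Return the names of log4j-core jars under root that still contain JndiLookup.class."""
    hits = []
    for jar in Path(root).rglob("log4j-core-*.jar"):
        with zipfile.ZipFile(jar) as zf:
            if JNDI_LOOKUP in zf.namelist():
                hits.append(jar.name)
    return sorted(hits)


def has_no_lookups_flag(cmdline):
    """True if a JVM command line (e.g. from ps or /proc/<pid>/cmdline) sets the property."""
    return NO_LOOKUPS_FLAG in cmdline.split()


def _write_jar(path, entries):
    # Helper for the constructed sample: a minimal jar holding only the named entries.
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")


def demo():
    """Run both checks against a constructed SonarQube-like tree and sample command lines."""
    root = Path(tempfile.mkdtemp())
    # Constructed: one jar that still has the lookup class, one that has been stripped.
    _write_jar(root / "elasticsearch/lib/log4j-core-2.11.1.jar", [JNDI_LOOKUP, "META-INF/MANIFEST.MF"])
    _write_jar(root / "lib/log4j-core-2.16.0.jar", ["META-INF/MANIFEST.MF"])
    stale = jars_with_jndi_lookup(root)
    # Constructed command lines: one with the property, one without.
    with_flag = "java -Xms512m -Dlog4j2.formatMsgNoLookups=true -cp lib/* org.elasticsearch.bootstrap.Elasticsearch"
    without_flag = "java -Xms512m -cp lib/* org.elasticsearch.bootstrap.Elasticsearch"
    return stale, has_no_lookups_flag(with_flag), has_no_lookups_flag(without_flag)


if __name__ == "__main__":
    print(demo())
```

A non-empty list from jars_with_jndi_lookup, or a False from the command-line check, means the host has not picked up the update described above.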
Please create new posts on SonarQube, SonarCloud, and the Log4J vulnerability for any questions/concerns on the Log4J topic.
As usual, download is available at sonarqube.org.