SonarSource is pleased to inform you of the releases of SonarQube 8.9.6 LTS and SonarQube 9.2.4.
We have released two new SonarQube updates to eliminate confusion and avoid false positives that vulnerability scanning tools may raise for Log4J in relation to CVE-2021-45046, CVE-2021-44228 and CVE-2021-45105.
- The SonarQube Log4J test dependency is updated to 2.17. This dependency is not included in the SonarQube distribution and is not susceptible to these CVEs.
- The Elasticsearch component is updated to its latest bug fix version, 7.16.2, which updates the packaged Log4J dependency to 2.17.
Please create new posts on SonarQube, SonarCloud, and the Log4J vulnerability for any questions/concerns on the Log4J topic.
As usual, the download is available at sonarqube.org.