Sonarqube 9.7 has tomcat 9.0.62 embedded, but CVE-2022-29885 affects tomcat 9.0.62

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    Sonarqube Enterprise 9.7.1

  • what are you trying to achieve
    The latest sonarqube is not affected by CVE-2022-29885

  • what have you tried so far to achieve this
    Updated sonarqube to the latest version and changed the tomcat dependency version in the dependency-license.json file to 9.0.68.

I’m not sure if changing the tomcat version will affect sonarqube functionality?

Hey there.

You should not change the Tomcat version.

CVE-2022-29885 was purely a documentation issue (here is the commit that fixed it in Tomcat), and SonarQube does not even use this functionality to begin with.

