Sonarqube community having critical security issues

  • which versions are you using - latest helm chart 8.7.1-community
    Here is the JFrog Xray scan report to check security vulnerabilities of the images (sonarqube, curl and busybox) mentioned in the helm chart. We found several critical issues. It would be great if someone from your security team gave feedback about this.
    sonarqube-xray-report.zip (77.9 KB)

Hey there.

SonarQube v8.7 is an EOL version of SonarQube, and even SonarQube v8.9 LTS is considered EOL now that SonarQube v9.9 LTS has been released. The helm chart for SonarQube 9.9 has been published and I recommend targeting any security scans to that version.

Hello Colin
Thanks for your response. We have updated the image to 9.9.0-community. The number of vulnerable issues is significantly mitigated, but there are still some high and critical ones. It’s hard to fit all the issues in the comment, so we are attaching a zip file where you will find all the issues.
sonar-security-scan-9.9.0-community.xlsx.zip (12.5 KB)
Here let me put the critical one which got a CVE score of 9.8 from JFrog Xray.

Issue id: XRAY-261687
CVEs: CVE-2022-45047
CVSS3 score: 9.8
Vulnerable Component: gav://org.apache.sshd:sshd-common:2.8.0
Summary: Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
Fixed versions: 2.9.2
Package type: maven
Severity: Critical
Published: 2022-11-22
Provider: JFrog
Impacted Artifact: docker:/cicd-deployment-images/katana-1.1.0/sonarqube/sonarqube:9.9.0-community
Path: klstg-docker-local/cicd-deployment-images/katana-1.1.0/sonarqube/sonarqube/9.9.0-community/
Impact Path:
  docker:/cicd-deployment-images/katana-1.1.0/sonarqube/sonarqube:9.9.0-community
  generic://sha256:87339cb3bcb2a3d039da0efa40fa4e567466f658802f478e2f2f7f8299691144/sha256__87339cb3bcb2a3d039da0efa40fa4e567466f658802f478e2f2f7f8299691144.tar.gz
  generic://sha256:c6ea545cccc96fea4019ce1f94e1eb5c1d4a1e8e45b5b4c858b6d921f72e2b2c/sonar-scanner-engine-shaded-9.9.0.65466-all.jar
  gav://org.apache.sshd:sshd-common:2.8.0
Artifact Scan Time: 2023-02-14
References: CVE-2022-45047: Apache MINA SSHD: Java unsafe deserialization vulnerability
Description: Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Hey there.

Specifically referring to CVE-2022-45047, I can confirm that SonarQube is not vulnerable. sshd is used by svnkit (for SVN integration) to use svn+ssh protocol as a client. In our context, server keys are not deserialized using the vulnerable class SimpleGeneratorHostKeyProvider.

We regularly check the dependencies of SonarQube and its components and make determinations whether or not a vulnerability actually exists (it’s good that we know about libraries with a CVE, but they don’t always mean there’s an exploitable vulnerability).

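The distinction Colin draws above, a CVE in a bundled library versus a reachable vulnerable code path, is something a consumer of a scan report can check for themselves. The Python script below is an added example, not SonarQube's code or JFrog's tooling. It opens a jar, reads the Maven coordinates embedded in `pom.properties` to reproduce the version match the scanner made (sshd-common 2.8.0, below the fixed 2.9.2 named in the finding), then checks whether the flagged class `SimpleGeneratorHostKeyProvider` is present in the jar at all and whether any other class in the jar names it. The jar it inspects is a constructed in-memory stand-in whose `.class` entries are placeholder bytes rather than compiled Java, and the `com/example` class names are hypothetical; `triage()` can be pointed at a real shaded jar such as the scanner-engine jar in the Impact Path to obtain the same three signals for it.

```python
import io
import re
import zipfile

# Values taken from the scan finding quoted in the thread.
COORDINATE = "org.apache.sshd:sshd-common"
FIXED_VERSION = (2, 9, 2)
VULN_CLASS = "org/apache/sshd/server/keyprovider/SimpleGeneratorHostKeyProvider"


def parse_version(text):
    """Turn '2.8.0' or '2.9.2-SNAPSHOT' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def embedded_versions(jar_bytes):
    """Map 'groupId:artifactId' -> version for every Maven pom.properties
    bundled in the jar. This is the version evidence a scanner matches on."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, _, value = line.partition("=")
                        props[key.strip()] = value.strip()
                if {"groupId", "artifactId", "version"} <= set(props):
                    found[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
    return found


def class_references(jar_bytes, target):
    """Names of .class entries (other than target itself) whose bytes contain
    the target's internal (slash) or dotted name. Constant-pool class entries
    use the slash form; string literals for reflective loading use dots.
    This is a byte-level heuristic: it cannot see loading driven by config,
    so an empty result supports, but does not prove, a not-affected call."""
    needles = (target.encode(), target.replace("/", ".").encode())
    refs = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class") and name != target + ".class":
                data = zf.read(name)
                if any(n in data for n in needles):
                    refs.append(name)
    return sorted(refs)


def triage(jar_bytes, coordinate=COORDINATE, fixed=FIXED_VERSION, vuln_class=VULN_CLASS):
    """Combine the scanner's version match with two reachability signals."""
    version = embedded_versions(jar_bytes).get(coordinate)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        class_present = vuln_class + ".class" in zf.namelist()
    return {
        "version": version,
        "version_flagged": version is not None and parse_version(version) < fixed,
        "class_present": class_present,
        "referenced_by": class_references(jar_bytes, vuln_class),
    }


def build_sample_jar(reference_vuln_class):
    """Constructed in-memory jar standing in for a shaded application jar.
    The .class entries are placeholder bytes (class-file magic number plus a
    name), not compiled Java; the com/example classes are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.sshd/sshd-common/pom.properties",
                    "#Generated by Maven\nversion=2.8.0\n"
                    "groupId=org.apache.sshd\nartifactId=sshd-common\n")
        zf.writestr(VULN_CLASS + ".class", b"\xca\xfe\xba\xbe" + VULN_CLASS.encode())
        # A class that uses sshd only as an SSH client, as the thread describes.
        zf.writestr("com/example/SvnSshClient.class",
                    b"\xca\xfe\xba\xbe" + b"org/apache/sshd/client/SshClient")
        if reference_vuln_class:
            zf.writestr("com/example/HostKeyLoader.class",
                        b"\xca\xfe\xba\xbe" + VULN_CLASS.encode())
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        result = triage(build_sample_jar(flag))
        verdict = ("version match and a referencing class: treat as affected until proven otherwise"
                   if result["referenced_by"]
                   else "version match only: candidate for a documented not-affected justification")
        print(result, "->", verdict)
```

Run on the two constructed jars, the script reports the same version match for both (the scanner's finding) but a referencing class for only one of them, which is the difference between a library version that is flagged and a code path that is reachable. On a real jar, a non-empty `referenced_by` list tells you which application classes to read next; an empty list is the starting point for a written justification, not the end of the analysis.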

Hello,

Do you have plans to upgrade the lib to version 2.9.2? There are no vulnerabilities in this version so far.

https://mvnrepository.com/artifact/org.apache.sshd/sshd-common

Thanks

Hey @Armando_Miani

As a matter of regularly upgrading dependencies, the dependency that uses sshd (svnkit) is being upgraded as a part of SonarQube 10.1. Based on the changelog, this means that sshd will be upgraded to 2.9.2.

We still do not think this dependency represents any actual vulnerability in SonarQube. It is not slated for a backport to 9.9 LTS at this time.

I see your point, but unfortunately we are unable to deploy in any vulnerability case. Thanks