- Which versions are you using? Latest helm chart, 8.7.1-community
Here is the JFrog Xray scan report to check security vulnerabilities of the images (sonarqube, curl and busybox) mentioned in the helm chart. We found several critical issues. It would be great if someone from your security team could give feedback about this.
sonarqube-xray-report.zip (77.9 KB)
Hey there.
SonarQube v8.7 is an EOL version of SonarQube, and even SonarQube v8.9 LTS is considered EOL now that SonarQube v9.9 LTS has been released. The helm chart for SonarQube 9.9 has been published and I recommend targeting any security scans to that version.
Hello Colin
Thanks for your response. We have updated the image to 9.9.0-community. The number of vulnerable issues is significantly mitigated, but there are still some high and critical ones. It's hard to fit all the issues in the comment, so we are attaching a zip file where you will find all the issues. Here let me put the critical one, which got a CVE score of 9.8 from JFrog Xray.
sonar-security-scan-9.9.0-community.xlsx.zip (12.5 KB)
| Field | Value |
|---|---|
| Issue id | XRAY-261687 |
| CVES | CVE-2022-45047 |
| CVSS3 score | 9.8 |
| Vulnerable Component | gav://org.apache.sshd:sshd-common:2.8.0 |
| Summary | Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server. |
| Fixed versions | 2.9.2 |
| Package type | maven |
| Severity | Critical |
| Published | 2022-11-22 |
| Provider | JFrog |
| Impacted Artifact | docker:/cicd-deployment-images/katana-1.1.0/sonarqube/sonarqube:9.9.0-community |
| Path | klstg-docker-local/cicd-deployment-images/katana-1.1.0/sonarqube/sonarqube/9.9.0-community/ |
| Impact Path | docker:/cicd-deployment-images/katana-1.1.0/sonarqube/sonarqube:9.9.0-community → generic://sha256:87339cb3bcb2a3d039da0efa40fa4e567466f658802f478e2f2f7f8299691144/sha256__87339cb3bcb2a3d039da0efa40fa4e567466f658802f478e2f2f7f8299691144.tar.gz → generic://sha256:c6ea545cccc96fea4019ce1f94e1eb5c1d4a1e8e45b5b4c858b6d921f72e2b2c/sonar-scanner-engine-shaded-9.9.0.65466-all.jar → gav://org.apache.sshd:sshd-common:2.8.0 |
| Artifact Scan Time | 2023-02-14 |
| References | CVE-2022-45047: Apache MINA SSHD: Java unsafe deserialization vulnerability |
| Description | Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server. |
Hey there.
Specifically referring to CVE-2022-45047, I can confirm that SonarQube is not vulnerable. sshd is used by svnkit (for SVN integration) to use the svn+ssh protocol as a client. In our context, server keys are not deserialized using the vulnerable class SimpleGeneratorHostKeyProvider.
We regularly check the dependencies of SonarQube and its components and make determinations whether or not a vulnerability actually exists (it’s good that we know about libraries with a CVE, but they don’t always mean there’s an exploitable vulnerability).
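The reply above makes the usual triage distinction: a scanner matches on the bundled library version, while exploitability depends on whether the affected class is actually bundled and referenced by the consuming code. The script below is an added example of how a defender can check that locally on a shaded jar like the one in the Xray impact path; it is not SonarSource's code or anything from this thread. The class name, Maven coordinates and fixed version come from the advisory quoted above; the jar it inspects is constructed in memory for the demo (`build_sample_jar`), the consumer class `com/example/svn/SshConnector` is hypothetical, and the "referenced" test is a heuristic (a class that uses another class carries that class's internal name as a UTF-8 string in its constant pool).

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Optional

# Fixed by the advisory quoted in the thread: the affected class and the Maven
# coordinates of the library that ships it. Everything else here is an assumption
# made for this example; the jar is built in memory, not SonarQube's real artifact.
VULNERABLE_CLASS = "org/apache/sshd/server/keyprovider/SimpleGeneratorHostKeyProvider.class"
POM_PROPS = "META-INF/maven/org.apache.sshd/sshd-common/pom.properties"
FIXED_VERSION = "2.9.2"


def build_sample_jar(version: str, bundle_vulnerable_class: bool, client_uses_it: bool) -> bytes:
    """Constructed stand-in for a shaded jar: Maven metadata plus a few fake class entries.
    Real class files start with 0xCAFEBABE and carry the internal names of the classes
    they reference as constant-pool strings; the fakes reproduce just enough of that."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.sshd\nartifactId=sshd-common\nversion={version}\n")
        if bundle_vulnerable_class:
            zf.writestr(VULNERABLE_CLASS, b"\xca\xfe\xba\xbe")
        # Hypothetical consumer class: either it names the vulnerable class (as a real
        # caller would) or it only references a harmless client-side class.
        ref = VULNERABLE_CLASS[:-6] if client_uses_it else "org/apache/sshd/client/SshClient"
        zf.writestr("com/example/svn/SshConnector.class", b"\xca\xfe\xba\xbe" + ref.encode("utf-8"))
    return buf.getvalue()


def version_tuple(version: str):
    """'2.8.0' -> (2, 8, 0); non-numeric parts (e.g. '-SNAPSHOT') are ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


@dataclass
class Triage:
    bundled_version: Optional[str]
    version_affected: bool
    class_bundled: bool
    class_referenced: bool
    status: str  # loosely follows VEX vocabulary: affected / not_affected / unknown


def triage_shaded_jar(jar_bytes: bytes) -> Triage:
    """Decide whether the CVE applies to this jar: version match alone is not enough."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        class_bundled = VULNERABLE_CLASS in names
        # Heuristic reachability check: does any other class name the vulnerable
        # class in its constant pool? (The internal name is the path minus ".class".)
        needle = VULNERABLE_CLASS[:-6].encode("utf-8")
        class_referenced = any(
            needle in zf.read(n) for n in names if n.endswith(".class") and n != VULNERABLE_CLASS
        )
    if version is None:
        return Triage(None, False, class_bundled, class_referenced, "unknown_version")
    version_affected = version_tuple(version) < version_tuple(FIXED_VERSION)
    if not version_affected:
        status = "not_affected_version"
    elif not class_bundled:
        status = "not_affected_class_absent"
    elif class_referenced:
        status = "affected_upgrade_required"
    else:
        # The scanner's finding is real, but nothing in the jar uses the class
        # (the "vulnerable code not in execute path" justification).
        status = "not_affected_unreferenced"
    return Triage(version, version_affected, class_bundled, class_referenced, status)


if __name__ == "__main__":
    for label, jar in [
        ("2.8.0, class bundled, unreferenced", build_sample_jar("2.8.0", True, False)),
        ("2.8.0, class bundled, referenced", build_sample_jar("2.8.0", True, True)),
        ("2.9.2, fixed", build_sample_jar("2.9.2", True, True)),
    ]:
        print(f"{label}: {triage_shaded_jar(jar).status}")
```

Run against the real `sonar-scanner-engine-shaded-*.jar` you would read the bytes from disk instead of calling `build_sample_jar`; note that shading can relocate packages, in which case both `VULNERABLE_CLASS` and `POM_PROPS` need the relocated prefix. The heuristic only proves a static reference, not that the code path executes, so a "referenced" result is a reason to dig further, while "unreferenced" plus an unchanged version is exactly the situation the vendor describes and is best recorded as a VEX statement rather than suppressed silently.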
Hello,
Do you have plans to upgrade the lib to version 2.9.2? There are no vulnerabilities in this version so far.
https://mvnrepository.com/artifact/org.apache.sshd/sshd-common
Thanks
Hey @Armando_Miani
As a matter of regularly upgrading dependencies, the dependency that uses sshd (svnkit) is being upgraded as a part of SonarQube 10.1. Based on the changelog, this means that sshd will be upgraded to 2.9.2.
We still do not think this dependency represents any actual vulnerability in SonarQube. It is not slated for a backport to 9.9 LTS at this time.
I see your point, but unfortunately we are unable to deploy in any vulnerability case. Thanks