- which versions are you using - latest helm chart 8.7.1-community
Here is the JFrog Xray scan report to check security vulnerabilities of the images (sonarqube, curl and busybox) mentioned in the helm chart. We found several critical issues. It would be great if someone from your security team gave feedback about this.
sonarqube-xray-report.zip (77.9 KB)
Hey there.
SonarQube v8.7 is an EOL version of SonarQube, and even SonarQube v8.9 LTS is considered EOL now that SonarQube v9.9 LTS has been released. The helm chart for SonarQube 9.9 has been published and I recommend targeting any security scans to that version.
Hello Colin
Thanks for your response. We have updated the image to 9.9.0-community. The number of vulnerable issues is significantly mitigated, but there are still some high and critical ones. It's hard to fit all the issues in the comment, so we are attaching a zip file where you will find all the issues. Here let me put the critical one, which got a CVE score of 9.8 from JFrog Xray.
sonar-security-scan-9.9.0-community.xlsx.zip (12.5 KB)
Field | Value
---|---
Issue id | XRAY-261687
CVEs | CVE-2022-45047
CVSS3 score | 9.8
Vulnerable Component | gav://org.apache.sshd:sshd-common:2.8.0
Summary | Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
Fixed versions | 2.9.2
Package type | maven
Severity | Critical
Published | 2022-11-22
Provider | JFrog
Impacted Artifact | docker:/cicd-deployment-images/katana-1.1.0/sonarqube/sonarqube:9.9.0-community
Path | klstg-docker-local/cicd-deployment-images/katana-1.1.0/sonarqube/sonarqube/9.9.0-community/
Impact Path | docker:/cicd-deployment-images/katana-1.1.0/sonarqube/sonarqube:9.9.0-community → generic://sha256:87339cb3bcb2a3d039da0efa40fa4e567466f658802f478e2f2f7f8299691144/sha256__87339cb3bcb2a3d039da0efa40fa4e567466f658802f478e2f2f7f8299691144.tar.gz → generic://sha256:c6ea545cccc96fea4019ce1f94e1eb5c1d4a1e8e45b5b4c858b6d921f72e2b2c/sonar-scanner-engine-shaded-9.9.0.65466-all.jar → gav://org.apache.sshd:sshd-common:2.8.0
Artifact Scan Time | 2023-02-14
References | CVE-2022-45047: Apache MINA SSHD: Java unsafe deserialization vulnerability
Description | Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
Hey there.
Specifically referring to CVE-2022-45047, I can confirm that SonarQube is not vulnerable. sshd is used by svnkit (for SVN integration) to use the svn+ssh protocol as a client. In our context, server keys are not deserialized using the vulnerable class SimpleGeneratorHostKeyProvider.
We regularly check the dependencies of SonarQube and its components and make determinations whether or not a vulnerability actually exists (it’s good that we know about libraries with a CVE, but they don’t always mean there’s an exploitable vulnerability).
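The kind of first-pass check behind a "flagged but not reachable" determination, as an added example that is not part of this thread and not SonarSource's tooling: given a shaded jar, confirm whether the class named in the CVE is present at all and which other classes reference it (a class's fully-qualified internal name appears as a constant-pool string in any class that uses it, so a byte search is a usable triage signal, not proof of exploitability). The jar here is a tiny constructed stand-in, not the real sonar-scanner-engine-shaded jar, and the referencing class names in it are invented.

```python
import io
import zipfile

# Internal (slash-separated) name of the class flagged by CVE-2022-45047.
VULN_CLASS = "org/apache/sshd/server/keyprovider/SimpleGeneratorHostKeyProvider"


def build_sample_jar() -> bytes:
    """Constructed stand-in jar; class bodies are fake bytes carrying only the strings we search for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The vulnerable class is shipped by sshd-common, so it is present in the shaded jar.
        zf.writestr(VULN_CLASS + ".class", b"\xca\xfe\xba\xbe" + VULN_CLASS.encode())
        # Constructed client-side class: references SshClient, not the flagged key provider.
        zf.writestr("example/SvnSshClient.class",
                    b"\xca\xfe\xba\xbe" + b"org/apache/sshd/client/SshClient")
        # Constructed server-side class that does reference the flagged provider (positive hit).
        zf.writestr("example/ServerBootstrap.class",
                    b"\xca\xfe\xba\xbe" + VULN_CLASS.encode())
    return buf.getvalue()


def triage(jar_bytes: bytes, vuln_class: str = VULN_CLASS) -> dict:
    """Report whether vuln_class is in the jar and which other .class entries mention it."""
    needle = vuln_class.encode()
    present = False
    referrers = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            # Skip the class itself and its inner classes (Foo$1.class); they always name themselves.
            if name == vuln_class + ".class" or name.startswith(vuln_class + "$"):
                present = True
                continue
            if needle in zf.read(name):
                referrers.append(name)
    return {"present": present, "referrers": sorted(referrers)}


if __name__ == "__main__":
    result = triage(build_sample_jar())
    print(f"{VULN_CLASS} present: {result['present']}")
    for ref in result["referrers"]:
        print(f"referenced by: {ref}")
```

A hit in `referrers` means the class is wired in somewhere and needs a closer look at how it is called; an empty list is a reason to lower priority, not to close the finding without the kind of code-level review described in the reply above.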