SonarQube Image Vulnerabilities - Seeking Patch or Mitigation Options without Version Upgrade

Hello,

We’ve deployed a SonarQube instance (version 9.9.0-community) on AWS ECS using the Docker image from Docker Hub. A recent security audit revealed multiple vulnerabilities in this image, and we’re looking for ways to mitigate them. While we’re aware that the latest image (version 10.7.0) addresses some of these issues, upgrading would require Java 17, which our application currently does not support.

Here’s what we’re considering and would appreciate any guidance on:

  1. Alternative Patch Options: Is there a recommended approach to patch vulnerabilities in version 9.9.0 without upgrading to 10.7.0?

  2. Custom Image Builds: If patching is not feasible, has anyone successfully built a custom image to address security concerns? Any specific guidance on this would be extremely helpful.

Thank you in advance for any advice or resources you can share!

Hey there

Updating to the latest version of v9.9 LTA, v9.9.7, will solve a lot of the issues. We regularly patch the LTA to address the (usually meaningless, but annoying) vulnerability reports on internal dependencies.

Please note that whether or not your application is built for Java 17, you can still analyze it with SonarQube v10.7.

https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/scanner-environment/general-requirements/

The requirement on the Java runtime environment refers only to the version of Java used by the scanner itself to run. It does not restrict the versions of Java that can be analyzed by the scanner. In addition, the required version changes with successive versions of the scanner.
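To turn the reply's advice into something repeatable, here is an added example (not part of this thread and not SonarSource's code) that a deployment pipeline can run to flag a SonarQube instance still older than the patched 9.9 LTA release mentioned above. It compares dot-separated version strings component by component, tolerates tag suffixes such as `-community` and the four-part build number SonarQube reports, and treats any version below 9.9.7 as needing the patch release. The `api/server/version` endpoint is the standard unauthenticated version endpoint; the `SONAR_URL` variable name and the `needs_patch` function are this example's own assumptions.

```shell
#!/bin/sh
# Added example: flag a SonarQube version older than the patched 9.9 LTA.
# MIN_PATCHED_VERSION is the release named in the reply above.
MIN_PATCHED_VERSION="9.9.7"

# version_lt A B
# Returns 0 (true) when version A is numerically lower than version B.
# Components are compared left to right; missing components count as 0 and
# a non-numeric suffix on a component (e.g. "0-community") is ignored, so
# "9.9.0-community" < "9.9.7" and "9.9.7.96285" is not < "9.9.7".
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    case "$a" in *.*) ax=${a%%.*}; a=${a#*.};; *) ax=$a; a="";; esac
    case "$b" in *.*) bx=${b%%.*}; b=${b#*.};; *) bx=$b; b="";; esac
    ax=${ax%%[!0-9]*}; bx=${bx%%[!0-9]*}   # drop anything after the digits
    [ "${ax:-0}" -lt "${bx:-0}" ] && return 0
    [ "${ax:-0}" -gt "${bx:-0}" ] && return 1
  done
  return 1   # equal
}

# needs_patch VERSION
# Prints "needs-patch" when VERSION is below MIN_PATCHED_VERSION, else "ok".
# Always exits 0 so it is safe to call under 'set -e'; act on the printed word.
needs_patch() {
  if version_lt "$1" "$MIN_PATCHED_VERSION"; then
    printf 'needs-patch\n'
  else
    printf 'ok\n'
  fi
}

# Offline demonstration with a constructed version string matching the tag
# from the original question. Output: 9.9.0-community: needs-patch
printf '%s: %s\n' "9.9.0-community" "$(needs_patch "9.9.0-community")"

# Optional live check: set SONAR_URL (assumed variable name) to the server's
# base URL, e.g. https://sonar.example.internal, and the script queries the
# server's version endpoint instead of the constructed sample.
if [ -n "${SONAR_URL:-}" ]; then
  live_version=$(curl -fsS "${SONAR_URL%/}/api/server/version")
  printf '%s reports %s: %s\n' "$SONAR_URL" "$live_version" "$(needs_patch "$live_version")"
fi
```

In a CI job you would fail the pipeline when the last word printed is `needs-patch`; the comparison itself is deliberately pure POSIX sh (no `sort -V`) so it behaves the same inside a minimal container image as on a developer workstation.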