SonarQube, SonarCloud, and the Log4J vulnerability

Hi @gajju26,

Welcome to the community!

We anticipate releasing 9.3 on 31 January 2022.

HTH,
Ann

2 Likes

Thanks for the update!!! I am looking forward to contributing to this community.

Thanks,
Gajanan

2 Likes

Hi Ann,

Will there also be a version 8.9.7 LTS available January 31st too?

Thanks,

Jeff

Hi Jeff,

It’s a fair question, but I don’t think so. I’m sure that will be included in the next LTS release, but we’re releasing 9.3 at the end of the month as a regularly-scheduled release, which also addresses this minor security question as a means to avoiding false positives. We’re not releasing it to address log4j 2.17.1.

HTH,
Ann

2 Likes

Thanks for the quick reply Ann !

Jeff

A post was split to a new topic: Elasticsearch failure on startup

Hi All,

I am using Community Edition version 7.1 and it has the log4j vulnerability (sonarqube\elasticsearch\lib\log4j-core-2.9.1.jar). How can I upgrade it to the latest version? Is there any document or guideline on it?

Thanks
Sanjeev

Welcome :slight_smile:

yes, see Before You Upgrade | SonarQube Docs
In your case it’s either
7.1 > 7.9.6 (former LTS) > 8.9.6 (current LTS)
or even
7.1 > 7.9.6 (former LTS) > 8.9.6 (current LTS) > 9.3.0 (latest version)

See Download | SonarQube and scroll down for historical versions.

Gilbert

3 Likes

Hi Ann,

any plans to release 8.9 LTS with log4j 2.17.1?

Thanks,
Rukesh.

Hi Rukesh,

To be clear, our security researchers have found no way to exploit the Log4J vulnerabilities in any of the 8.9 point versions.

The latest releases of SonarQube - including the LTS - don’t use Log4J directly. The embedded Elasticsearch does contain Log4J but there is no vulnerability in the way Elasticsearch uses it. So we do not plan to upgrade Elasticsearch in the LTS.

HTH,
Ann

2 Likes

Thanks Ann,

Currently we have SonarQube 8.9.0.43852. Can we upgrade it to the latest patch, 8.9.6 LTS?
Do we have to run http://yourSonarQubeServerURL/setup, or is that not required?

Thanks,
Rukesh.

Hi Rukesh,

Yes, you can go directly to 8.9.6. And when you do just a point version upgrade, there are no database changes, so no need to do /setup.

HTH,
Ann

1 Like

I saw that version 8.9.7 LTS has been available since February 2022.

In the release notes, it refers to version 8.9.6 and the update of Log 4J to version 2.17.

So are there benefits to going to version 8.9.7 instead of 8.9.6?

Jeff

Hi,

You’re right. The release notes at Download | SonarQube for SonarQube 8.9.7 LTS
point to Release Notes - SonarSource
with only one Jira ticket for Sonarqube 8.9.6, 9.2.4, 9.3:
" Update of Elasticsearch to 7.16.2, update of Log4J to 2.17"

The release notes for Sonarqube 8.9.7 LTS are here, you might judge yourself if it is relevant for you.
In case of doubt, use either the most recent LTS or the latest Sonarqube version.

Gilbert

1 Like

Thanks Gilbert, just wondering if Log 4J would be patched to version 2.17.1 (even though it is not a major fix) in LTS version 8.9.7, but we’ll go with the latest LTS version anyway (always a sure bet).

Thanks for the quick reply

Jeff

Hi Jeff,

If you really want a SonarQube version with Elasticsearch using log4j-core 2.17.1,
you’ll have to go with the latest version, SonarQube 9.3.0.
The release notes for Sonarqube 9.3.0 have:
https://jira.sonarsource.com/browse/SONAR-15853
" Update of Elasticsearch to 7.16.2, update of Log4J to 2.17"
which in fact is wrong, as Sonarqube 9.3.0 ships with …\elasticsearch\lib\elasticsearch-7.16.3.jar
and Elasticsearch version 7.16.3 | Elasticsearch Guide [7.16] | Elastic has

Upgrades

Infra/Logging

  • Upgrade to log4j 2.17.1 #82111

We started to use the latest Sonarqube Enterprise version instead of the LTS in 2018 and had only problems with early 8.x versions after the redesign of the branches feature.
And now, as it’s not possible anymore to update the scanner plugins independently it’s even more important for us to use the latest version.

Gilbert

3 Likes
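The version check Gilbert did by hand above (looking at the log4j-core jar shipped under elasticsearch/lib) can be scripted. This is an added example, not code from the thread or from SonarSource; it assumes the directory layout named in the thread and builds two constructed sample install trees to run against.

```shell
# Added example: report whether the log4j-core jar(s) bundled with a SonarQube
# install's embedded Elasticsearch meet a target version (2.17.1 by default).

# Return 0 if dotted numeric version $1 is greater than or equal to version $2.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"          # leading component of each version
    [ "$a" = "$x" ] && a="" || a="${a#*.}"
    [ "$b" = "$y" ] && b="" || b="${b#*.}"
    x=${x:-0}; y=${y:-0}                # missing component counts as 0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# Print the version embedded in a log4j-core-<version>.jar path.
log4j_core_version() {
  f=$(basename "$1" .jar)
  echo "${f#log4j-core-}"
}

# Scan <install root>/elasticsearch/lib (the location named in the thread).
# Prints one line per jar; returns 1 if any jar is below the target version.
check_sonarqube_log4j() {
  root="$1"; target="${2:-2.17.1}"; rc=0
  for jar in "$root"/elasticsearch/lib/log4j-core-*.jar; do
    [ -e "$jar" ] || continue          # glob did not match: nothing bundled
    v=$(log4j_core_version "$jar")
    if version_ge "$v" "$target"; then
      echo "$jar $v OK"
    else
      echo "$jar $v OUTDATED (target $target)"; rc=1
    fi
  done
  return $rc
}

# Constructed sample trees mirroring the 7.1 (log4j-core 2.9.1) and
# 9.3.0 (log4j-core 2.17.1) layouts discussed in the thread.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/old/elasticsearch/lib" "$demo_root/new/elasticsearch/lib"
touch "$demo_root/old/elasticsearch/lib/log4j-core-2.9.1.jar"
touch "$demo_root/new/elasticsearch/lib/log4j-core-2.17.1.jar"
check_sonarqube_log4j "$demo_root/old" || true
check_sonarqube_log4j "$demo_root/new"
```

Point check_sonarqube_log4j at a real install root (the directory containing elasticsearch/) to get the same report for that server; the exit status makes it usable from a cron job or CI step.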

Hi,

SonarQube 9.3 effectively ships Elasticsearch 7.16.3. The corresponding ticket is the following one: SONAR-15869.
You can find several tickets related to the upgrade of Elasticsearch in SonarQube 9.3 release notes because the upgrade to Elasticsearch has been done iteratively in parallel to the 9.2.x bug fix releases.

Chris

1 Like

Yes, overlooked that in the crowd of tickets related to log4j, sorry.

Gilbert

Since version 9.3.0 is not in the LTS branch, would you say it is less stable?

We have installed version 8.9.7 for now.

I saw that the plugins folder was empty.

From the Web Admin console, I went to the Marketplace to search for plugins.

I also searched on the Internet on the SonarQube plugins index and saw some of the plugins that we used in our previous version (LTS 8.0).

But for most of them, it says compatible with 7.9 to 8.2 (like SonarVB, SonarXML, SonarCSS, etc.).

Can I use them with version 8.9.7?

Jeff

The official plugins are now bundled with SonarQube, you don’t need to install them manually. Please read this: SonarQube v8.5 and Beyond: Where did all the plugins go?

3 Likes