SonarQube, SonarCloud, and the Log4J vulnerability

Yes, overlooked that in the crowd of tickets related to log4j, sorry.

Gilbert

Since version 9.3.0 is not in the LTS branch, would you say it is less stable?

We have installed version 8.9.7 for now.

I saw that the plugins folder was empty.

From the Web Admin console, I went to the Marketplace to search for plugins.

I also searched on the Internet on the SonarQube plugins index and saw some of the plugins that we used in our previous version (LTS 8.0).

But for most of them, it says compatible with 7.9 to 8.2 (like SonarVB, SonarXML, SonarCSS, etc.).

Can I use them with version 8.9.7?

Jeff

The official plugins are now bundled with SonarQube, you don’t need to install them manually. Please read this: SonarQube v8.5 and Beyond: Where did all the plugins go?


Thanks Felipe, spot on!

I probably missed this important information, but now I am relieved.

I was checking the plugins because the developers who are testing SQ LTS 8.9.7 used the same build to compare version 8.0 and 8.9.7, and they sent me an image of the results: we can see that the number of bugs has dropped (almost in half) and code smells have gone up a little with version 8.9.7 (compared to 8.0). I was wondering if it could be due to a missing plugin? Or is it just the way the new version analyses the code?

Jeff

I forgot to add that I did not install the Sonar Scanner MSBuild for .NET Core, and this project is built in .NET Core… maybe worth noting… I wasn’t sure if I had to install this scanner and the other one for .NET Framework.


Hi Jeff,

You’ll need to analyze with the SonarScanner for .NET to get correct results for .NET code.

Ann


Thanks Ann, I will install these two scanners. I didn’t know if there was something built into SonarQube since 8.5 for .NET, since the plugins folder is empty and all the plugins have been integrated into the software.

Jeff

Hi Jeff,

We switched from LTS to latest in 2018 for our Enterprise instance to be able to use all new features.
Besides some bugs and glitches in early 8.x versions, we never hit any major problems, and I will update
to SonarQube Enterprise 9.x next month.
If you want / need to use the latest scanner versions, you are forced to use the latest version,
because those plugins are only shipped within a new SonarQube version.

Besides the official SonarSource plugins and a plugin with custom rules, we use / I recommend:
https://softvis3d.com/ :ok_hand:
Do you know the book Your Code as a Crime Scene: Use Forensic Techniques to Arrest Defects, Bottlenecks, and Bad Design in Your Programs by Adam Tornhill?

Gilbert


Thanks for the links Gilbert!

Do you know if the next LTS release (possibly 8.9.8) will update the Apache Log4J files to 2.17.1?

Jeff

No clue about that.
You may track Sonarsource Jira, especially
https://jira.sonarsource.com/secure/ReleaseNote.jspa?projectId=10930&version=17249

Right now it has only three tickets, but there may be more to come.

Gilbert


Ok, thanks.

Jeff

Hi,

I am wondering about SonarQube version 8.9.6 LTS; it seems that this is running the following Log4J versions:

  • log4j-api-2.17.0.jar
  • elasticsearch-log4j-7.16.2.jar

It seems that Log4J version 2.17.1 is the recommended version to address the security vulnerabilities. I was wondering if there were any plans to upgrade the Log4J components within SonarQube version 8.9.6 LTS to Log4J version 2.17.1?

Thanks.
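The question above comes down to reading Log4J versions off jar filenames in a SonarQube install and comparing them with the 2.17.1 floor the scanners expect. The following script is an added example, not code from the thread or from SonarSource; it walks a directory (the `lib/` and `elasticsearch/` trees of an install are the assumed targets) and treats `elasticsearch-log4j-<n>.jar` separately, because that number is the Elasticsearch release, not a Log4J version, so it cannot be compared against the floor from the filename alone.

```python
import re
import sys
from pathlib import Path

# Minimum Log4J 2.x version the thread treats as the target.
LOG4J_FLOOR = (2, 17, 1)

# Matches log4j-api-2.17.0.jar, log4j-core-2.17.1.jar, log4j-1.2-api-2.17.0.jar, ...
LOG4J_JAR = re.compile(r"^log4j-(?P<artifact>[a-z0-9.-]+?)-(?P<ver>\d+(?:\.\d+)*)\.jar$")
# Elasticsearch's logging module; the number is the ES release, not a Log4J version.
ES_LOG4J_JAR = re.compile(r"^elasticsearch-log4j-(?P<ver>\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.17.0' -> (2, 17, 0), so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def classify_jar(name):
    """Return (kind, version tuple) for a jar filename, or (None, None) if unrelated."""
    m = LOG4J_JAR.match(name)
    if m:
        return ("log4j-" + m.group("artifact"), parse_version(m.group("ver")))
    m = ES_LOG4J_JAR.match(name)
    if m:
        return ("elasticsearch-log4j", parse_version(m.group("ver")))
    return (None, None)


def audit_jars(names, floor=LOG4J_FLOOR):
    """Return [(filename, status)] for every Log4J-related jar in `names`."""
    findings = []
    for name in sorted(names):
        kind, ver = classify_jar(name)
        if kind is None:
            continue  # unrelated jar (lucene, guava, ...)
        if kind == "elasticsearch-log4j":
            findings.append((name, "review-manually"))  # ES version, not Log4J version
        else:
            findings.append((name, "ok" if ver >= floor else "below-floor"))
    return findings


def audit_dir(root):
    """Scan an install directory recursively and audit every jar found."""
    return audit_jars(p.name for p in Path(root).rglob("*.jar"))


# Constructed sample mirroring the jar names quoted in the thread.
SAMPLE_JARS = ["log4j-api-2.17.0.jar", "elasticsearch-log4j-7.16.2.jar", "lucene-core-8.10.1.jar"]

if __name__ == "__main__":
    results = audit_dir(sys.argv[1]) if len(sys.argv) > 1 else audit_jars(SAMPLE_JARS)
    for name, status in results:
        print(f"{status:16} {name}")
```

Run it as `python audit_log4j.py /opt/sonarqube` to check a real install; with no argument it reports on the constructed sample.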

@Sefton please see this answer:

Also note that you’re running SonarQube 8.9.6 and the latest version is 8.9.8.


Since it has been a few months since Sefton’s post on Apr 22 and Felipe’s answer, I thought I’d follow up. Does the latest version of SonarQube 8.9.9 LTS use Log4J version 2.17.1 or higher? Or is it still the case that we would need to upgrade to SonarQube 9.3 or higher as Chris replied back in February?

Thank you.
Craig

Hi Craig,

Welcome to the community!

Please see the initial post in this thread. It was updated continuously last December as we explored the topic and issued patches.

In general, you should always be on either the latest version (currently 9.5) or the latest patch release of the LTS (currently 8.9.9).

HTH,
Ann

Ann - I appreciate the quick response, and we will be moving forward to upgrade from 8.9.6 to 8.9.9.

However, due to our corporate scanning tools, 8.9.6 is reporting a (presumably) false positive about log4j 2.17.0 needing to be upgraded to 2.17.1. The initial post in this thread states that 8.9.6 LTS was released to “eliminate confusion and avoid false-positive from vulnerability scanning tools” and that the new version “updates the packaged Log4J dependency to 2.17”.

It appears that the initial post is no longer clear since it doesn’t refer to versions of 8.9.X higher than 8.9.6 nor does it specifically mention log4j 2.17.1.

After a careful read through this thread, it appears that several people have specifically said that SonarQube 9.3 and higher uses the version of Elasticsearch that pulls in log4j 2.17.1, but I see no definitive statement about whether 8.9.9 LTS eliminates false positives related to log4j 2.17.0 by using 2.17.1.

Maybe there are no plans to use log4j 2.17.1 or higher with any version of SonarQube 8.9.X, but if so, a definitive statement about 8.9.X wrt log4j 2.17.1 would be helpful.

Thanks again!

Hi @craigw,

Our need for definitive statements ended with the update on 21 December 2021.

I invite you to adopt a current version.

Ann


Hi Ann! I have a very similar question. The version we have is the latest LTS, 8.9.9. However, it now looks like elasticsearch-log4j-7.16.2.jar, which is what is included in SQ 8.9.9, is vulnerable according to security scans. As CraigW mentioned, I assume there will be no fixes to the Elasticsearch log4j included in the LTS version of SQ?

Hi @EugeneL,

Welcome to the community!

If you believe you’ve found a vulnerability we’re not aware of, I invite you to submit a disclosure according to:

Ann

Ann, this is not something new. This is showing up as CVE-2021-44832. The elastic log4j library included in Elasticsearch seems to be using an older version. I will send an email, as you indicated. Thanks