Trivy scans shows several vulnerabilities

fmulero · September 19, 2025, 7:23am

Hello team,

Running a Trivy security scan to the latest Community Docker image returned some CRITICAL CVEs dependencies-related:

CVE-2025-58057
CVE-2025-58056

Could you confirm whether Sonarqube is affected by these vulnerabilities and if so, are there plans to update the affected depencencies?

Steps to reproduce:

trivy image --pkg-types library sonarqube:community

Colin · September 19, 2025, 7:45am

Hi,

I’ve unlisted your topic since you’re reporting a vulnerability.

For SonarQube Community Build, we’ve packaged a comprehensive vulnerability listing in the .csv file in the security directory of your SonarQube Community Build distribution. If the vulnerability you’ve found is not reflected there, or if you still have questions after consulting the file, please email security@sonarsource.com rather than making public posts, per our responsible disclosure policy.

Thx,

Topic		Replies	Views
Depencencies' vulnerabilities on Sonarqube Community 10.0.0 SonarQube Server / Community Build	5	412	June 8, 2023
Depencencies’ vulnerabilities on Sonarqube Community 10.1.0 SonarQube Server / Community Build	5	342	July 18, 2023
Trivy Security Scan showing vulnerable libraries SonarQube Server / Community Build sonarqube	6	1806	November 18, 2021
Trivy Scans of SonarQube 9.8.0 Docker Image Show Several Vulnerabilities SonarQube Server / Community Build	3	2405	February 7, 2023
Dependencies Vulnerabilities Sonarqube Community 9.9 SonarQube Server / Community Build sonarqube	1	312	February 16, 2024

Trivy scans shows several vulnerabilities

Related topics