Trivy Security Scan showing vulnerable libraries

  • Version: SonarQube Developer Edition v9.1
  • Bug: Trivy scan of SonarQube Developer Edition v9.1 showing numerous Critical, High, Medium, Low vulnerabilities.
  • How to reproduce issue: Run Trivy scan against the SonarQube container
  • Possible Workaround: Update any library in the list when the latest version or bump up to one where it has been fixed



Welcome to the community and thanks for your report!

I’ve unlisted your topic since you’re reporting vulnerabilities. Our responsible disclosure policy asks that you email rather than making public posts. But I’ll let them know about this thread.


Apologies Ann! I will follow that clear process in the future.

Hi @matteisy ,

Thank you again for bringing this to us.

We know people use a variety of tools to scan for vulnerabilities in third-party software, and this is also part of our own Secure Software Development Lifecycle, as is semi-annual external penetration testing.
Our pen-testing vendor, Cure53 has published the April 2021 test of SonarQube 8.9 LTS and the October 2021 test of SonarQube 9.1.
Neither test found issues of any significance.

After investigating the component vulnerabilities you reported, we can share that none of these vulnerabilities impacts SonarQube or create an exposure. As such, we view the reported vulnerabilities as
non-application impacting.

We encourage users to read our security recommendations and employ their own network policies to ensure that only allowed traffic is
passed among systems and that traffic is encrypted if required by internal policy.

Thank you again for bringing this to us. We take all disclosures seriously and investigate them thoroughly. If you find anything else in the future, please do report it to Getting your reports helps us ensure our software is a secure part of the build chain for you and all our other users.

Administrative note: Since this has been investigated and there’s nothing to fix, I’ve relisted this topic.