Upgrade embedded Go from vulnerable go1.21.1 (CVE-2024-24790) to go1.22.4+

hmi · September 1, 2025, 8:44am

We deploy Sonarqube in K8S with the offical docker image: 2025-lta-developer.

We noticed that the current SonarGo plugin (1.18.1.827) embeds Go version 1.21.1 (sonar-go/sonar-go-to-slang/Makefile at 1.18.1.827 · SonarSource/sonar-go · GitHub), which is affected by CVE-2024-24790 (CVSS 9.8, High Severity). This vulnerability allows malicious IPv6 addresses to bypass security checks.

Our security scans (JFrog Xray) flag this as a critical risk, any plan to upgrade the plugin?

Colin · September 1, 2025, 9:59am

Hello,

SonarQube is not affected by CVE-2024-24790, as the Go analyzer does not use the vulnerable net/netip package.

The affected dependency was upgraded in version 2025.2 (the latest version is 2025.4) as part of routine updates, not as a response to a security issue. We do not plan to backport this upgrade to version 2025.1 LTA.

Topic		Replies	Views
Bump up version of Go Code Quality and Security plugin in LTS 8.X release SonarQube Server / Community Build go	1	842	November 24, 2022
Sonarqube version that supports go1.20 SonarQube Server / Community Build sonarqube , scanner	4	451	July 26, 2023
Vulnerabilities (Go) doesn't show in Developer Edition? SonarQube Server / Community Build	2	399	July 29, 2022
About the many CVE in sonar-plugin-api dependencies SonarQube Server / Community Build custom_rules , security	5	2104	February 8, 2022
Depencencies' vulnerabilities on Sonarqube Community 10.0.0 SonarQube Server / Community Build	5	397	June 8, 2023

Upgrade embedded Go from vulnerable go1.21.1 (CVE-2024-24790) to go1.22.4+

Related topics