Virus in Sonar scanner jar file

Hi @dharmendrarb1
And welcome to the community!
I understand your concern with this report.
A few things you might do:

  • Check whether your SonarQube instance may have been compromised (I’ve never heard of such a case, but you may not be able to rule it out completely). For that you may checksum-compare (globally, then on each file) this scanner jar file (https://SONARQUBE-URL/batch/file?name=sonar-scanner-engine-shaded-8.9.5.50698-all.jar) with one from another (100% safe) instance of the exact same edition and version.
  • Upgrade to the latest 8.9 patch version, which would be the 8.9.6 announced on Dec. 21st.
  • Report a false positive through your Palo Alto support channel.
  • If something is wrong with the file, you might share your detailed findings (including the scanner file safely quarantined) following our Responsible Vulnerability Disclosure guidelines.
  • If this was a false positive, an update here is welcome.
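The first suggestion above (global checksum, then per-file comparison against a known-good copy of the same edition and version) can be scripted. The following is an added example, not SonarSource code and not part of the original reply. It assumes you have already downloaded both jars from the `/batch/file?name=...` endpoint of the suspect and the trusted instance; the `demo()` function builds two small constructed jars in a temporary directory so the script runs offline, and the entry names inside them are made up for illustration.

```python
"""Compare a suspect scanner jar against a known-good copy.

Added example (not SonarSource code). Global SHA-256 first; if the archives
differ, hash each entry's *uncompressed* bytes so that timestamp or
compression-level differences do not hide (or fake) a real change.
"""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Global checksum of the whole archive, read in chunks to bound memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_digests(path: Path) -> Dict[str, str]:
    """SHA-256 of every file entry's decompressed content (directories skipped)."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = sha256_bytes(zf.read(info))
    return digests


def compare_jars(suspect: Path, reference: Path) -> dict:
    """Return which entries were added, removed or modified in `suspect`."""
    result: dict = {
        "global_match": sha256_file(suspect) == sha256_file(reference),
        "only_in_suspect": [],
        "only_in_reference": [],
        "modified": [],
    }
    if result["global_match"]:
        return result  # byte-identical archives: nothing more to inspect
    s, r = entry_digests(suspect), entry_digests(reference)
    result["only_in_suspect"] = sorted(set(s) - set(r))
    result["only_in_reference"] = sorted(set(r) - set(s))
    result["modified"] = sorted(n for n in set(s) & set(r) if s[n] != r[n])
    return result


def build_constructed_jar(path: Path, entries: Dict[str, bytes]) -> None:
    """Write a minimal jar with fixed timestamps (constructed test data only)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(2021, 12, 21, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)


def demo(tamper: bool = True) -> dict:
    """Build a reference jar and an (optionally) altered copy, then diff them.

    Entry names and contents are constructed placeholders, not real scanner files.
    """
    reference = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "org/example/scanner/Main.class": b"\xca\xfe\xba\xbe constructed bytes",
    }
    suspect = dict(reference)
    if tamper:
        suspect["org/example/scanner/Main.class"] = b"\xca\xfe\xba\xbe changed bytes"
        suspect["org/example/Extra.class"] = b"\xca\xfe\xba\xbe extra entry"
    with tempfile.TemporaryDirectory() as d:
        ref_path, sus_path = Path(d) / "reference.jar", Path(d) / "suspect.jar"
        build_constructed_jar(ref_path, reference)
        build_constructed_jar(sus_path, suspect)
        return compare_jars(sus_path, ref_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `compare_jars(Path("suspect.jar"), Path("reference.jar"))` on the two downloaded files; an empty `modified`/`only_in_suspect` list with a differing global hash usually means only archive metadata (timestamps, compression) differs, whereas any named entry in those lists is what you would quarantine and include in a disclosure report.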