Vulnerability Identified in SQ jar file

Current Version: 7.7EE
Scenario: Performing analysis on C# / .NET CORE in a container.

Our Palo Alto firewall appliance identified sonar-scanner-engine-shaded-developer-7.7-all.jar (http://sqserver:9000/batch/file?name=sonar-scanner-engine-shaded-developer-7.7-all.jar) as having the following vulnerability.

Has this vulnerability been resolved in the latest version of SQ (8.1)?


That CVE seems to indicate an issue with old JRE versions, not any specific file. Is it possible you have some old Java installations floating around either on your SonarQube Server, or clients (running analysis) trying to download files from your SonarQube server?

This is, I think, the first jar downloaded by the SonarQube scanner.


Hi Colins,

The Palo Alto does not scan systems, but rather traffic. It identified this file that SQ transferred as having the vulnerability I identified, and blocked it due to having a threat signature.

I’m trying to understand how the SQ server hosts this data in order to serve it for analysis purposes. This file may contain vulnerabilities based on how it utilizes the JRE to compile the jar? Is this jar file created by the SQ server or is it stored on the server?