That CVE seems to indicate an issue with old JRE versions, not any specific file. Is it possible you have some old Java installations floating around either on your SonarQube server, or clients (running analysis) trying to download files from your SonarQube server?
This is, I think, the first jar downloaded by the SonarQube scanner.
The Palo Alto does not scan systems, but rather traffic. It identified this file that SQ transferred as having the vulnerability I identified, and blocked it due to having a threat signature.
I’m trying to understand how the SQ server hosts this data in order to serve it for analysis purposes. This file may contain vulnerabilities based on how it utilizes the JRE to compile the jar? Is this jar file created by the SQ server or is it stored on the server?
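One concrete way to pin down what a downloaded jar actually requires from the JRE, and to compare the blocked copy against the copy on the server, is to read its manifest and the class-file version headers. The script below is an added example, not code from this thread, from SonarSource, or from Palo Alto; the sample jar it builds is constructed in memory so it runs offline, and reading the file from a path is an assumption about how you would point it at the real artifact. A match on a JRE-version signature is about the runtime the jar targets, so this only tells you the Java release the bytecode was compiled for and the SHA-256 of the file, not whether the jar itself is exploitable.

```python
import hashlib
import io
import struct
import zipfile

# JVM class-file major version -> Java release, per the JVM specification.
JAVA_BY_MAJOR = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6", 51: "7",
                 52: "8", 53: "9", 54: "10", 55: "11", 56: "12", 57: "13", 58: "14",
                 59: "15", 60: "16", 61: "17", 62: "18", 63: "19", 64: "20", 65: "21"}


def class_major_version(class_bytes):
    """Return the major version from a .class header: magic, minor, major (big-endian)."""
    if len(class_bytes) < 8:
        raise ValueError("truncated class file")
    magic, _minor, major = struct.unpack(">IHH", class_bytes[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file: bad magic 0x%08x" % magic)
    return major


def parse_manifest(text):
    """Parse the main section of META-INF/MANIFEST.MF; continuation lines start with a space."""
    attrs = {}
    last_key = None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last_key:
            attrs[last_key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            attrs[last_key] = value.strip()
    return attrs


def inspect_jar(jar_bytes):
    """Summarise a jar: file hash, manifest build info, and the highest class-file
    major version among its baseline (non multi-release) classes."""
    result = {
        "sha256": hashlib.sha256(jar_bytes).hexdigest(),
        "manifest": {},
        "max_major": None,
        "java_target": None,
        "multi_release_entries": 0,
    }
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            result["manifest"] = parse_manifest(raw)
        for name in names:
            if not name.endswith(".class"):
                continue
            if name.startswith("META-INF/versions/"):
                # Multi-release overlays target newer JREs; count them separately.
                result["multi_release_entries"] += 1
                continue
            major = class_major_version(zf.read(name))
            if result["max_major"] is None or major > result["max_major"]:
                result["max_major"] = major
    if result["max_major"] is not None:
        result["java_target"] = JAVA_BY_MAJOR.get(result["max_major"], "unknown")
    return result


def build_sample_jar():
    """Constructed sample (not a real SonarQube artifact): a manifest claiming a Java 8
    build, one class header compiled for Java 8 (major 52) and one multi-release
    overlay compiled for Java 11 (major 55)."""
    manifest = ("Manifest-Version: 1.0\r\n"
                "Created-By: 1.8.0_292 (Constructed Example)\r\n"
                "Build-Jdk: 1.8.0_292\r\n"
                "Implementation-Title: example-sca\r\n"
                " nner-plugin\r\n"  # manifest continuation line
                "\r\n")
    java8_class = b"\xca\xfe\xba\xbe\x00\x00\x00\x34"   # magic, minor 0, major 52
    java11_class = b"\xca\xfe\xba\xbe\x00\x00\x00\x37"  # magic, minor 0, major 55
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("org/example/Foo.class", java8_class)
        zf.writestr("META-INF/versions/11/org/example/Foo.class", java11_class)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Assumed usage: pass the path of the jar the firewall flagged; with no argument
    # the constructed sample is inspected instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for key, value in inspect_jar(data).items():
        print("%s: %s" % (key, value))
```

Run it once against the copy the scanner received (or the blocked file pulled from the firewall's capture, if you have it) and once against the same jar on the server side; identical SHA-256 values mean the firewall flagged content the server is legitimately serving rather than something altered in transit, and the java_target field tells you which JRE generation the bytecode was built for.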