Vulnerability impact from okio-1.17.2 in SonarScanner CLI dependency chain

Hello, folks,

I hope this message finds everyone well. I’m reaching out to raise a concern and seek information about a specific vulnerability, CVE-2023-3635, that has been identified within the dependencies used by sonar-scanner-cli-5.0.1.3006. The vulnerability is associated with okio-1.17.2, which is a transitive dependency through com.squareup.okhttp3:okhttp:3.14.2.

Could the team share insights on the potential impact this vulnerability may have on users of SonarScanner CLI?

Are there any plans underway to upgrade this dependency to a secure version in the near future? If so, could you provide an estimated timeline for when we might expect these changes to be implemented?

Related topic: Sonar-scanner-cli and vulnerable okhttp3 dependency

Thank you for your attention to this matter and for the ongoing development and support of such invaluable tools.
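As an added illustration (not part of the original post, and not SonarSource's code), the following script shows how an operator can confirm for themselves which okio build a scanner installation actually ships, by parsing the jar file names in its lib directory and comparing them against a minimum version. The jar list is constructed from the artifacts named in this thread; the minimum okio version (3.4.0) is an assumption taken from the public advisory for CVE-2023-3635, and `find_vulnerable` is a hypothetical helper name.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches "<artifact>-<dotted version>.jar", e.g. "okio-1.17.2.jar".
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)+)\.jar$")

# Assumption: minimum versions per artifact, taken from the advisory for
# CVE-2023-3635 (okio fixed in 3.4.0). Extend this map for other advisories.
MIN_SAFE: Dict[str, str] = {"okio": "3.4.0"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.17.2' into (1, 17, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Split a jar file name into (artifact, version); None if it has no version."""
    match = JAR_RE.match(name)
    if not match:
        return None
    return match.group("artifact"), match.group("version")


def find_vulnerable(jar_names: List[str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, found_version, minimum_version) for every jar that
    is older than the minimum listed in MIN_SAFE."""
    findings = []
    for name in jar_names:
        parsed = parse_jar_name(name)
        if parsed is None:
            continue
        artifact, version = parsed
        minimum = MIN_SAFE.get(artifact)
        if minimum and parse_version(version) < parse_version(minimum):
            findings.append((artifact, version, minimum))
    return findings


# Constructed sample: jar names as they would appear in a scanner lib directory,
# using the artifacts and versions mentioned in this thread.
SAMPLE_LIB = [
    "sonar-scanner-cli-5.0.1.3006.jar",
    "okhttp-3.14.2.jar",
    "okio-1.17.2.jar",
]

if __name__ == "__main__":
    for artifact, found, minimum in find_vulnerable(SAMPLE_LIB):
        print(f"{artifact} {found} is below minimum {minimum}")
```

In practice the list would come from `os.listdir` on the scanner's lib directory; the same check can be run against the output of a build tool's dependency tree once the jar names are extracted.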

Hi,

I’ve unlisted your topic since you’re reporting a vulnerability. Our responsible disclosure policy asks that you email security@sonarsource.com rather than making public posts. Could you please re-send this to security@sonarsource.com!

Thx,
Ann