SonarQube Version: 10.2.1
Plugin: sonar-maven-plugin:4.0.0.4121
Hello All,
It looks like recently (May 31, 2024), the sonar-maven-plugin was updated from version 3.11.0.3922 to 4.0.0.4121. This update has started to cause issues in our build pipelines because sonar-maven-plugin:4.0.0.4121 has a transitive dependency on plexus-utils:1.55, which currently has multiple CVEs and is being blocked by our component scanning software (Sonatype Lifecycle).
We didn't have this issue before the update, and after some digging it seems that for some reason sonar-maven-plugin:4.0.0.4121 is using org.sonatype.plexus : plexus-sec-dispatcher : 1.4 (which in turn depends on the vulnerable plexus-utils:1.55), whereas sonar-maven-plugin:3.11.0.3922 is using org.codehaus.plexus : plexus-sec-dispatcher : 2.0 (which in turn depends on the non-vulnerable plexus-utils:3.4.1).
My question is, why would a newer version of sonar-maven-plugin begin using an older (and vulnerable) version of plexus-utils than the previous versions? Should it actually be this way or was there a mistake when creating this version of the plugin?
Any insight into this issue would be very appreciated. Thanks!
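One way to keep the scanner blocked version off the plugin classpath while waiting for an upstream answer is to pin the transitive dependency from the consuming project's own pom.xml. Maven applies `<dependencies>` declared inside a `<plugin>` element to that plugin's classpath, and a directly declared coordinate wins over the version the plugin's POM would otherwise resolve. The fragment below is an added example written for this page, not SonarSource's fix and not something the poster tried; it assumes that plexus-utils 3.4.1 (the version the poster reports for 3.11.0.3922) is compatible with what plexus-sec-dispatcher 1.4 calls, and it uses the plugin's published coordinate `org.sonarsource.scanner.maven`, which is not quoted in the post.

```xml
<!-- Added example (editor's, not SonarSource's): override the plexus-utils
     version that sonar-maven-plugin 4.0.0.4121 pulls in transitively.
     Assumption: plexus-utils 3.4.1 is API-compatible with the plugin's
     plexus-sec-dispatcher 1.4 usage; the build should be run once to confirm. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.sonarsource.scanner.maven</groupId>
      <artifactId>sonar-maven-plugin</artifactId>
      <version>4.0.0.4121</version>
      <dependencies>
        <!-- Same groupId:artifactId as the transitive 1.55 artifact, so Maven's
             nearest-wins mediation replaces it on the plugin classpath. -->
        <dependency>
          <groupId>org.codehaus.plexus</groupId>
          <artifactId>plexus-utils</artifactId>
          <version>3.4.1</version>
        </dependency>
      </dependencies>
    </plugin>
  </plugins>
</build>
```

Note that the two plexus-sec-dispatcher artifacts the poster names live under different groupIds (`org.sonatype.plexus` for 1.4, `org.codehaus.plexus` for 2.0), so declaring the 2.0 artifact here would add it alongside 1.4 rather than replace it; overriding plexus-utils itself is the change that actually removes the flagged version. After editing the POM, `mvn dependency:resolve-plugins` lists each plugin together with the dependency versions Maven resolved for it, which is the quickest way to confirm that plexus-utils:1.55 is gone before re-running the component scan.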