Will SonarQube version 6.7.4 detect log4j vulnerability in the source code?

We are running SonarQube version 6.7.4 and we noticed that even though our source code had references to the log4j jar file and the log4j 1.x and 2.x versions which had the vulnerability issue, SonarQube did not flag that as a vulnerability and we missed catching that.

I would like to know if there is any way we could capture this kind of vulnerability in version 6.7.4 with the help of plugins or any other option (as an upgrade to the latest version is not that feasible for us currently).

Thanks,
Pranothi

Hi @pjsonar ,

SonarQube does source code analysis, not dependency analysis. Log4j is an external library that you’re referencing and you’ll need a dependency scanner to detect vulnerabilities there.

This is on the roadmap for SonarQube, but with no timelines so far.

On a related note, you should upgrade to either 8.9.6 LTS or 9.2.4 asap. Your version is way beyond end of life, and is vulnerable to the Log4j exploit itself. Your upgrade path is
6.7.4 → 7.9.6 → 8.9.6 → (optional) 9.2.4
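To make Chris's distinction concrete, here is an added example (not SonarQube's code and not from anyone in this thread) of the kind of check a dependency scanner performs and a source analyser does not: it opens a jar, reads the Maven `pom.properties` that build tools embed under `META-INF/maven/`, and compares the recorded `log4j-core` version against a minimum version supplied by the caller. The sample jar is constructed in memory, and the `2.17.1` threshold in `POLICY` is an assumed placeholder for illustration; the real minimum belongs to the vendor advisory you are acting on.

```python
import io
import re
import zipfile

# Path of the Maven metadata a scanner can read without any source code.
POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(v):
    """'2.14.1' -> ((2, 14, 1), 1, ''); a pre-release tag such as '2.0-beta9' sorts below '2.0'."""
    core, _, tag = v.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    return nums, (0 if tag else 1), tag


def jar_artifacts(jar_bytes):
    """Yield (groupId, artifactId, version) for every pom.properties embedded in the jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if POM_RE.match(name):
                lines = zf.read(name).decode("utf-8").splitlines()
                props = dict(line.split("=", 1) for line in lines
                             if "=" in line and not line.startswith("#"))
                yield props.get("groupId"), props.get("artifactId"), props.get("version")


def check_jar(jar_bytes, policy):
    """policy maps (groupId, artifactId) -> minimum acceptable version; returns findings."""
    findings = []
    for group, artifact, version in jar_artifacts(jar_bytes):
        min_ok = policy.get((group, artifact))
        if min_ok and parse_version(version) < parse_version(min_ok):
            findings.append(f"{group}:{artifact}:{version} is below {min_ok}")
    return findings


def make_jar(group, artifact, version):
    """Constructed sample jar holding only the Maven metadata the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"#generated\nversion={version}\ngroupId={group}\nartifactId={artifact}\n")
    return buf.getvalue()


# Assumed threshold for illustration only; take the real minimum from the vendor advisory.
POLICY = {("org.apache.logging.log4j", "log4j-core"): "2.17.1"}

if __name__ == "__main__":
    for ver in ("2.14.1", "2.17.1"):
        print(ver, check_jar(make_jar("org.apache.logging.log4j", "log4j-core", ver), POLICY))
```

Running the same check over every jar in a build's `lib/` directory, or over the output of `mvn dependency:list`, is what tools such as Dependency Check automate; SonarQube 6.7.4 never looks inside the jar at all.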

Hi Chris,

Thanks for getting back. I know log4j is an external library but since the version that is being used in the source code has a vulnerability, I was expecting sonar to flag it as a vulnerability.
By dependency scanner, are you referring to WhiteSource or BlackDuck or a similar tool?

Regarding the upgrade, we are working on it but since we are using MySQL and (from my understanding) the later versions do not support MySQL and only Postgres, we are figuring out how this needs to be done.
Since we are on community edition, I understand that this db copy tool is not available to us:
https://docs.sonarqube.org/latest/instance-administration/db-copy/
Is there anything similar that will make it easy for us to migrate the DB over for the upgrade?

Thanks,
Pranothi

Yes, I meant a tool such as WhiteSource or Dependency Check:

Have you looked at

for the MySQL to PostgreSQL migration? That seems to do what you need.
