SONAR-25445 Include CVE review and treatment file for SQCB 25.7

alain-kermis-sonarsource · sonartech · commit 015eb1ed5885 · 2025-07-04T20:04:06.000Z
diff --git a/sonar-application/src/main/assembly/security/CVE-review-and-treatment-status-sqcb.csv b/sonar-application/src/main/assembly/security/CVE-review-and-treatment-status-sqcb.csv
@@ -1,76 +1,61 @@
 Vulnerability ID,Library,Severity,CVSS,CVSS Type,Status,Library Type,Comment
-CVE-2024-21538,cross-spawn-7.0.3.tgz,HIGH,7.5,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable to the ReDoS as this package is only used during the development and testing phases.
 CVE-2020-36843,eddsa-0.3.0.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,The transitive dependency has been removed.
-CVE-2025-27789,runtime-7.21.5.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
-CVE-2025-27789,runtime-7.18.9.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
-CVE-2025-27789,runtime-7.16.3.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
-CVE-2025-27789,runtime-7.17.8.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
-CVE-2025-27789,runtime-7.16.5.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
-CVE-2025-27789,helpers-7.25.6.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable as it doesn't use untrusted strings in captured groups replacement
-CVE-2025-27789,runtime-7.25.6.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable as it doesn't use untrusted strings in captured groups replacement
-CVE-2024-43485,microsoft.codeanalysis.workspaces.msbuild.4.12.0-1.final.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,"This library is used by the TestFramework and it's not included in the product package. The CVE is registered as ""unproven"". The risk is a DDoS on the test system."
+CVE-2025-49146,postgresql-42.7.6.jar,HIGH,8.2,CVSS_3,Ignored,Java,SonarQube is not vulnerable as it doesn't use channel binding set to required.
+CVE-2025-41234,spring-web-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,"SonarQube is not vulnerable as it does not use ContentDisposition.Builder#filename(String, Charset)"
 CVE-2021-22570,google.protobuf.3.6.1.nupkg,MEDIUM,6.5,CVSS_3,Ignored,Nuget,The protobuf payload is both generated and consumed by the user of SonarQube . An external attacker would need already access to the machine to exploit this.
-CVE-2018-8292,system.net.http.4.3.2.nupkg,MEDIUM,5.3,CVSS_3,Ignored,Nuget,"This library is used by the TestFramework and it's not included in the product package. The CVE is registered as ""unproven"". The risk is a DDoS on the test system."
 CVE-2024-38081,microsoft.io.redist.6.0.0.nupkg,HIGH,7.3,CVSS_3,Ignored,Nuget,"This dependency is only used for product unit testing and it's not included in the product package. The CVE is registered as ""unproven""."
+CVE-2025-26646,microsoft.build.tasks.core.17.10.4.nupkg,HIGH,8,CVSS_3,Ignored,Nuget,This dependency is only used for product unit testing and it's not included in the product package. 
+CVE-2025-26646,microsoft.build.tasks.core.17.7.2.nupkg,HIGH,8,CVSS_3,Ignored,Nuget,This dependency is only used for product unit testing and it's not included in the product package. 
 CVE-2024-38095,system.formats.asn1.7.0.0.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,"This dependency is only used for product unit testing and it's not included in the product package. The CVE is registered as ""unproven""."
-CVE-2019-0820,system.text.regularexpressions.4.3.0.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,The product package is not vulnerable as the compiler will load the version already present on the customer host.
-CVE-2021-29425,commons-io-2.6.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-WS-2019-0379,commons-codec-1.11.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2024-43485,microsoft.codeanalysis.workspaces.msbuild.4.12.0-1.final.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,"This library is used by the TestFramework and it's not included in the product package. The CVE is registered as ""unproven"". The risk is a DDoS on the test system."
 CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2020-15250,junit-4.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
 CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2023-6378,logback-classic-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2021-42550,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
 CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2021-42550,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2023-6481,logback-core-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2024-47554,commons-io-2.6.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"Ignoring alerts because this is a transitive dependency over  the sonar-orchestrator library, which is only used for testing and is not shipped with the product."
-CVE-2024-12798,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2024-12801,logback-core-1.2.0.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
+CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,Library woodstox-core-6.2.7.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
+CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
+CVE-2024-47554,commons-io-2.7.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"This is a transitive dependency over the sonar-orchestrator library, which is only used for testing and is not shipped with the product."
+CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
 CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2024-12798,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2024-12801,logback-core-1.3.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2024-12798,logback-core-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2024-12798,logback-classic-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
 CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2024-38827,spring-security-core-6.2.3.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
-CVE-2024-38827,spring-security-ldap-6.2.3.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
-CVE-2025-22228,spring-security-crypto-6.2.3.jar,HIGH,7.4,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
-CVE-2024-38827,spring-security-crypto-6.2.3.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
-CVE-2024-38829,spring-ldap-core-3.2.2.jar,LOW,3.7,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
-CVE-2025-31650,tomcat-embed-core-9.0.100.jar,HIGH,7.5,CVSS_3,Ignored,Java,"SonarQube only uses tomcat to transpile Jsp files, it is not vulnerable to malicious Http requests"
-CVE-2025-31651,tomcat-embed-core-9.0.100.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,"SonarQube only uses tomcat to transpile Jsp files, it is not vulnerable to malicious Http requests"
-CVE-2025-27789,runtime-7.26.7.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,"As described in CVE-2025-27789, SonarQube is not vulnerable because it is using @babel/core 7.27.10."
+WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
+CVE-2025-52999,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,The jackson-core-2.13.2.jar library is a transitive dependency of Orchestrator and is used only during compile and test time and is not included in the final Ruby Analyzer.
+CVE-2025-48734,commons-beanutils-1.9.4.jar,HIGH,8.8,CVSS_3,Ignored,Java,commons-beanutils:commons-beanutils:1.9.4 is used only within integration tests and is not shipped in the final product
+WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
 CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,Library woodstox-core-6.2.7.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
 CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
-CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,Library okio-2.5.0.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either plugins
-CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
-WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
 CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,Library okhttp-4.5.0.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
+CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
 CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
 CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
-CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
+CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,Library okio-2.5.0.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either plugins
+CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
+CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2023-46122,io_2.13-1.6.0.jar,LOW,3.9,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
+CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2022-36944,scala-library-2.13.6.jar,CRITICAL,9.8,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
 CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2020-15250,junit-4.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
 CVE-2023-50572,jline-3.19.0.jar,MEDIUM,5.5,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
-CVE-2023-6481,logback-core-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2022-36944,scala-library-2.13.6.jar,CRITICAL,9.8,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
-CVE-2021-29425,commons-io-2.6.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
 CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2021-42550,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-WS-2019-0379,commons-codec-1.11.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
 CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2021-42550,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2023-46122,io_2.13-1.6.0.jar,LOW,3.9,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
-CVE-2023-6378,logback-classic-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2024-47554,commons-io-2.6.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"Ignoring alerts because this is a transitive dependency over the sonar-orchestrator library, which is only used for testing and is not shipped with the product."
-CVE-2024-12798,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2024-12801,logback-core-1.2.0.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
+CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
+CVE-2024-47554,commons-io-2.7.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"This is a transitive dependency used by the sonar-orchestrator library, which is only used for testing and is not shipped with the product."
+CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
+CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,Library woodstox-core-6.2.7.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
+CVE-2024-12801,logback-core-1.3.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
 CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2024-12798,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
-CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2024-12798,logback-core-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+CVE-2024-12798,logback-classic-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
+WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only and is used to run the integration tests of plugins
+CVE-2025-52999,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,The jackson-core-2.13.2.jar library is a transitive dependency of Orchestrator. This dependency is used only during compile and test time and is not included in the final scanner for Gradle product.
