
Commit bf47187

alain-kermis-sonarsource authored and sonartech committed
SONAR-24942 Include CVEs inside SQCB distribution file for SQCB 25.5
1 parent 7ecdc82 commit bf47187

2 files changed: +76 −46983 lines changed

Lines changed: 76 additions & 17 deletions
@@ -1,17 +1,76 @@
1-
Vulnerability ID,Library,Organization,Product,Project,Severity,CVSS,CVSS Type,Status,Library Type,Comment
2-
CVE-2024-57699,json-smart-2.5.1.jar,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,HIGH,7.5,CVSS_3,Library removed,Java,SonarQube is not vulnerable. This library is a transitive dependency of library used for Microsoft Entra database authentication. Only admin can configure the database authentication through a JDBC URL which cannot contain nested brackets.
3-
CVE-2024-21538,cross-spawn-7.0.3.tgz,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,HIGH,7.5,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable to the ReDoS as this package is only used during the development and testing phases.
4-
CVE-2025-27152,axios-1.7.7.tgz,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,HIGH,7.5,CVSS_3,Library removed,javascript/Node.js,axios has been upgraded
5-
CVE-2021-37714,jsoup-1.13.1.jar,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,HIGH,7.5,CVSS_3,Library removed,Java,
6-
CVE-2022-36033,jsoup-1.13.1.jar,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,MEDIUM,6.1,CVSS_3,Library removed,Java,
7-
CVE-2025-24813,tomcat-embed-core-10.1.34.jar,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,CRITICAL,9.8,CVSS_3,Library removed,Java,SonarQube is not vulnerable. The default setup configuration of the web.xml servlet is not modified and writes are not enabled for the default servlet.
8-
CVE-2025-27789,runtime-7.17.9.tgz,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
9-
CVE-2025-27789,runtime-7.17.8.tgz,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
10-
CVE-2025-27789,runtime-7.16.5.tgz,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
11-
CVE-2025-27789,runtime-7.16.3.tgz,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
12-
CVE-2025-27789,runtime-7.21.5.tgz,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
13-
CVE-2025-27789,runtime-7.18.9.tgz,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
14-
CVE-2020-36843,eddsa-0.3.0.jar,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,MEDIUM,4.3,CVSS_3,Ignored,Java,SonarQube application does not use this library and it has been removed
15-
CVE-2020-36843,eddsa-0.3.0.jar,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,MEDIUM,4.3,CVSS_3,Library removed,Java,
16-
CVE-2025-22228,spring-security-crypto-6.4.2.jar,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,HIGH,7.4,CVSS_3,Library removed,Java,
17-
CVE-2025-22223,spring-security-core-6.4.2.jar,SonarSource,SonarSource/sonar-enterprise,SonarSource/sonar-enterprise sqcb-25.4,MEDIUM,5.3,CVSS_3,Library removed,Java,
1+
Vulnerability ID,Library,Severity,CVSS,CVSS Type,Status,Library Type,Comment
2+
CVE-2024-21538,cross-spawn-7.0.3.tgz,HIGH,7.5,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable to the ReDoS as this package is only used during the development and testing phases.
3+
CVE-2020-36843,eddsa-0.3.0.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,The transitive dependency has been removed.
4+
CVE-2025-27789,runtime-7.21.5.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
5+
CVE-2025-27789,runtime-7.18.9.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
6+
CVE-2025-27789,runtime-7.16.3.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
7+
CVE-2025-27789,runtime-7.17.8.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
8+
CVE-2025-27789,runtime-7.16.5.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
9+
CVE-2025-27789,helpers-7.25.6.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable as it doesn't use untrusted strings in captured groups replacement
10+
CVE-2025-27789,runtime-7.25.6.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable as it doesn't use untrusted strings in captured groups replacement
11+
CVE-2024-43485,microsoft.codeanalysis.workspaces.msbuild.4.12.0-1.final.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,"This library is used by the TestFramework and it's not included in the product package. The CVE is registered as ""unproven"". The risk is a DDoS on the test system."
12+
CVE-2021-22570,google.protobuf.3.6.1.nupkg,MEDIUM,6.5,CVSS_3,Ignored,Nuget,The protobuf payload is both generated and consumed by the user of SonarQube . An external attacker would need already access to the machine to exploit this.
13+
CVE-2018-8292,system.net.http.4.3.2.nupkg,MEDIUM,5.3,CVSS_3,Ignored,Nuget,"This library is used by the TestFramework and it's not included in the product package. The CVE is registered as ""unproven"". The risk is a DDoS on the test system."
14+
CVE-2024-38081,microsoft.io.redist.6.0.0.nupkg,HIGH,7.3,CVSS_3,Ignored,Nuget,"This dependency is only used for product unit testing and it's not included in the product package. The CVE is registered as ""unproven""."
15+
CVE-2024-38095,system.formats.asn1.7.0.0.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,"This dependency is only used for product unit testing and it's not included in the product package. The CVE is registered as ""unproven""."
16+
CVE-2019-0820,system.text.regularexpressions.4.3.0.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,The product package is not vulnerable as the compiler will load the version already present on the customer host.
17+
CVE-2021-29425,commons-io-2.6.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
18+
CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
19+
WS-2019-0379,commons-codec-1.11.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
20+
CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
21+
CVE-2020-15250,junit-4.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
22+
CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
23+
CVE-2023-6378,logback-classic-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
24+
CVE-2021-42550,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
25+
CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
26+
CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
27+
CVE-2021-42550,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
28+
CVE-2023-6481,logback-core-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
29+
CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
30+
CVE-2024-47554,commons-io-2.6.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"Ignoring alerts because this is a transitive dependency over the sonar-orchestrator library, which is only used for testing and is not shipped with the product."
31+
CVE-2024-12798,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
32+
CVE-2024-12801,logback-core-1.2.0.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
33+
CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
34+
CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
35+
CVE-2024-12798,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
36+
CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
37+
CVE-2024-38827,spring-security-core-6.2.3.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
38+
CVE-2024-38827,spring-security-ldap-6.2.3.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
39+
CVE-2025-22228,spring-security-crypto-6.2.3.jar,HIGH,7.4,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
40+
CVE-2024-38827,spring-security-crypto-6.2.3.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
41+
CVE-2024-38829,spring-ldap-core-3.2.2.jar,LOW,3.7,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
42+
CVE-2025-31650,tomcat-embed-core-9.0.100.jar,HIGH,7.5,CVSS_3,Ignored,Java,"SonarQube only uses tomcat to transpile Jsp files, it is not vulnerable to malicious Http requests"
43+
CVE-2025-31651,tomcat-embed-core-9.0.100.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,"SonarQube only uses tomcat to transpile Jsp files, it is not vulnerable to malicious Http requests"
44+
CVE-2025-27789,runtime-7.26.7.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,"As described in CVE-2025-27789, SonarQube is not vulnerable because it is using @babel/core 7.27.10."
45+
CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,Library woodstox-core-6.2.7.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
46+
CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
47+
CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,Library okio-2.5.0.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either plugins
48+
CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
49+
WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
50+
CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,Library okhttp-4.5.0.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
51+
CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
52+
CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
53+
CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
54+
CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
55+
CVE-2020-15250,junit-4.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
56+
CVE-2023-50572,jline-3.19.0.jar,MEDIUM,5.5,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
57+
CVE-2023-6481,logback-core-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
58+
CVE-2022-36944,scala-library-2.13.6.jar,CRITICAL,9.8,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
59+
CVE-2021-29425,commons-io-2.6.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
60+
CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
61+
CVE-2021-42550,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
62+
CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
63+
WS-2019-0379,commons-codec-1.11.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
64+
CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
65+
CVE-2021-42550,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
66+
CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
67+
CVE-2023-46122,io_2.13-1.6.0.jar,LOW,3.9,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
68+
CVE-2023-6378,logback-classic-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
69+
CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
70+
CVE-2024-47554,commons-io-2.6.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"Ignoring alerts because this is a transitive dependency over the sonar-orchestrator library, which is only used for testing and is not shipped with the product."
71+
CVE-2024-12798,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
72+
CVE-2024-12801,logback-core-1.2.0.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
73+
CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
74+
CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
75+
CVE-2024-12798,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
76+
CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
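Review bot: the new file carries verbatim duplicate rows and conflicting justifications for the same CVE/library pair, so either deduplicate before merging or keep a column that records which component each row belongs to: the removed header had Project (e.g. `SonarSource/sonar-enterprise sqcb-25.4`) and the new header drops Organization, Product and Project, so a reader can no longer tell that rows were merged from several analyzers. Rows such as `CVE-2023-3635,okio-jvm-3.0.0.jar,...` and `CVE-2020-15250,junit-4.12.jar,...` appear twice with identical text, and `CVE-2023-3635,okio-2.5.0.jar` appears three times, twice with "This transitive test dependency is not shipped with the analyzers" and once with "a transitive dependency of Orchestrator ... not included in either plugins", so a consumer of the file cannot tell which rationale is the operative one. The eddsa-0.3.0.jar row has Status `Ignored` while its Comment says "The transitive dependency has been removed."; the previous version expressed that state as Status `Library removed`, and the other removed libraries (json-smart, axios, jsoup, tomcat-embed-core-10.1.34, spring-security 6.4.2) were dropped from the file rather than kept as Ignored, so one convention should be chosen. Minor: "not included in either python plugins" and "not included in either plugins" read as truncated phrases, and "the user of SonarQube . An external" has a stray space before the period.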
