SONAR-25445 Include CVE review and treatment file for SQCB 25.7

This commit is contained in:
Alain Kermis 2025-07-04 15:42:35 +02:00 committed by sonartech
parent b7f97e92f2
commit 015eb1ed58
1 changed files with 45 additions and 60 deletions


@ -1,76 +1,61 @@
Vulnerability ID,Library,Severity,CVSS,CVSS Type,Status,Library Type,Comment
CVE-2024-21538,cross-spawn-7.0.3.tgz,HIGH,7.5,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable to the ReDoS as this package is only used during the development and testing phases.
CVE-2020-36843,eddsa-0.3.0.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,The transitive dependency has been removed.
CVE-2025-27789,runtime-7.21.5.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
CVE-2025-27789,runtime-7.18.9.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
CVE-2025-27789,runtime-7.16.3.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
CVE-2025-27789,runtime-7.17.8.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
CVE-2025-27789,runtime-7.16.5.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases.
CVE-2025-27789,helpers-7.25.6.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable as it doesn't use untrusted strings in captured groups replacement
CVE-2025-27789,runtime-7.25.6.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable as it doesn't use untrusted strings in captured groups replacement
CVE-2024-43485,microsoft.codeanalysis.workspaces.msbuild.4.12.0-1.final.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,"This library is used by the TestFramework and it's not included in the product package. The CVE is registered as ""unproven"". The risk is a DDoS on the test system."
CVE-2025-49146,postgresql-42.7.6.jar,HIGH,8.2,CVSS_3,Ignored,Java,SonarQube is not vulnerable as it doesn't use channel binding set to required.
CVE-2025-41234,spring-web-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,"SonarQube is not vulnerable as it does not use ContentDisposition.Builder#filename(String, Charset)"
CVE-2021-22570,google.protobuf.3.6.1.nupkg,MEDIUM,6.5,CVSS_3,Ignored,Nuget,The protobuf payload is both generated and consumed by the user of SonarQube . An external attacker would need already access to the machine to exploit this.
CVE-2018-8292,system.net.http.4.3.2.nupkg,MEDIUM,5.3,CVSS_3,Ignored,Nuget,"This library is used by the TestFramework and it's not included in the product package. The CVE is registered as ""unproven"". The risk is a DDoS on the test system."
CVE-2024-38081,microsoft.io.redist.6.0.0.nupkg,HIGH,7.3,CVSS_3,Ignored,Nuget,"This dependency is only used for product unit testing and it's not included in the product package. The CVE is registered as ""unproven""."
CVE-2025-26646,microsoft.build.tasks.core.17.10.4.nupkg,HIGH,8,CVSS_3,Ignored,Nuget,This dependency is only used for product unit testing and it's not included in the product package.
CVE-2025-26646,microsoft.build.tasks.core.17.7.2.nupkg,HIGH,8,CVSS_3,Ignored,Nuget,This dependency is only used for product unit testing and it's not included in the product package.
CVE-2024-38095,system.formats.asn1.7.0.0.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,"This dependency is only used for product unit testing and it's not included in the product package. The CVE is registered as ""unproven""."
CVE-2019-0820,system.text.regularexpressions.4.3.0.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,The product package is not vulnerable as the compiler will load the version already present on the customer host.
CVE-2021-29425,commons-io-2.6.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
WS-2019-0379,commons-codec-1.11.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-43485,microsoft.codeanalysis.workspaces.msbuild.4.12.0-1.final.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,"This library is used by the TestFramework and it's not included in the product package. The CVE is registered as ""unproven"". The risk is a DDoS on the test system."
CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2020-15250,junit-4.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-6378,logback-classic-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2021-42550,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2021-42550,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-6481,logback-core-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-47554,commons-io-2.6.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"Ignoring alerts because this is a transitive dependency over the sonar-orchestrator library, which is only used for testing and is not shipped with the product."
CVE-2024-12798,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12801,logback-core-1.2.0.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,Library woodstox-core-6.2.7.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2024-47554,commons-io-2.7.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"This is a transitive dependency over the sonar-orchestrator library, which is only used for testing and is not shipped with the product."
CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12798,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12801,logback-core-1.3.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12798,logback-core-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12798,logback-classic-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-38827,spring-security-core-6.2.3.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
CVE-2024-38827,spring-security-ldap-6.2.3.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
CVE-2025-22228,spring-security-crypto-6.2.3.jar,HIGH,7.4,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
CVE-2024-38827,spring-security-crypto-6.2.3.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
CVE-2024-38829,spring-ldap-core-3.2.2.jar,LOW,3.7,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar.
CVE-2025-31650,tomcat-embed-core-9.0.100.jar,HIGH,7.5,CVSS_3,Ignored,Java,"SonarQube only uses tomcat to transpile Jsp files, it is not vulnerable to malicious Http requests"
CVE-2025-31651,tomcat-embed-core-9.0.100.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,"SonarQube only uses tomcat to transpile Jsp files, it is not vulnerable to malicious Http requests"
CVE-2025-27789,runtime-7.26.7.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,"As described in CVE-2025-27789, SonarQube is not vulnerable because it is using @babel/core 7.27.10."
WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2025-52999,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,The jackson-core-2.13.2.jar library is a transitive dependency of Orchestrator and is used only during compile and test time and is not included in the final Ruby Analyzer.
CVE-2025-48734,commons-beanutils-1.9.4.jar,HIGH,8.8,CVSS_3,Ignored,Java,commons-beanutils:commons-beanutils:1.9.4 is used only within integration tests and is not shipped in the final product
WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,Library woodstox-core-6.2.7.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,Library okio-2.5.0.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either plugins
CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,Library okhttp-4.5.0.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2020-15250,junit-4.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-50572,jline-3.19.0.jar,MEDIUM,5.5,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
CVE-2023-6481,logback-core-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2022-36944,scala-library-2.13.6.jar,CRITICAL,9.8,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
CVE-2021-29425,commons-io-2.6.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2021-42550,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
WS-2019-0379,commons-codec-1.11.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2021-42550,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-46122,io_2.13-1.6.0.jar,LOW,3.9,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
CVE-2023-6378,logback-classic-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,Library okio-2.5.0.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either plugins
CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins
CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-47554,commons-io-2.6.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"Ignoring alerts because this is a transitive dependency over the sonar-orchestrator library, which is only used for testing and is not shipped with the product."
CVE-2024-12798,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12801,logback-core-1.2.0.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-46122,io_2.13-1.6.0.jar,LOW,3.9,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2022-36944,scala-library-2.13.6.jar,CRITICAL,9.8,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-50572,jline-3.19.0.jar,MEDIUM,5.5,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2024-47554,commons-io-2.7.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"This is a transitive dependency used by the sonar-orchestrator library, which is only used for testing and is not shipped with the product."
CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,Library woodstox-core-6.2.7.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
CVE-2024-12801,logback-core-1.3.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12798,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12798,logback-core-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2024-12798,logback-classic-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only and is used to run the integration tests of plugins
CVE-2025-52999,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,The jackson-core-2.13.2.jar library is a transitive dependency of Orchestrator. This dependency is used only during compile and test time and is not included in the final scanner for Gradle product.
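Review bot: the hunk leaves the file without any column saying which bundled component each justification belongs to, so the same (CVE, library) pair now appears several times with rationales that conflict and cannot be traced: CVE-2023-3635 on okio-2.5.0.jar is "This transitive test dependency is not shipped with the analyzers" in one row and "a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either plugins" in another, and the two CVE-2025-52999 rows for jackson-core-2.13.2.jar argue about "the final Ruby Analyzer" and "the final scanner for Gradle product" rather than about SonarQube Community Build. Add a component (or source file) column, or prefix each comment with the component name, so a reviewer can check every exclusion against the artifact that actually ships and so exact-duplicate rows (for example the repeated CVE-2024-47554 commons-io rows) can be deduplicated safely. Two rationales also need tightening before they are accepted: the CVE-2025-27789 row for runtime-7.26.7.tgz justifies the exclusion with the version of a different package ("it is using @babel/core 7.27.10") while every other CVE-2025-27789 row argues that no untrusted string reaches a replace call with named groups, so the file should give one consistent reason per CVE or say why the flagged package is unreachable; and the "only used in development and testing" rows (two of which state outright that "The risk is a DDoS on the test system") accept exposure of the build and test environment, so the file should record that the CI environment is out of scope for this review, or carry a tracking reference for upgrading those test dependencies.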
CVE-2020-15250 junit-4.12.jar MEDIUM 4.4 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
CVE-2023-50572 jline-3.19.0.jar MEDIUM 5.5 CVSS_3 Ignored Java This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product.
CVE-2023-6481 logback-core-1.2.0.jar HIGH 7.1 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
CVE-2022-36944 scala-library-2.13.6.jar CRITICAL 9.8 CVSS_3 Ignored Java This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product.
CVE-2021-29425 commons-io-2.6.jar MEDIUM 4.8 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
CVE-2020-29582 kotlin-stdlib-1.3.70.jar MEDIUM 5.3 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
CVE-2021-42550 logback-classic-1.2.0.jar MEDIUM 6.6 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
CVE-2023-3635 okio-2.5.0.jar MEDIUM 5.9 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
WS-2019-0379 commons-codec-1.11.jar MEDIUM 6.5 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
CVE-2022-24329 kotlin-stdlib-1.3.70.jar MEDIUM 5.3 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
CVE-2021-42550 logback-core-1.2.0.jar MEDIUM 6.6 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
CVE-2023-0833 okhttp-4.5.0.jar MEDIUM 4.7 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
CVE-2023-46122 io_2.13-1.6.0.jar LOW 3.9 CVSS_3 Ignored Java This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product.
CVE-2023-6378 logback-classic-1.2.0.jar HIGH 7.1 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
40 CVE-2024-7254 protobuf-java-3.21.12.jar HIGH 7.5 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
41 CVE-2024-47554 CVE-2023-46122 commons-io-2.6.jar io_2.13-1.6.0.jar MEDIUM LOW 4.3 3.9 CVSS_3 Ignored Java Ignoring alerts because this is a transitive dependency over the sonar-orchestrator library, which is only used for testing and is not shipped with the product. This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product.
42 CVE-2024-12798 CVE-2023-0833 logback-core-1.2.0.jar okhttp-4.5.0.jar MEDIUM 6.6 4.7 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
43 CVE-2024-12801 CVE-2022-36944 logback-core-1.2.0.jar scala-library-2.13.6.jar MEDIUM CRITICAL 4.4 9.8 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product.
44 CVE-2024-12801 CVE-2023-3635 logback-core-1.2.13.jar okio-jvm-3.0.0.jar MEDIUM 4.4 5.9 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
45 CVE-2023-50572 jline-3.19.0.jar MEDIUM 5.5 CVSS_3 Ignored Java This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product.
46 CVE-2020-29582 kotlin-stdlib-1.3.70.jar MEDIUM 5.3 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
47 CVE-2022-24329 kotlin-stdlib-1.3.70.jar MEDIUM 5.3 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
48 CVE-2023-3635 okio-2.5.0.jar MEDIUM 5.9 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
49 CVE-2022-42003 jackson-databind-2.13.2.jar HIGH 7.5 CVSS_3 Ignored Java Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
50 CVE-2022-42004 jackson-databind-2.13.2.jar HIGH 7.5 CVSS_3 Ignored Java Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
51 CVE-2024-47554 commons-io-2.7.jar MEDIUM 4.3 CVSS_3 Ignored Java This is a transitive dependency used by the sonar-orchestrator library, which is only used for testing and is not shipped with the product.
52 CVE-2020-36518 jackson-databind-2.13.2.jar HIGH 7.5 CVSS_3 Ignored Java Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
53 CVE-2022-40152 woodstox-core-6.2.7.jar MEDIUM 6.5 CVSS_3 Ignored Java Library woodstox-core-6.2.7.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins
54 CVE-2024-12801 logback-core-1.3.12.jar MEDIUM 4.4 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
55 CVE-2024-12798 logback-core-1.2.13.jar MEDIUM 6.6 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
56 CVE-2024-12798 CVE-2024-12801 logback-classic-1.2.0.jar logback-core-1.2.13.jar MEDIUM 6.6 4.4 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
57 CVE-2024-12798 logback-classic-1.2.13.jar logback-core-1.3.12.jar MEDIUM 6.6 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
58 CVE-2024-12798 logback-classic-1.2.13.jar MEDIUM 6.6 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
59 CVE-2024-12798 logback-classic-1.3.12.jar MEDIUM 6.6 CVSS_3 Ignored Java This transitive test dependency is not shipped with the analyzers
60 WS-2022-0468 jackson-core-2.13.2.jar HIGH 7.5 CVSS_3 Ignored Java Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only and is used to run the integration tests of plugins
61 CVE-2025-52999 jackson-core-2.13.2.jar HIGH 7.5 CVSS_3 Ignored Java The jackson-core-2.13.2.jar library is a transitive dependency of Orchestrator. This dependency is used only during compile and test time and is not included in the final scanner for Gradle product.
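Review bot: The treatment for CVE-2025-27789 on runtime-7.26.7.tgz justifies the Ignored status by the version of a different package (@babel/core 7.27.10) rather than the flagged @babel/runtime artifact; the comment should state which package's version actually governs the generated named-group replace polyfill so the justification can be checked against the lockfile. Several other comments carry product names from other repositories into what is a SQCB 25.7 review file ("is not included in the final Ruby Analyzer" on the CVE-2025-52999/jackson-core-2.13.2.jar row, "is not included in the final scanner for Gradle product" on the last jackson-core-2.13.2.jar row, "not included in either python plugins" on the kotlin-stdlib-1.3.70.jar and okhttp-4.5.0.jar rows); either reword them for this product or add a component column so each treatment names what it was verified against. The file also repeats identical vulnerability/library pairs with only the wording of the justification differing (CVE-2020-29582 and CVE-2022-24329 on kotlin-stdlib-1.3.70.jar, CVE-2023-3635 on okio-2.5.0.jar, CVE-2023-0833 on okhttp-4.5.0.jar), which makes the review harder to audit; one row per pair with a single agreed justification, or the component column above, would resolve that. Finally, each "not shipped" justification should cite the dependency scope (for example the test-only configuration) or the artifact check used to confirm it, since the row is the only evidence the Ignored status rests on.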