NO-JIRA Release SonarQube Community Build 25.10

Lukasz Jarocki 2025-10-03 08:27:08 +02:00 committed by sonartech
parent ff0363f7c7
commit 77cb88192f
1 changed files with 51 additions and 66 deletions

@ -1,66 +1,51 @@
Vulnerability ID,Library,Severity,CVSS,CVSS Type,Status,Library Type,Reason
CVE-2025-48924,commons-lang-2.6.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,SonarQube is not vulnerable because we do not use `ClassUtils.getClass()` method
CVE-2025-7969,markdown-it-14.1.0.tgz,LOW,0,CVSS_3,Ignored,javascript/Node.js,"SonarQube is not vulnerable to this issue as markdown-it is only used internally by eslint, no user input can be provided and no output is generated."
CVE-2025-26646,microsoft.build.tasks.core.17.7.2.nupkg,HIGH,8,CVSS_3,Ignored,Nuget,This transitive library is only used to compile test code samples
CVE-2025-26646,microsoft.build.tasks.core.17.13.9.nupkg,HIGH,8,CVSS_3,Ignored,Nuget,This transitive library is only used to compile test code samples
CVE-2024-38095,system.formats.asn1.7.0.0.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,This transitive library is only used to compile test code samples
CVE-2019-0820,system.text.regularexpressions.4.3.0.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,SonarQube is not vulnerable as the compiler will load the version already present on the user machine
CVE-2021-22570,google.protobuf.3.6.1.nupkg,MEDIUM,6.5,CVSS_3,Ignored,Nuget,The protobuf payload is both generated and consumed by the user of SonarQube . An external attacker would need already access to the machine to exploit this.
CVE-2018-8292,system.net.http.4.3.2.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,"SonarQube is not vulnerable as we are referencing an unaffected version. This vulnerability is caused by the TestFramework SDK and, therefore, only used for testing. "
CVE-2024-38095,system.formats.asn1.5.0.0.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,This transitive library is only used to compile test code samples
CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-47554,commons-io-2.7.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12801,logback-core-1.3.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12798,logback-core-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12798,logback-classic-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2025-52999,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,The jackson-core-2.13.2.jar library is a transitive dependency of Orchestrator and is used only during compile and test time and is not included in the final Ruby Analyzer.
CVE-2025-48734,commons-beanutils-1.9.4.jar,HIGH,8.8,CVSS_3,Ignored,Java,SonarQube is not vulnerable because the library is used only within integration test code samples. This dependency is not included in the final Java Analyzer.
CVE-2025-52434,tomcat-embed-core-9.0.106.jar,HIGH,7.5,CVSS_3,Ignored,Java,"SonarQube is not vulnerable because the library is used only to transpile JSP files. This dependency is included in the final Java Analyzer, but not as a web server to respond to http requests."
CVE-2025-52520,tomcat-embed-core-9.0.106.jar,HIGH,7.5,CVSS_3,Ignored,Java,"SonarQube is not vulnerable because the library is used only to transpile JSP files. This dependency is included in the final Java Analyzer, but not as a web server to respond to http requests."
CVE-2025-53506,tomcat-embed-core-9.0.106.jar,HIGH,7.5,CVSS_3,Ignored,Java,"SonarQube is not vulnerable because the library is used only to transpile JSP files. This dependency is included in the final Java Analyzer, but not as a web server to respond to http requests."
WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive dependencies only used during tests and is not shipped with the product
CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive dependencies only used during tests and is not shipped with the product
CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive dependencies only used during tests and is not shipped with the product
CVE-2025-48924,commons-lang-2.6.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive dependencies only used during tests and is not shipped with the product
CVE-2025-52999,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive dependencies only used during tests and is not shipped with the product
CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive dependencies only used during tests and is not shipped with the product
CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,This transitive dependencies only used during tests and is not shipped with the product
CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive dependencies only used during tests and is not shipped with the product
CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive dependencies only used during tests and is not shipped with the product
CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive dependencies only used during tests and is not shipped with the product
CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-46122,io_2.13-1.6.0.jar,LOW,3.9,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2022-36944,scala-library-2.13.6.jar,CRITICAL,9.8,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers
CVE-2023-50572,jline-3.19.0.jar,MEDIUM,5.5,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product."
CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-47554,commons-io-2.7.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12801,logback-core-1.3.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12798,logback-core-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12798,logback-classic-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2025-52999,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,The jackson-core-2.13.2.jar library is a transitive dependency of Orchestrator and is used only during compile and test time and is not included in the final scanner for Gradle product.
Vulnerability ID,Library,Library Type,CVSS,Status,Comments
CVE-2020-7598,minimist@1.2.0,JavaScript,5.6,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2021-3807,ansi-regex@3.0.0,JavaScript,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2021-3807,ansi-regex@5.0.0,JavaScript,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2021-3807,ansi-regex@2.1.1,JavaScript,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2021-44906,minimist@1.2.0,JavaScript,9.8,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2022-0155,follow-redirects@1.7.0,JavaScript,6.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2022-25881,http-cache-semantics@4.1.0,JavaScript,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2022-25883,semver@6.2.0,JavaScript,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2022-25883,semver@6.3.0,JavaScript,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2022-25883,semver@7.3.8,JavaScript,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2022-25883,semver@7.3.5,JavaScript,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2023-26136,tough-cookie@4.1.2,JavaScript,9.8,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2023-33201,bcpkix-jdk15on@1.70,Java,5.3,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2023-33201,bcprov-jdk15on@1.70,Java,5.3,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2023-33202,bcprov-jdk15on@1.70,Java,5.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2023-42282,ip@1.1.5,JavaScript,9.8,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2023-44270,postcss@8.4.24,JavaScript,5.3,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-28863,tar@6.1.11,JavaScript,6.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-29025,netty-codec-http@4.1.94.Final,Java,5.3,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-29415,ip@1.1.5,JavaScript,8.1,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-29857,bcprov-jdk15on@1.70,Java,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-30171,bcprov-jdk15on@1.70,Java,5.9,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-30172,bcprov-jdk15on@1.70,Java,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-37890,ws@8.11.0,JavaScript,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-4067,micromatch@4.0.4,JavaScript,5.3,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-4068,braces@3.0.2,JavaScript,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-45296,path-to-regexp@0.1.7,JavaScript,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-47535,netty-common@4.1.94.Final,Java,5.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-52798,path-to-regexp@0.1.7,JavaScript,7.7,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-55565,nanoid@3.3.6,JavaScript,4.3,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-55565,nanoid@3.3.7,JavaScript,4.3,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2024-57699,json-smart@2.5.0,Java,7.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2025-11226,logback-core@1.5.18,Java,,SAFE,SonarQube is not vulnerable because it requires privilege to modify a configuration parameter that is not exposed by SonarQube.
CVE-2025-22235,spring-boot@3.4.4,Java,7.3,SAFE,SonarQube is not vulnerable because it does not use the EndpointRequest.to() method
CVE-2025-24970,netty-handler@4.1.94.Final,Java,7.5,SAFE,"SonarQube is not vulnerable because the configuration controls do not permit the specific packet crafting required for exploitation."
CVE-2025-25193,netty-common@4.1.94.Final,Java,5.5,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2025-41248,spring-security-core@6.5.3,Java,7.5,SAFE,SonarQube is not vulnerable because it does not use @EnableMethodSecurity
CVE-2025-41249,spring-core@6.2.10,Java,7.5,SAFE,SonarQube is not vulnerable because it does not use @EnableMethodSecurity
CVE-2025-48050,dompurify@3.2.4,JavaScript,,SAFE,SonarQube is not vulnerable because this CVE affects a development-only script that is not used.
CVE-2025-48924,commons-lang@2.6,Java,6.5,SAFE,SonarQube is not vulnerable because it does not use `ClassUtils.getClass()` method
CVE-2025-53864,nimbus-jose-jwt@9.40,Java,5.8,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2025-58056,netty-codec-http@4.2.4.Final,Java,8.2,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2025-58056,netty-codec-http@4.2.2.Final,Java,8.2,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2025-58056,netty-codec-http@4.1.94.Final,Java,8.2,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2025-58057,netty-codec@4.1.94.Final,Java,6.9,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2025-58057,netty-codec-compression@4.2.4.Final,Java,6.9,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2025-58754,axios@1.11.0,JavaScript,7.5,SAFE,SonarQube is not vulerable because it does not use axios in a Node.js process
CVE-2025-59436,ip@1.1.5,JavaScript,,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2025-59437,ip@1.1.5,JavaScript,,SAFE,This transitive dependencies only used during tests and is not shipped with the product
CVE-2025-8916,bcpkix-jdk15on@1.70,Java,6.3,SAFE,This transitive dependencies only used during tests and is not shipped with the product
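Review bot: four of the added rows have an empty CVSS cell (CVE-2025-11226 on logback-core@1.5.18, CVE-2025-48050 on dompurify@3.2.4, CVE-2025-59436 and CVE-2025-59437 on ip@1.1.5), and because the new header also drops the Severity and CVSS Type columns those entries now carry no severity signal at all; either fill in a score or keep a Severity column so the list can be triaged without looking each ID up. The header change itself (Reason becomes Comments, Severity and CVSS Type are removed, library names move from `commons-lang-2.6.jar` to `commons-lang@2.6`) is a schema break for anything that parses this file by column name and deserves a mention in the commit message. The score for CVE-2025-48924 on commons-lang goes from 5.3 in the removed row to 6.5 in the added row with the same justification text, so please confirm which source the new value comes from. Minor: `SonarQube is not vulerable because it does not use axios in a Node.js process` has a typo (vulnerable), and the comment reused on most rows, `This transitive dependencies only used during tests and is not shipped with the product`, should read `This transitive dependency is only used during tests and is not shipped with the product`.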
50 CVE-2023-50572 CVE-2025-59437 jline-3.19.0.jar ip@1.1.5 MEDIUM Java JavaScript 5.5 CVSS_3 Ignored SAFE This transitive dependencies only used during tests and is not shipped with the product This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product.
51 CVE-2020-29582 CVE-2025-8916 kotlin-stdlib-1.3.70.jar bcpkix-jdk15on@1.70 MEDIUM Java 5.3 6.3 CVSS_3 Ignored SAFE This transitive dependencies only used during tests and is not shipped with the product This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2022-24329 kotlin-stdlib-1.3.70.jar MEDIUM Java 5.3 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2023-3635 okio-2.5.0.jar MEDIUM Java 5.9 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2022-42003 jackson-databind-2.13.2.jar HIGH Java 7.5 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2022-42004 jackson-databind-2.13.2.jar HIGH Java 7.5 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-47554 commons-io-2.7.jar MEDIUM Java 4.3 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2020-36518 jackson-databind-2.13.2.jar HIGH Java 7.5 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2022-40152 woodstox-core-6.2.7.jar MEDIUM Java 6.5 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12801 logback-core-1.3.12.jar MEDIUM Java 4.4 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12798 logback-core-1.2.13.jar MEDIUM Java 6.6 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12801 logback-core-1.2.13.jar MEDIUM Java 4.4 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12798 logback-core-1.3.12.jar MEDIUM Java 6.6 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12798 logback-classic-1.2.13.jar MEDIUM Java 6.6 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2024-12798 logback-classic-1.3.12.jar MEDIUM Java 6.6 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
WS-2022-0468 jackson-core-2.13.2.jar HIGH Java 7.5 CVSS_3 Ignored This transitive library is only used to compile test code samples and is not shipped with the analyzer.
CVE-2025-52999 jackson-core-2.13.2.jar HIGH Java 7.5 CVSS_3 Ignored The jackson-core-2.13.2.jar library is a transitive dependency of Orchestrator and is used only during compile and test time and is not included in the final scanner for Gradle product.
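Review bot: the justification text on most of the added rows is ungrammatical and copied verbatim; "This transitive dependencies only used during tests and is not shipped with the product" should read "This transitive dependency is only used during tests and is not shipped with the product" (rows for netty-common@4.1.94.Final, nimbus-jose-jwt@9.40, the netty-codec-http rows, ip@1.1.5 and bcpkix-jdk15on@1.70), and the axios@1.11.0 row (CVE-2025-58754) has the typo "vulerable". The netty-handler@4.1.94.Final row (CVE-2025-24970) gives "the configuration controls do not permit the specific packet crafting required for exploitation" as its reason; that is too vague to re-verify on the next upgrade, so please name the concrete setting or feature that makes the vulnerable path unreachable, as the commons-lang@2.6 row does with `ClassUtils.getClass()`. Also worth a comment: CVE-2025-58056 is listed for netty-codec-http at three versions (4.1.94.Final, 4.2.2.Final, 4.2.4.Final) alongside netty-codec and netty-handler at 4.1.94.Final; either align the test dependency tree on one Netty version or note in the reason why the three coexist, so the exemption does not silently outlive a version bump.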