From 015eb1ed5885f7618f674dbf2321871de0f761fb Mon Sep 17 00:00:00 2001 From: Alain Kermis Date: Fri, 4 Jul 2025 15:42:35 +0200 Subject: SONAR-25445 Include CVE review and treatment file for SQCB 25.7 --- .../CVE-review-and-treatment-status-sqcb.csv | 97 +++++++++------------- 1 file changed, 41 insertions(+), 56 deletions(-) (limited to 'sonar-application/src') diff --git a/sonar-application/src/main/assembly/security/CVE-review-and-treatment-status-sqcb.csv b/sonar-application/src/main/assembly/security/CVE-review-and-treatment-status-sqcb.csv index 369505b7f79..76321e10cfc 100644 --- a/sonar-application/src/main/assembly/security/CVE-review-and-treatment-status-sqcb.csv +++ b/sonar-application/src/main/assembly/security/CVE-review-and-treatment-status-sqcb.csv 
@@ -1,76 +1,61 @@ Vulnerability ID,Library,Severity,CVSS,CVSS Type,Status,Library Type,Comment -CVE-2024-21538,cross-spawn-7.0.3.tgz,HIGH,7.5,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable to the ReDoS as this package is only used during the development and testing phases. CVE-2020-36843,eddsa-0.3.0.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,The transitive dependency has been removed. -CVE-2025-27789,runtime-7.21.5.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases. -CVE-2025-27789,runtime-7.18.9.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases. -CVE-2025-27789,runtime-7.16.3.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases. -CVE-2025-27789,runtime-7.17.8.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases. -CVE-2025-27789,runtime-7.16.5.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube does not use a replace method call with named groups with untrusted strings in both the sonar-enterprise and transitive sonarqube-webapp codebases. 
-CVE-2025-27789,helpers-7.25.6.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable as it doesn't use untrusted strings in captured groups replacement -CVE-2025-27789,runtime-7.25.6.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,SonarQube is not vulnerable as it doesn't use untrusted strings in captured groups replacement -CVE-2024-43485,microsoft.codeanalysis.workspaces.msbuild.4.12.0-1.final.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,"This library is used by the TestFramework and it's not included in the product package. The CVE is registered as ""unproven"". The risk is a DDoS on the test system." +CVE-2025-49146,postgresql-42.7.6.jar,HIGH,8.2,CVSS_3,Ignored,Java,SonarQube is not vulnerable as it doesn't use channel binding set to required. +CVE-2025-41234,spring-web-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,"SonarQube is not vulnerable as it does not use ContentDisposition.Builder#filename(String, Charset)" CVE-2021-22570,google.protobuf.3.6.1.nupkg,MEDIUM,6.5,CVSS_3,Ignored,Nuget,The protobuf payload is both generated and consumed by the user of SonarQube . An external attacker would need already access to the machine to exploit this. -CVE-2018-8292,system.net.http.4.3.2.nupkg,MEDIUM,5.3,CVSS_3,Ignored,Nuget,"This library is used by the TestFramework and it's not included in the product package. The CVE is registered as ""unproven"". The risk is a DDoS on the test system." CVE-2024-38081,microsoft.io.redist.6.0.0.nupkg,HIGH,7.3,CVSS_3,Ignored,Nuget,"This dependency is only used for product unit testing and it's not included in the product package. The CVE is registered as ""unproven""." +CVE-2025-26646,microsoft.build.tasks.core.17.10.4.nupkg,HIGH,8,CVSS_3,Ignored,Nuget,This dependency is only used for product unit testing and it's not included in the product package. 
+CVE-2025-26646,microsoft.build.tasks.core.17.7.2.nupkg,HIGH,8,CVSS_3,Ignored,Nuget,This dependency is only used for product unit testing and it's not included in the product package. CVE-2024-38095,system.formats.asn1.7.0.0.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,"This dependency is only used for product unit testing and it's not included in the product package. The CVE is registered as ""unproven""." -CVE-2019-0820,system.text.regularexpressions.4.3.0.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,The product package is not vulnerable as the compiler will load the version already present on the customer host. -CVE-2021-29425,commons-io-2.6.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -WS-2019-0379,commons-codec-1.11.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2024-43485,microsoft.codeanalysis.workspaces.msbuild.4.12.0-1.final.nupkg,HIGH,7.5,CVSS_3,Ignored,Nuget,"This library is used by the TestFramework and it's not included in the product package. The CVE is registered as ""unproven"". The risk is a DDoS on the test system." 
CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2020-15250,junit-4.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2023-6378,logback-classic-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2021-42550,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2021-42550,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2023-6481,logback-core-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2024-47554,commons-io-2.6.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"Ignoring alerts because this is a transitive dependency over the sonar-orchestrator library, which is only used for testing and is not shipped with the product." 
-CVE-2024-12798,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2024-12801,logback-core-1.2.0.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins +CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,Library woodstox-core-6.2.7.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins +CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins +CVE-2024-47554,commons-io-2.7.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"This is a transitive dependency over the sonar-orchestrator library, which is only used for testing and is not shipped with the product." 
+CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2024-12798,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2024-12801,logback-core-1.3.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2024-12798,logback-core-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2024-12798,logback-classic-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2024-38827,spring-security-core-6.2.3.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar. -CVE-2024-38827,spring-security-ldap-6.2.3.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar. -CVE-2025-22228,spring-security-crypto-6.2.3.jar,HIGH,7.4,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar. -CVE-2024-38827,spring-security-crypto-6.2.3.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar. -CVE-2024-38829,spring-ldap-core-3.2.2.jar,LOW,3.7,CVSS_3,Ignored,Java,Only used in tests (java-checks-test-sources). Not packaged in the main jar. 
-CVE-2025-31650,tomcat-embed-core-9.0.100.jar,HIGH,7.5,CVSS_3,Ignored,Java,"SonarQube only uses tomcat to transpile Jsp files, it is not vulnerable to malicious Http requests" -CVE-2025-31651,tomcat-embed-core-9.0.100.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,"SonarQube only uses tomcat to transpile Jsp files, it is not vulnerable to malicious Http requests" -CVE-2025-27789,runtime-7.26.7.tgz,MEDIUM,6.2,CVSS_3,Ignored,javascript/Node.js,"As described in CVE-2025-27789, SonarQube is not vulnerable because it is using @babel/core 7.27.10." +WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins +CVE-2025-52999,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,The jackson-core-2.13.2.jar library is a transitive dependency of Orchestrator and is used only during compile and test time and is not included in the final Ruby Analyzer. +CVE-2025-48734,commons-beanutils-1.9.4.jar,HIGH,8.8,CVSS_3,Ignored,Java,commons-beanutils:commons-beanutils:1.9.4 is used only within integration tests and is not shipped in the final product +WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,Library woodstox-core-6.2.7.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins -CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,Library okio-2.5.0.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either plugins 
-CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins -WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,Library okhttp-4.5.0.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins +CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins -CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python plugins +CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,Library okio-2.5.0.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either plugins +CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,Library kotlin-stdlib-1.3.70.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins and is not included in either python 
plugins +CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2023-46122,io_2.13-1.6.0.jar,LOW,3.9,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product." +CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2022-36944,scala-library-2.13.6.jar,CRITICAL,9.8,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product." CVE-2023-3635,okio-jvm-3.0.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2020-15250,junit-4.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers CVE-2023-50572,jline-3.19.0.jar,MEDIUM,5.5,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product." -CVE-2023-6481,logback-core-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2022-36944,scala-library-2.13.6.jar,CRITICAL,9.8,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product." 
-CVE-2021-29425,commons-io-2.6.jar,MEDIUM,4.8,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers CVE-2020-29582,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2021-42550,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -WS-2019-0379,commons-codec-1.11.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers CVE-2022-24329,kotlin-stdlib-1.3.70.jar,MEDIUM,5.3,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2021-42550,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2023-0833,okhttp-4.5.0.jar,MEDIUM,4.7,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2023-46122,io_2.13-1.6.0.jar,LOW,3.9,CVSS_3,Ignored,Java,"This dependency is used by zinc that is used to build the analyzer, but it is not shipped with the product." -CVE-2023-6378,logback-classic-1.2.0.jar,HIGH,7.1,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2024-7254,protobuf-java-3.21.12.jar,HIGH,7.5,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2024-47554,commons-io-2.6.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"Ignoring alerts because this is a transitive dependency over the sonar-orchestrator library, which is only used for testing and is not shipped with the product." 
-CVE-2024-12798,logback-core-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2024-12801,logback-core-1.2.0.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2023-3635,okio-2.5.0.jar,MEDIUM,5.9,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2022-42003,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins +CVE-2022-42004,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins +CVE-2024-47554,commons-io-2.7.jar,MEDIUM,4.3,CVSS_3,Ignored,Java,"This is a transitive dependency used by the sonar-orchestrator library, which is only used for testing and is not shipped with the product." 
+CVE-2020-36518,jackson-databind-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-databind-2.13.2.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins +CVE-2022-40152,woodstox-core-6.2.7.jar,MEDIUM,6.5,CVSS_3,Ignored,Java,Library woodstox-core-6.2.7.jar is a transitive dependency of Orchestrator only used to run the integration tests of plugins +CVE-2024-12801,logback-core-1.3.12.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers CVE-2024-12798,logback-core-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2024-12798,logback-classic-1.2.0.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers -CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers \ No newline at end of file +CVE-2024-12801,logback-core-1.2.13.jar,MEDIUM,4.4,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2024-12798,logback-core-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2024-12798,logback-classic-1.2.13.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +CVE-2024-12798,logback-classic-1.3.12.jar,MEDIUM,6.6,CVSS_3,Ignored,Java,This transitive test dependency is not shipped with the analyzers +WS-2022-0468,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,Library jackson-core-2.13.2.jar is a transitive dependency of Orchestrator only and is used to run the integration tests of plugins +CVE-2025-52999,jackson-core-2.13.2.jar,HIGH,7.5,CVSS_3,Ignored,Java,The jackson-core-2.13.2.jar library is a transitive dependency of Orchestrator. This dependency is used only during compile and test time and is not included in the final scanner for Gradle product. 
\ No newline at end of file -- cgit v1.2.3
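Review bot: the added rows include duplicates and inconsistent justifications for the same CVE and library, which makes the treatment status ambiguous. `WS-2022-0468,jackson-core-2.13.2.jar` is added three times, and `CVE-2025-52999,jackson-core-2.13.2.jar` is added twice with different comments, one saying it "is not included in the final Ruby Analyzer" and the other "is not included in the final scanner for Gradle product", neither of which names the SQCB product this file documents. Suggest one row per (Vulnerability ID, Library) pair with a justification written for SonarQube itself, or, if the file is intentionally a concatenation of per-analyzer review lists, a comment column value that states which analyzer each row applies to so the duplicates are explainable. Minor: the file still ends without a trailing newline, which will keep producing the `\ No newline at end of file` marker on every future diff.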