SonarSource / docker-sonarqube

:whale: SonarQube in Docker
https://hub.docker.com/_/sonarqube/
GNU Lesser General Public License v3.0

Critical vulnerabilities with packages org.yaml/snakeyaml v1.33 and org.apache.sshd/sshd-common v2.8.0 #620

Closed grantg22 closed 1 year ago

grantg22 commented 1 year ago

Upon downloading the lts and latest Docker images, there are currently two critical vulnerabilities in both, relating to the packages org.yaml/snakeyaml version 1.33 and org.apache.sshd/sshd-common version 2.8.0.

It looks as if this issue can be resolved by updating the packages to the following versions if possible:

org.yaml/snakeyaml -> version 2.0
org.apache.sshd/sshd-common -> version 2.9.2

The Docker Image Vulnerability Database can be referenced at the links below.

sonarqube:lts
sonarqube:latest
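As an added example (not part of this issue or of the project's own tooling), a small Python check that scans the jar file names in a SonarQube lib directory and flags the two artifacts named above when their version is below the fixed versions stated in the report. The lib path and the sample jar names are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Minimum fixed versions taken from the issue text (Maven artifactId -> version).
MIN_FIXED: Dict[str, str] = {"snakeyaml": "2.0", "sshd-common": "2.9.2"}

# Maven-style jar name: <artifactId>-<numeric version>[-classifier|.qualifier].jar
JAR_RE = re.compile(
    r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*)(?:[.-][A-Za-z0-9.]+)?\.jar$"
)


def parse_jar(name: str) -> Optional[Tuple[str, str]]:
    """Split 'sshd-common-2.8.0.jar' into ('sshd-common', '2.8.0'); None if unparseable."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def is_below(found: str, minimum: str) -> bool:
    """Numeric, zero-padded comparison so '2.0' and '2.0.0' compare equal."""
    a = [int(p) for p in found.split(".")]
    b = [int(p) for p in minimum.split(".")]
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


def check_jars(names: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, found_version, minimum_fixed) for each jar still below the fix."""
    findings = []
    for name in names:
        parsed = parse_jar(name)
        if parsed is None:
            continue  # not a Maven-style jar name; nothing to compare
        artifact, version = parsed
        minimum = MIN_FIXED.get(artifact)
        if minimum and is_below(version, minimum):
            findings.append((artifact, version, minimum))
    return findings


def check_dir(lib_dir: str) -> List[Tuple[str, str, str]]:
    """Scan a directory such as the image's lib folder (path is an assumption)."""
    return check_jars(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed sample listing; sshd-core and guava are present only as non-matching noise.
SAMPLE_JARS = ["snakeyaml-1.33.jar", "sshd-common-2.8.0.jar",
               "sshd-core-2.8.0.jar", "snakeyaml-2.0.jar", "guava-31.1-jre.jar"]

if __name__ == "__main__":
    for artifact, found, minimum in check_jars(SAMPLE_JARS):
        print(f"{artifact} {found} is below fixed version {minimum}")
```

Point `check_dir` at the lib directory of a running container (for example via `docker exec`) to test a real image instead of the constructed list.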

jCOTINEAU commented 1 year ago

Hello @grantg22, thanks a lot for taking the time to participate in the community.

Those vulnerabilities come from the SonarQube dependencies and not from the Dockerfile system setup on top of them.

The SonarQube team monitors and updates those kinds of vulnerabilities. If this is still relevant and has not been fixed in the latest SonarQube version, please open a thread directly on the community forum.

Based on that, I will close this issue.

Thanks a lot again.