SonarQube Image Affected by log4j CVE-2021-44228 (Log4Shell)
While performing security scans on images that support Big Bang, we noticed that the SonarQube image used by this add-on package is still affected by Log4Shell (CVE-2021-44228). Another version of the same SonarQube image in Iron Bank was patched in January 2022, but this one has not been updated since September 2021.
Is there a plan in place to update the big bang version of the sonarqube image?
Can the general ironbank version be used in its place or are there required big-bang-specific customizations in the big bang version?
Big bang sonarqube image:
- registry1.dso.mil/ironbank/big-bang/sonarqube:8.9-community
- updated 2021-09-16
- Contains CVE-2021-44228 and the related CVE-2021-45046
General ironbank sonarqube image:
- registry1.dso.mil/ironbank/sonarsource/sonarqube/sonarqube8-community:8.9-community
- updated 2022-01-22
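The following is an added example, not part of the issue above and not code from the Big Bang or Iron Bank projects, showing how to independently confirm a finding like the one reported: it walks an exported image filesystem, identifies every `log4j-core` jar by its Maven `pom.properties`, maps the version to CVE-2021-44228 / CVE-2021-45046 using the fixed versions from the Apache advisories (2.15.0 and 2.16.0, with the 2.12.2+ and 2.3.1+ backport branches treated as patched), and reports whether `JndiLookup.class` is still present. The export commands in the docstring, the `/tmp/sq-rootfs` path and the `make_fake_log4j_core` sample jar are assumptions made for the example.

```python
"""Offline check for Log4Shell-era log4j-core versions in an exported image filesystem.

Added example, not part of the original issue or of the Big Bang / Iron Bank projects.
Assumes the image has been exported to a directory (paths are assumptions), e.g.
    docker create --name sq registry1.dso.mil/ironbank/big-bang/sonarqube:8.9-community
    mkdir -p /tmp/sq-rootfs && docker export sq | tar -x -C /tmp/sq-rootfs
and then scan_tree("/tmp/sq-rootfs") is run over it.
"""
import io
import os
import re
import zipfile

POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Pre-release tags are
    dropped because the affected ranges start at 2.0-beta9 anyway."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable log4j version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def _in_patched_backport_branch(v):
    # 2.12.2+ (Java 7 line) and 2.3.1+ (Java 6 line) were patched for both CVEs.
    return (2, 12, 2) <= v < (2, 13, 0) or (2, 3, 1) <= v < (2, 4, 0)


def cves_for_version(v):
    """CVEs affecting a log4j-core version tuple (Apache advisories:
    CVE-2021-44228 fixed in 2.15.0, CVE-2021-45046 fixed in 2.16.0).
    log4j 1.x is not affected by these two CVEs and returns []."""
    if v < (2, 0, 0) or _in_patched_backport_branch(v):
        return []
    cves = []
    if v < (2, 15, 0):
        cves.append("CVE-2021-44228")
    if v < (2, 16, 0):
        cves.append("CVE-2021-45046")
    return cves


def scan_jar_bytes(data):
    """Inspect one jar given as bytes. Returns None if it is not log4j-core,
    otherwise the version, the CVEs it is exposed to, and whether the
    JndiLookup class (the usual 'class removal' mitigation target) is present."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        pom = next((n for n in names if POM_RE.search(n)), None)
        if pom is None:
            return None
        props = {}
        for line in zf.read(pom).decode().splitlines():
            if "=" in line and not line.startswith("#"):
                k, val = line.split("=", 1)
                props[k.strip()] = val.strip()
        return {
            "version": props["version"],
            "cves": cves_for_version(parse_version(props["version"])),
            "jndi_lookup_present": JNDI_LOOKUP in names,
        }


def scan_tree(root):
    """Walk an exported image filesystem and report every log4j-core jar found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    result = scan_jar_bytes(fh.read())
            except (zipfile.BadZipFile, OSError, ValueError, KeyError):
                continue  # not a readable jar, or a malformed pom.properties
            if result:
                result["path"] = path
                findings.append(result)
    return findings


def make_fake_log4j_core(version, keep_jndi=True):
    """Constructed sample input (not a real artifact): a minimal jar whose
    Maven metadata looks like log4j-core at the given version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            f"#generated\ngroupId=org.apache.logging.log4j\n"
            f"artifactId=log4j-core\nversion={version}\n",
        )
        if keep_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.11.1", "2.12.2", "2.15.0", "2.17.1"):
        print(ver, scan_jar_bytes(make_fake_log4j_core(ver)))
```

Only top-level jars are inspected; SonarQube ships plugins as jars and some products bundle log4j inside other jars or WAR files, so for a real image the scan would need to recurse into nested archives as well. A scanner that only matches on version strings also cannot tell whether the `JndiLookup.class` removal mitigation was applied, which is why the class presence is reported separately.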