UNCLASSIFIED - NO CUI

chore(findings): sonarsource/sonar-scanner-cli

Summary

sonarsource/sonar-scanner-cli has 149 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=sonarsource/sonar-scanner-cli&tag=11.5&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

id source severity package impact workaround epss_score kev
CVE-2023-2650 Anchore CVE Medium openssl-1:1.1.1k-14.el8_6 0.91970 false
CVE-2019-6110 Twistlock CVE Medium openssh-8.0p1-26.el8_10 0.45173 false
CVE-2019-6110 Anchore CVE Medium openssh-8.0p1-26.el8_10 0.45173 false
CVE-2019-6110 Anchore CVE Medium openssh-clients-8.0p1-26.el8_10 0.45173 false
CVE-2020-19188 Anchore CVE Low ncurses-6.1-10.20180224.el8 0.07292 false
CVE-2023-26136 Twistlock CVE Medium tough-cookie-2.5.0 0.06872 false
CVE-2020-19187 Anchore CVE Low ncurses-6.1-10.20180224.el8 0.04825 false
CVE-2020-19186 Anchore CVE Low ncurses-6.1-10.20180224.el8 0.04825 false
CVE-2020-19185 Anchore CVE Low ncurses-6.1-10.20180224.el8 0.04825 false
CVE-2020-19190 Anchore CVE Low ncurses-6.1-10.20180224.el8 0.04818 false
CVE-2024-29415 Twistlock CVE High ip-1.1.5 0.04030 false
CVE-2020-10543 Twistlock CVE Medium perl-0:5.26.3-423.el8_10 0.03944 false
CVE-2020-19189 Anchore CVE Low ncurses-6.1-10.20180224.el8 0.02546 false
CVE-2024-2511 Anchore CVE Low openssl-1:1.1.1k-14.el8_6 0.02173 false
CVE-2023-30589 Twistlock CVE Medium nodejs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.01916 false
CVE-2023-30589 Anchore CVE Medium nodejs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.01916 false
CVE-2023-30589 Anchore CVE Medium npm-1:6.14.18-1.14.21.3.1.module+el8.7.0+18531+81d21ca6 0.01916 false
CVE-2023-30589 Anchore CVE Medium nodejs-full-i18n-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.01916 false
CVE-2023-30589 Anchore CVE Medium nodejs-docs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.01916 false
CVE-2018-15919 Twistlock CVE Medium openssh-8.0p1-26.el8_10 0.01227 false
CVE-2018-15919 Anchore CVE Medium openssh-clients-8.0p1-26.el8_10 0.01227 false
CVE-2018-15919 Anchore CVE Medium openssh-8.0p1-26.el8_10 0.01227 false
CVE-2025-0938 Twistlock CVE Medium python3x-setuptools-50.3.2-7.module+el8.10.0+23406+03055bfb 0.01154 false
CVE-2025-0938 Twistlock CVE Medium python3x-pip-20.2.4-9.module+el8.10.0+21329+8d76b841 0.01154 false
CVE-2025-0938 Twistlock CVE Medium python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.01154 false
CVE-2025-0938 Anchore CVE Medium python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.01154 false
CVE-2025-0938 Anchore CVE Medium python39-libs-3.9.20-2.module+el8.10.0+23441+1124c1da 0.01154 false
CVE-2022-0391 Twistlock CVE Medium python3x-pip-20.2.4-9.module+el8.10.0+21329+8d76b841 0.00946 false
CVE-2022-0391 Twistlock CVE Medium python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00946 false
CVE-2022-0391 Twistlock CVE Medium python3x-setuptools-50.3.2-7.module+el8.10.0+23406+03055bfb 0.00946 false
CVE-2022-0391 Anchore CVE Medium python39-libs-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00946 false
CVE-2022-0391 Anchore CVE Medium python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00946 false
CVE-2023-0464 Anchore CVE Low openssl-1:1.1.1k-14.el8_6 0.00857 false
CVE-2023-0466 Anchore CVE Medium openssl-1:1.1.1k-14.el8_6 0.00666 false
CVE-2023-30590 Twistlock CVE Medium nodejs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00637 false
CVE-2023-30590 Anchore CVE Medium npm-1:6.14.18-1.14.21.3.1.module+el8.7.0+18531+81d21ca6 0.00637 false
CVE-2023-30590 Anchore CVE Medium nodejs-full-i18n-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00637 false
CVE-2023-30590 Anchore CVE Medium nodejs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00637 false
CVE-2023-30590 Anchore CVE Medium nodejs-docs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00637 false
CVE-2020-8201 Twistlock CVE Medium nodejs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00632 false
CVE-2020-8201 Anchore CVE Medium nodejs-full-i18n-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00632 false
CVE-2020-8201 Anchore CVE Medium nodejs-docs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00632 false
CVE-2020-8201 Anchore CVE Medium nodejs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00632 false
CVE-2020-8201 Anchore CVE Medium npm-1:6.14.18-1.14.21.3.1.module+el8.7.0+18531+81d21ca6 0.00632 false
CVE-2024-41996 Anchore CVE Low openssl-1:1.1.1k-14.el8_6 0.00446 false
CVE-2018-19217 Anchore CVE Medium ncurses-6.1-10.20180224.el8 0.00404 false
CVE-2023-42282 Twistlock CVE High ip-1.1.5 0.00397 false
CVE-2023-0465 Anchore CVE Low openssl-1:1.1.1k-14.el8_6 0.00387 false
CVE-2024-7592 Twistlock CVE Low python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00349 false
CVE-2024-7592 Twistlock CVE Low python3x-pip-20.2.4-9.module+el8.10.0+21329+8d76b841 0.00349 false
CVE-2024-7592 Twistlock CVE Low python3x-setuptools-50.3.2-7.module+el8.10.0+23406+03055bfb 0.00349 false
CVE-2024-7592 Anchore CVE Low python39-libs-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00349 false
CVE-2024-7592 Anchore CVE Low python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00349 false
CVE-2022-25883 Twistlock CVE Medium semver-5.7.1 0.00321 false
CVE-2018-1000021 Twistlock CVE Medium git-2.43.7-1.el8_10 0.00306 false
CVE-2018-1000021 Anchore CVE Medium git-core-doc-2.43.7-1.el8_10 0.00306 false
CVE-2018-1000021 Anchore CVE Medium git-core-2.43.7-1.el8_10 0.00306 false
CVE-2018-1000021 Anchore CVE Medium perl-Git-2.43.7-1.el8_10 0.00306 false
CVE-2018-1000021 Anchore CVE Medium git-2.43.7-1.el8_10 0.00306 false
CVE-2018-19211 Anchore CVE Low ncurses-6.1-10.20180224.el8 0.00278 false
CVE-2025-1795 Twistlock CVE Low python3x-pip-20.2.4-9.module+el8.10.0+21329+8d76b841 0.00236 false
CVE-2025-1795 Twistlock CVE Low python3x-setuptools-50.3.2-7.module+el8.10.0+23406+03055bfb 0.00236 false
CVE-2025-1795 Twistlock CVE Low python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00236 false
CVE-2025-1795 Anchore CVE Low python39-libs-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00236 false
CVE-2025-1795 Anchore CVE Low python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00236 false
CVE-2024-0397 Twistlock CVE Low python3x-setuptools-50.3.2-7.module+el8.10.0+23406+03055bfb 0.00226 false
CVE-2024-0397 Twistlock CVE Low python3x-pip-20.2.4-9.module+el8.10.0+21329+8d76b841 0.00226 false
CVE-2024-0397 Twistlock CVE Low python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00226 false
CVE-2024-0397 Anchore CVE Low python39-libs-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00226 false
CVE-2024-0397 Anchore CVE Low python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00226 false
CVE-2024-0727 Anchore CVE Low openssl-1:1.1.1k-14.el8_6 0.00224 false
CVE-2024-28863 Twistlock CVE Medium tar-4.4.19 0.00198 false
CVE-2020-12723 Twistlock CVE Medium perl-0:5.26.3-423.el8_10 0.00181 false
CVE-2024-4741 Anchore CVE Low openssl-1:1.1.1k-14.el8_6 0.00133 false
CVE-2024-21538 Twistlock CVE Low cross-spawn-5.1.0 0.00129 false
CVE-2022-48338 Twistlock CVE Medium emacs-1:26.1-15.el8_10 0.00119 false
CVE-2024-13176 Anchore CVE Low openssl-1:1.1.1k-14.el8_6 0.00118 false
CVE-2025-6069 Twistlock CVE Medium python3x-pip-20.2.4-9.module+el8.10.0+21329+8d76b841 0.00116 false
CVE-2025-6069 Twistlock CVE Medium python3x-setuptools-50.3.2-7.module+el8.10.0+23406+03055bfb 0.00116 false
CVE-2025-6069 Twistlock CVE Medium python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00116 false
CVE-2025-6069 Anchore CVE Medium python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00116 false
CVE-2025-6069 Anchore CVE Medium python39-libs-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00116 false
CVE-2020-10878 Twistlock CVE Medium perl-0:5.26.3-423.el8_10 0.00105 false
CVE-2025-8291 Twistlock CVE Medium python3x-pip-20.2.4-9.module+el8.10.0+21329+8d76b841 0.00073 false
CVE-2025-8291 Twistlock CVE Medium python3x-setuptools-50.3.2-7.module+el8.10.0+23406+03055bfb 0.00073 false
CVE-2025-8291 Twistlock CVE Medium python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00073 false
CVE-2025-8291 Anchore CVE Medium python39-libs-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00073 false
CVE-2025-8291 Anchore CVE Medium python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00073 false
CVE-2025-5318 Twistlock CVE Medium libssh-0.9.6-15.el8_10 0.00062 false
CVE-2025-5987 Twistlock CVE Medium libssh-0.9.6-15.el8_10 0.00058 false
CVE-2025-5987 Anchore CVE Medium libssh-config-0.9.6-15.el8_10 0.00058 false
CVE-2025-5987 Anchore CVE Medium libssh-0.9.6-15.el8_10 0.00058 false
CVE-2025-5372 Twistlock CVE Medium libssh-0.9.6-15.el8_10 0.00056 false
CVE-2025-5372 Anchore CVE Medium libssh-config-0.9.6-15.el8_10 0.00056 false
CVE-2025-5372 Anchore CVE Medium libssh-0.9.6-15.el8_10 0.00056 false
CVE-2025-7783 Twistlock CVE Medium form-data-2.3.3 See the impact section in the attached GHSA. 0.00052 false
CVE-2023-50495 Anchore CVE Low ncurses-6.1-10.20180224.el8 0.00051 false
CVE-2025-8277 Twistlock CVE Low libssh-0.9.6-15.el8_10 0.00050 false
CVE-2025-8277 Anchore CVE Low libssh-config-0.9.6-15.el8_10 0.00050 false
CVE-2025-8277 Anchore CVE Low libssh-0.9.6-15.el8_10 0.00050 false
CVE-2023-5752 Twistlock CVE Low pip-20.2.4 Only users using Mercurial VCS functionality with untrusted inputs are affected. 0.00044 false
CVE-2025-5351 Twistlock CVE Medium libssh-0.9.6-15.el8_10 0.00039 false
CVE-2025-5351 Anchore CVE Medium libssh-0.9.6-15.el8_10 0.00039 false
CVE-2025-5351 Anchore CVE Medium libssh-config-0.9.6-15.el8_10 0.00039 false
CVE-2025-32728 Twistlock CVE Medium openssh-8.0p1-26.el8_10 0.00030 false
CVE-2025-32728 Anchore CVE Medium openssh-clients-8.0p1-26.el8_10 0.00030 false
CVE-2025-32728 Anchore CVE Medium openssh-8.0p1-26.el8_10 0.00030 false
CVE-2025-5889 Twistlock CVE Low brace-expansion-1.1.11 I'm mirroring the CVE severity assessment here. Sanitize strings being passed to the function so that they don't contain many ',' in a row. 0.00026 false
CVE-2023-30588 Twistlock CVE Medium nodejs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00020 false
CVE-2023-30588 Anchore CVE Medium nodejs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00020 false
CVE-2023-30588 Anchore CVE Medium nodejs-docs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00020 false
CVE-2023-30588 Anchore CVE Medium npm-1:6.14.18-1.14.21.3.1.module+el8.7.0+18531+81d21ca6 0.00020 false
CVE-2023-30588 Anchore CVE Medium nodejs-full-i18n-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00020 false
CVE-2025-8869 Twistlock CVE Medium pip-25.2 0.00018 false
CVE-2025-8869 Twistlock CVE Medium pip-20.2.4 0.00018 false
CVE-2025-8114 Twistlock CVE Medium libssh-0.9.6-15.el8_10 0.00018 false
CVE-2025-8114 Anchore CVE Medium libssh-0.9.6-15.el8_10 0.00018 false
CVE-2025-8114 Anchore CVE Medium libssh-config-0.9.6-15.el8_10 0.00018 false
CVE-2025-4878 Twistlock CVE Low libssh-0.9.6-15.el8_10 0.00018 false
CVE-2025-4878 Anchore CVE Low libssh-0.9.6-15.el8_10 0.00018 false
CVE-2025-4878 Anchore CVE Low libssh-config-0.9.6-15.el8_10 0.00018 false
CVE-2025-48386 Twistlock CVE Medium git-2.43.7-1.el8_10 0.00017 false
CVE-2025-48386 Anchore CVE Medium git-core-2.43.7-1.el8_10 0.00017 false
CVE-2025-48386 Anchore CVE Medium perl-Git-2.43.7-1.el8_10 0.00017 false
CVE-2025-48386 Anchore CVE Medium git-core-doc-2.43.7-1.el8_10 0.00017 false
CVE-2025-48386 Anchore CVE Medium git-2.43.7-1.el8_10 0.00017 false
CVE-2024-30204 Twistlock CVE Medium emacs-1:26.1-15.el8_10 0.00016 false
CVE-2023-30581 Twistlock CVE High nodejs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00014 false
CVE-2023-30581 Anchore CVE High npm-1:6.14.18-1.14.21.3.1.module+el8.7.0+18531+81d21ca6 0.00014 false
CVE-2023-30581 Anchore CVE High nodejs-docs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00014 false
CVE-2023-30581 Anchore CVE High nodejs-full-i18n-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00014 false
CVE-2023-30581 Anchore CVE High nodejs-1:14.21.3-1.module+el8.7.0+18531+81d21ca6 0.00014 false
CVE-2025-61984 Twistlock CVE Medium openssh-8.0p1-26.el8_10 0.00013 false
CVE-2025-61984 Anchore CVE Medium openssh-8.0p1-26.el8_10 0.00013 false
CVE-2025-61984 Anchore CVE Medium openssh-clients-8.0p1-26.el8_10 0.00013 false
CVE-2025-4516 Twistlock CVE Medium python3x-setuptools-50.3.2-7.module+el8.10.0+23406+03055bfb 0.00013 false
CVE-2025-4516 Twistlock CVE Medium python3x-pip-20.2.4-9.module+el8.10.0+21329+8d76b841 0.00013 false
CVE-2025-4516 Twistlock CVE Medium python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00013 false
CVE-2025-4516 Anchore CVE Medium python39-libs-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00013 false
CVE-2025-4516 Anchore CVE Medium python39-3.9.20-2.module+el8.10.0+23441+1124c1da 0.00013 false
CVE-2025-61985 Twistlock CVE Medium openssh-8.0p1-26.el8_10 0.00012 false
CVE-2025-61985 Anchore CVE Medium openssh-8.0p1-26.el8_10 0.00012 false
CVE-2025-61985 Anchore CVE Medium openssh-clients-8.0p1-26.el8_10 0.00012 false
CVE-2025-40909 Twistlock CVE Medium perl-0:5.26.3-423.el8_10 0.00009 false
CVE-2023-51767 Anchore CVE Medium openssh-clients-8.0p1-26.el8_10 0.00008 false
CVE-2023-51767 Anchore CVE Medium openssh-8.0p1-26.el8_10 0.00008 false
PRISMA-2022-0168 Twistlock CVE High pip-25.2 N/A N/A
PRISMA-2022-0168 Twistlock CVE High pip-20.2.4 N/A N/A
GHSA-4xh5-x5gv-qwph Anchore CVE Medium pip-25.2 N/A N/A

Tasks

Contributor:

  • Apply the StatusReview label to this issue for a merge request review and wait for feedback

OR

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue for a VAT justifications review and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Review or Verification label will be removed and the issue will be sent back to To-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Review or Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.

Edited by CHORE_TOKEN