UNCLASSIFIED - NO CUI

Skip to content

chore(findings): sonarsource/sonarqube/sonarqube

Summary

sonarsource/sonarqube/sonarqube has 63 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=sonarsource/sonarqube/sonarqube&tag=2025.1.4-developer&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

id source severity package impact workaround epss_score kev
CVE-2025-31650 Anchore CVE High tomcat-embed-el-9.0.98 0.04536 false
CVE-2025-52520 Anchore CVE High tomcat-embed-el-9.0.98 0.00226 false
CVE-2025-48989 Anchore CVE High tomcat-embed-el-9.0.98 0.00207 false
CVE-2024-12539 Twistlock CVE Medium org.elasticsearch_elasticsearch-8.16.1 0.00207 false
CVE-2025-52434 Anchore CVE High tomcat-embed-el-9.0.98 0.00182 false
CVE-2025-53506 Anchore CVE High tomcat-embed-el-9.0.98 0.00170 false
CVE-2025-48988 Anchore CVE High tomcat-embed-el-9.0.98 0.00082 false
CVE-2025-55163 Twistlock CVE High io.netty_netty-codec-http2-4.1.115.Final 0.00081 false
CVE-2025-49125 Anchore CVE High tomcat-embed-el-9.0.98 0.00074 false
CVE-2025-48924 Twistlock CVE Medium org.apache.commons_commons-lang3-3.16.0 0.00066 false
CVE-2025-48924 Twistlock CVE Medium commons-lang_commons-lang-2.6 0.00066 false
CVE-2025-48924 Twistlock CVE Medium org.apache.commons_commons-lang3-3.17.0 0.00066 false
CVE-2025-48924 Twistlock CVE Medium org.apache.commons_commons-lang3-3.14.0 0.00066 false
CVE-2025-8885 Twistlock CVE Medium org.bouncycastle_bc-fips-1.0.2.4 0.00063 false
CVE-2025-41249 Twistlock CVE High spring-core-6.2.1 0.00056 false
CVE-2025-53864 Twistlock CVE Medium com.nimbusds_nimbus-jose-jwt-9.37.3 0.00050 false
CVE-2025-53864 Twistlock CVE Medium com.nimbusds_nimbus-jose-jwt-9.40 0.00050 false
CVE-2025-46551 Twistlock CVE Low org.jruby_jruby-core-9.4.8.0 0.00043 false
CVE-2025-11226 Twistlock CVE Medium ch.qos.logback_logback-core-1.5.13 0.00037 false
CVE-2025-22233 Twistlock CVE Low spring-context-6.2.1 0.00036 false
CVE-2025-58057 Twistlock CVE Medium io.netty_netty-codec-4.1.115.Final 0.00033 false
CVE-2025-49124 Anchore CVE High tomcat-embed-el-9.0.98 0.00033 false
CVE-2025-58056 Twistlock CVE Low io.netty_netty-codec-http-4.1.115.Final 0.00026 false
CVE-2025-52999 Twistlock CVE High com.fasterxml.jackson.core_jackson-core-2.14.2 0.00023 false
CVE-2025-49146 Twistlock CVE High org.postgresql_postgresql-42.7.4 0.00023 false
CVE-2025-37727 Twistlock CVE Medium org.elasticsearch_elasticsearch-8.16.1 0.00022 false
CVE-2023-50572 Anchore CVE Medium jline-2.14.6 0.00021 false
CVE-2025-46701 Anchore CVE High tomcat-embed-el-9.0.98 0.00019 false
CVE-2025-55668 Anchore CVE Medium tomcat-embed-el-9.0.98 0.00015 false
CVE-2025-61795 Anchore CVE Medium tomcat-embed-el-9.0.98 N/A false
CVE-2025-55752 Anchore CVE High tomcat-embed-el-9.0.98 N/A false
GHSA-xwmg-2g98-w7v9 Anchore CVE Medium nimbus-jose-jwt-9.40 N/A N/A
GHSA-xwmg-2g98-w7v9 Anchore CVE Medium nimbus-jose-jwt-9.37.3 N/A N/A
GHSA-prj3-ccx8-p6x4 Anchore CVE High netty-codec-http2-4.1.115.Final N/A N/A
GHSA-jmp9-x22r-554x Anchore CVE High spring-core-6.2.1 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.14.0 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.17.0 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.16.0 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang-2.6 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.14.0 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.14.0 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.16.0 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.14.0 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.14.0 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang-2.6 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang-2.6 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang-2.6 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.17.0 N/A N/A
GHSA-hq9p-pm7w-8p54 Anchore CVE High postgresql-42.7.4 N/A N/A
GHSA-h46c-h94j-95f3 Anchore CVE High jackson-core-2.14.2 N/A N/A
GHSA-fghv-69vj-qj49 Anchore CVE Low netty-codec-http-4.1.115.Final N/A N/A
GHSA-fghv-69vj-qj49 Anchore CVE Low netty-codec-http-4.1.115.Final N/A N/A
GHSA-fghv-69vj-qj49 Anchore CVE Low netty-codec-http-4.1.115.Final N/A N/A
GHSA-67mf-3cr5-8w23 Anchore CVE Medium bc-fips-1.0.2.4 N/A N/A
GHSA-5mpw-4546-2wcr Anchore CVE Medium elasticsearch-8.16.1 N/A N/A
GHSA-56r7-h6mw-rcfv Anchore CVE Medium elasticsearch-8.16.1 N/A N/A
GHSA-4wp7-92pw-q264 Anchore CVE Low spring-context-6.2.1 N/A N/A
GHSA-4cx2-fc23-5wg6 Anchore CVE Medium bcpkix-jdk18on-1.78.1 N/A N/A
GHSA-3p8m-j85q-pgmj Anchore CVE Medium netty-codec-4.1.115.Final N/A N/A
GHSA-3p8m-j85q-pgmj Anchore CVE Medium netty-codec-4.1.115.Final N/A N/A
GHSA-3p8m-j85q-pgmj Anchore CVE Medium netty-codec-4.1.115.Final N/A N/A
GHSA-25qh-j22f-pwp8 Anchore CVE Medium logback-core-1.5.13 N/A N/A
GHSA-25qh-j22f-pwp8 Anchore CVE Medium logback-core-1.5.13 N/A N/A

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=sonarsource/sonarqube/sonarqube&tag=2025.1.4-developer&branch=master

Tasks

Contributor:

  • Apply the StatusReview label to this issue for a merge request review and wait for feedback

OR

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue for a VAT justifications review and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Review or Verification label will be removed and the issue will be sent back to To-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Review or Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.

Edited by Matteo Mara
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

UNCLASSIFIED - NO CUI