chore(findings): sonarsource/sonarqube/sonarqube
Summary
sonarsource/sonarqube/sonarqube has 113 new findings discovered during continuous monitoring.
id | source | severity | package |
---|---|---|---|
CVE-2021-42392 | Anchore CVE | Critical | h2-1.4.199 |
GHSA-4jrv-ppp4-jm57 | Anchore CVE | High | gson-2.8.5 |
CVE-2022-22968 | Anchore CVE | Medium | spring-core-5.2.13.release |
GHSA-4jrv-ppp4-jm57 | Anchore CVE | High | gson-2.6.2 |
GHSA-668q-qrv7-99fm | Anchore CVE | Medium | logback-core-1.2.3 |
GHSA-xqfj-vm6h-2x34 | Anchore CVE | High | commons-compress-1.20 |
GHSA-4jrv-ppp4-jm57 | Anchore CVE | High | gson-2.6.2 |
CVE-2021-22118 | Anchore CVE | High | spring-core-5.2.13.release |
CVE-2021-23463 | Anchore CVE | Critical | h2-1.4.199 |
CVE-2022-23708 | Anchore CVE | Medium | elasticsearch-7.16.2 |
GHSA-h4h5-3hr4-j3g2 | Anchore CVE | Medium | protobuf-java-3.11.4 |
CVE-2022-22950 | Anchore CVE | Medium | spring-core-5.2.13.release |
GHSA-wrvw-hg22-4m67 | Anchore CVE | High | protobuf-java-3.14.0 |
GHSA-4jrv-ppp4-jm57 | Anchore CVE | High | gson-2.6.2 |
GHSA-4jrv-ppp4-jm57 | Anchore CVE | High | gson-2.6.2 |
CVE-2022-22971 | Anchore CVE | Medium | spring-core-5.2.13.release |
GHSA-5mg8-w23w-74h3 | Anchore CVE | Low | guava-10.0.1 |
GHSA-4jrv-ppp4-jm57 | Anchore CVE | High | gson-2.8.6 |
GHSA-5mg8-w23w-74h3 | Anchore CVE | Low | guava-28.2-jre |
CVE-2022-23221 | Anchore CVE | Critical | h2-1.4.199 |
GHSA-crv7-7245-f45f | Anchore CVE | High | commons-compress-1.20 |
GHSA-4jrv-ppp4-jm57 | Anchore CVE | High | gson-2.7 |
GHSA-8489-44mv-ggj8 | Anchore CVE | Medium | log4j-core-2.17.0 |
GHSA-wrvw-hg22-4m67 | Anchore CVE | High | protobuf-java-3.8.0 |
CVE-2022-22970 | Anchore CVE | Medium | spring-core-5.2.13.release |
GHSA-mc84-pj99-q6hh | Anchore CVE | High | commons-compress-1.20 |
GHSA-4jrv-ppp4-jm57 | Anchore CVE | High | gson-2.8.5 |
GHSA-4jrv-ppp4-jm57 | Anchore CVE | High | gson-2.7 |
GHSA-7hfm-57qf-j43q | Anchore CVE | High | commons-compress-1.20 |
CVE-2021-22060 | Anchore CVE | Medium | spring-core-5.2.13.release |
GHSA-wrvw-hg22-4m67 | Anchore CVE | High | protobuf-java-3.8.0 |
GHSA-wrvw-hg22-4m67 | Anchore CVE | High | protobuf-java-3.14.0 |
CVE-2021-22096 | Anchore CVE | Medium | spring-core-5.2.13.release |
GHSA-wrvw-hg22-4m67 | Anchore CVE | High | protobuf-java-3.14.0 |
GHSA-wrvw-hg22-4m67 | Anchore CVE | High | protobuf-java-3.14.0 |
GHSA-3f7h-mf4q-vrm4 | Anchore CVE | Low | woodstox-core-5.2.0 |
CVE-2022-45868 | Anchore CVE | High | h2-1.4.199 |
GHSA-g5ww-5jh7-63cx | Anchore CVE | High | protobuf-java-3.11.4 |
GHSA-g5ww-5jh7-63cx | Anchore CVE | High | protobuf-java-3.21.0 |
GHSA-g5ww-5jh7-63cx | Anchore CVE | High | protobuf-java-3.8.0 |
GHSA-g5ww-5jh7-63cx | Anchore CVE | High | protobuf-java-3.8.0 |
GHSA-4gg5-vx3j-xwc7 | Anchore CVE | High | protobuf-java-3.8.0 |
GHSA-4gg5-vx3j-xwc7 | Anchore CVE | High | protobuf-java-3.8.0 |
GHSA-4gg5-vx3j-xwc7 | Anchore CVE | High | protobuf-java-3.21.0 |
GHSA-4gg5-vx3j-xwc7 | Anchore CVE | High | protobuf-java-3.11.4 |
GHSA-xmc8-26q4-qjhx | Anchore CVE | High | jackson-dataformat-cbor-2.10.4 |
CVE-2023-20861 | Anchore CVE | Medium | spring-core-5.2.13.release |
GHSA-4gg5-vx3j-xwc7 | Anchore CVE | High | protobuf-java-3.21.0 |
GHSA-mjmj-j48q-9wg2 | Anchore CVE | High | snakeyaml-1.33 |
GHSA-g5ww-5jh7-63cx | Anchore CVE | High | protobuf-java-3.21.0 |
GHSA-c5hg-mr8r-f6jp | Anchore CVE | Critical | hazelcast-4.2 |
GHSA-v57x-gxfj-484q | Anchore CVE | Critical | hazelcast-4.2 |
CVE-2021-44832 | Anchore CVE | Medium | log4j-to-slf4j-2.17.0 |
GHSA-5mg8-w23w-74h3 | Anchore CVE | Low | guava-28.2-jre |
GHSA-668q-qrv7-99fm | Anchore CVE | Medium | logback-core-1.2.3 |
GHSA-3vqj-43w4-2q58 | Anchore CVE | High | json-20201115 |
CVE-2023-20863 | Anchore CVE | Medium | spring-core-5.2.13.release |
CVE-2023-27043 | Anchore CVE | Medium | python-checks-3.4.1.8066 |
CVE-2023-27043 | Anchore CVE | Medium | python-frontend-3.4.1.8066 |
GHSA-5gj6-62g7-vmgf | Anchore CVE | Medium | hazelcast-4.2 |
GHSA-7g45-4rm6-3mm3 | Anchore CVE | Medium | guava-30.1.1-jre |
GHSA-7g45-4rm6-3mm3 | Anchore CVE | Medium | guava-30.1.1-jre |
GHSA-7g45-4rm6-3mm3 | Anchore CVE | Medium | guava-30.1.1-jre |
GHSA-7g45-4rm6-3mm3 | Anchore CVE | Medium | guava-30.1.1-jre |
GHSA-7g45-4rm6-3mm3 | Anchore CVE | Medium | guava-30.1.1-jre |
GHSA-7g45-4rm6-3mm3 | Anchore CVE | Medium | guava-28.2-jre |
GHSA-7g45-4rm6-3mm3 | Anchore CVE | Medium | guava-30.1.1-jre |
GHSA-7g45-4rm6-3mm3 | Anchore CVE | Medium | guava-10.0.1 |
GHSA-7g45-4rm6-3mm3 | Anchore CVE | Medium | guava-28.2-jre |
GHSA-6mjq-h674-j845 | Anchore CVE | Medium | netty-handler-4.1.66.Final |
GHSA-v57x-gxfj-484q | Twistlock CVE | Critical | com.hazelcast_hazelcast-4.2 |
PRISMA-2022-0239 | Twistlock CVE | High | com.squareup.okhttp3_okhttp-3.13.1 |
PRISMA-2022-0239 | Twistlock CVE | High | com.squareup.okhttp3_okhttp-3.14.2 |
CVE-2021-36090 | Twistlock CVE | High | org.apache.commons_commons-compress-1.20 |
CVE-2021-35517 | Twistlock CVE | High | org.apache.commons_commons-compress-1.20 |
CVE-2021-35516 | Twistlock CVE | High | org.apache.commons_commons-compress-1.20 |
CVE-2021-35515 | Twistlock CVE | High | org.apache.commons_commons-compress-1.20 |
CVE-2021-44832 | Twistlock CVE | Medium | org.apache.logging.log4j_log4j-core-2.17.0 |
CVE-2021-42550 | Twistlock CVE | Medium | ch.qos.logback_logback-core-1.2.3 |
CVE-2022-3509 | Twistlock CVE | High | com.google.protobuf_protobuf-java-3.8.0 |
CVE-2022-3509 | Twistlock CVE | High | com.google.protobuf_protobuf-java-3.11.4 |
CVE-2022-3509 | Twistlock CVE | High | com.google.protobuf_protobuf-java-3.21.0 |
CVE-2022-41881 | Twistlock CVE | High | io.netty_netty-codec-4.1.66 |
CVE-2022-3510 | Twistlock CVE | High | com.google.protobuf_protobuf-java-3.8.0 |
CVE-2022-3510 | Twistlock CVE | High | com.google.protobuf_protobuf-java-3.11.4 |
CVE-2022-3510 | Twistlock CVE | High | com.google.protobuf_protobuf-java-3.21.0 |
CVE-2022-36437 | Twistlock CVE | Critical | com.hazelcast_hazelcast-4.2 |
CVE-2022-1471 | Twistlock CVE | Critical | org.yaml_snakeyaml-1.26 |
CVE-2022-22965 | Twistlock CVE | Critical | spring-core-5.2.13 |
CVE-2022-23221 | Twistlock CVE | Critical | h2-1.4.199 |
CVE-2022-22965 | Twistlock CVE | Critical | spring-beans-5.2.13 |
CVE-2021-42392 | Twistlock CVE | Critical | h2-1.4.199 |
CVE-2021-22118 | Twistlock CVE | High | spring-core-5.2.13 |
CVE-2022-31197 | Twistlock CVE | High | org.postgresql_postgresql-42.3.3 |
CVE-2021-23463 | Twistlock CVE | High | h2-1.4.199 |
CVE-2023-20861 | Twistlock CVE | Medium | spring-core-5.2.13 |
CVE-2022-22971 | Twistlock CVE | Medium | spring-core-5.2.13 |
CVE-2022-22950 | Twistlock CVE | Medium | spring-core-5.2.13 |
CVE-2022-22970 | Twistlock CVE | Medium | spring-core-5.2.13 |
CVE-2022-23708 | Twistlock CVE | Medium | elasticsearch-7.16.2 |
CVE-2021-22096 | Twistlock CVE | Medium | spring-core-5.2.13 |
CVE-2021-22060 | Twistlock CVE | Medium | spring-core-5.2.13 |
CVE-2022-41946 | Twistlock CVE | Medium | org.postgresql_postgresql-42.3.3 |
CVE-2022-22950 | Twistlock CVE | Medium | spring-expression-5.2.13 |
CVE-2023-20863 | Twistlock CVE | Medium | spring-core-5.2.13 |
PRISMA-2023-0067 | Twistlock CVE | High | com.fasterxml.jackson.core_jackson-core-2.12.1 |
PRISMA-2023-0067 | Twistlock CVE | High | com.fasterxml.jackson.core_jackson-core-2.10.4 |
CVE-2022-1471 | Twistlock CVE | Critical | org.yaml_snakeyaml-1.33 |
CVE-2023-33264 | Twistlock CVE | Medium | com.hazelcast_hazelcast-4.2 |
CVE-2023-2976 | Twistlock CVE | Medium | com.google.guava_guava-10.0.1 |
CVE-2023-2976 | Twistlock CVE | Medium | com.google.guava_guava-28.2 |
CVE-2023-2976 | Twistlock CVE | Medium | com.google.guava_guava-30.1.1 |
CVE-2023-34462 | Twistlock CVE | Medium | io.netty_netty-handler-4.1.66 |
VAT: https://vat.dso.mil/vat/image?imageName=sonarsource/sonarqube/sonarqube&tag=8.9.10-developer&branch=master
More information can be found in the failed pipeline located here: https://repo1.dso.mil/dsop/sonarsource/sonarqube/sonarqube8-developer/-/jobs/14671547
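The 113 rows above are not 113 distinct problems: the same advisory is listed once per jar version (GHSA-4jrv-ppp4-jm57 against gson 2.6.2, 2.7, 2.8.5 and 2.8.6), several rows are verbatim repeats (GHSA-4jrv-ppp4-jm57 / gson-2.6.2 appears four times), and Anchore and Twistlock spell the same package differently (`spring-core-5.2.13.release` versus `spring-core-5.2.13`, `commons-compress-1.20` versus `org.apache.commons_commons-compress-1.20`). Before writing VAT justifications it helps to collapse the table to the list of artifacts that actually need a bump. The script below is an added example, not Iron Bank or VAT tooling; the package-name normalization and the severity ordering are assumptions made for triage, and the embedded rows are a constructed subset copied from the table above.

```python
"""Collapse a findings table into a per-artifact worklist (added example, not Iron Bank tooling)."""
from collections import defaultdict

# Severity ordering used to pick the worst finding per artifact (assumed ordering).
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed sample: a subset of rows copied from the findings table in this issue.
SAMPLE_TABLE = """\
id | source | severity | package |
---|---|---|---|
CVE-2021-42392 | Anchore CVE | Critical | h2-1.4.199 |
GHSA-4jrv-ppp4-jm57 | Anchore CVE | High | gson-2.6.2 |
GHSA-4jrv-ppp4-jm57 | Anchore CVE | High | gson-2.6.2 |
GHSA-4jrv-ppp4-jm57 | Anchore CVE | High | gson-2.8.5 |
CVE-2022-22965 | Twistlock CVE | Critical | spring-core-5.2.13 |
CVE-2021-22118 | Twistlock CVE | High | spring-core-5.2.13 |
CVE-2021-22118 | Anchore CVE | High | spring-core-5.2.13.release |
CVE-2022-1471 | Twistlock CVE | Critical | org.yaml_snakeyaml-1.33 |
GHSA-5mg8-w23w-74h3 | Anchore CVE | Low | guava-28.2-jre |
"""


def parse_findings(text):
    """Return (id, source, severity, package) tuples from a pipe-delimited findings table.

    The header row and the '---' separator row are skipped, and the empty cell
    produced by the trailing '|' on every row is discarded.
    """
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().split("|")]
        cells = [c for c in cells if c]
        if len(cells) != 4 or cells[0] == "id" or set(cells[0]) <= {"-"}:
            continue
        rows.append(tuple(cells))
    return rows


def normalize_package(pkg):
    """Strip scanner-specific decoration so the same jar matches across Anchore and Twistlock.

    Twistlock prefixes the Maven groupId ('org.apache.commons_commons-compress-1.20'),
    Anchore keeps the bare artifact name and sometimes a '.release', '-jre' or '.Final'
    tail. This heuristic is an assumption for triage, not a standard mapping.
    """
    name = pkg.rsplit("_", 1)[-1]
    for suffix in (".release", ".RELEASE", "-jre", ".Final"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    return name.lower()


def split_package(name):
    """Split 'artifact-version' at the last '-' that is followed by a digit (assumed layout)."""
    for i in range(len(name) - 1, -1, -1):
        if name[i] == "-" and i + 1 < len(name) and name[i + 1].isdigit():
            return name[:i], name[i + 1:]
    return name, ""


def triage(rows):
    """Group rows by artifact, counting each (advisory, artifact, version) only once.

    Verbatim duplicate rows, and the same advisory reported by both scanners under
    different spellings of the same jar, collapse to a single entry.
    """
    by_artifact = defaultdict(lambda: {"versions": set(), "advisories": set(), "worst": "Low"})
    seen = set()
    for adv_id, _source, severity, package in rows:
        artifact, version = split_package(normalize_package(package))
        key = (adv_id, artifact, version)
        if key in seen:
            continue
        seen.add(key)
        entry = by_artifact[artifact]
        entry["versions"].add(version)
        entry["advisories"].add(adv_id)
        if SEVERITY_RANK[severity] > SEVERITY_RANK[entry["worst"]]:
            entry["worst"] = severity
    return dict(by_artifact)


def worklist(rows):
    """Return (artifact, worst severity, distinct advisory count, sorted versions), worst first."""
    summary = triage(rows)
    return sorted(
        ((a, e["worst"], len(e["advisories"]), sorted(e["versions"])) for a, e in summary.items()),
        key=lambda t: (-SEVERITY_RANK[t[1]], -t[2], t[0]),
    )


if __name__ == "__main__":
    for artifact, worst, count, versions in worklist(parse_findings(SAMPLE_TABLE)):
        print(f"{worst:8} {artifact:16} {count} advisories  versions={','.join(versions)}")
```

Run against the full table the worklist is what goes into the VAT: one justification per artifact (upgrade, not reachable, or vendored by the upstream SonarQube release) rather than one per duplicated row. The normalization is deliberately conservative; an artifact it fails to merge just shows up twice, which is still better than 113 undifferentiated rows.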
Tasks
Contributor:
- Provide justifications for findings in the VAT (docs)
- Apply the ~"Hardening::Approval" label to this issue and wait for feedback
Iron Bank:
- Review findings and justifications
- Send approval request to Authorizing Official
- Close issue after approval from Authorizing Official
Note: If the above approval process is rejected for any reason, the Approval label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Approval label.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.