UNCLASSIFIED - NO CUI

chore(findings): sonarsource/sonarqube/sonarqube

Summary

sonarsource/sonarqube/sonarqube has 72 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=sonarsource/sonarqube/sonarqube&tag=9.9.9-datacenter-app&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

id source severity package impact workaround epss_score kev
CVE-2024-22259 Twistlock CVE Low spring-core-5.3.28 0.55006 false
CVE-2024-22259 Anchore CVE High spring-core-5.3.28 0.55006 false
CVE-2024-24549 Anchore CVE High tomcat-embed-el-9.0.44 0.52453 false
CVE-2024-34750 Anchore CVE High tomcat-embed-el-9.0.44 0.17245 false
CVE-2024-38808 Twistlock CVE Low spring-core-5.3.28 0.00809 false
CVE-2024-38808 Anchore CVE Medium spring-core-5.3.28 0.00809 false
CVE-2024-23672 Anchore CVE Medium tomcat-embed-el-9.0.44 0.00577 false
CVE-2025-48989 Anchore CVE High tomcat-embed-el-9.0.44 0.00196 false
CVE-2024-52979 Twistlock CVE High org.elasticsearch_elasticsearch-7.17.15 0.00175 false
CVE-2025-55752 Anchore CVE High tomcat-embed-el-9.0.44 0.00171 false
CVE-2025-61795 Anchore CVE Medium tomcat-embed-el-9.0.44 0.00169 false
CVE-2025-1736 Anchore CVE High php-frontend-3.27.1.9352 0.00165 false
CVE-2025-1736 Anchore CVE High php-checks-3.27.1.9352 0.00165 false
CVE-2025-1861 Anchore CVE Critical php-checks-3.27.1.9352 0.00158 false
CVE-2025-1861 Anchore CVE Critical php-frontend-3.27.1.9352 0.00158 false
CVE-2025-53506 Anchore CVE High tomcat-embed-el-9.0.44 0.00144 false
CVE-2025-52434 Anchore CVE High tomcat-embed-el-9.0.44 0.00141 false
CVE-2025-48988 Anchore CVE High tomcat-embed-el-9.0.44 0.00124 false
CVE-2025-1217 Anchore CVE Low php-frontend-3.27.1.9352 0.00124 false
CVE-2025-1217 Anchore CVE Low php-checks-3.27.1.9352 0.00124 false
CVE-2025-6491 Anchore CVE Medium php-frontend-3.27.1.9352 0.00114 false
CVE-2025-6491 Anchore CVE Medium php-checks-3.27.1.9352 0.00114 false
CVE-2025-52520 Anchore CVE High tomcat-embed-el-9.0.44 0.00107 false
CVE-2025-49125 Anchore CVE High tomcat-embed-el-9.0.44 0.00091 false
CVE-2025-1734 Anchore CVE Medium php-checks-3.27.1.9352 0.00089 false
CVE-2025-1734 Anchore CVE Medium php-frontend-3.27.1.9352 0.00089 false
CVE-2025-41249 Twistlock CVE High spring-core-5.3.28 0.00080 false
CVE-2025-11226 Twistlock CVE Medium ch.qos.logback_logback-core-1.2.10 0.00071 false
CVE-2025-1735 Anchore CVE High php-frontend-3.27.1.9352 0.00059 false
CVE-2025-1735 Anchore CVE High php-checks-3.27.1.9352 0.00059 false
CVE-2025-58057 Twistlock CVE Medium io.netty_netty-codec-4.1.94.Final 0.00034 false
CVE-2025-37727 Twistlock CVE Medium org.elasticsearch_elasticsearch-7.17.15 0.00034 false
CVE-2025-53864 Twistlock CVE Medium com.nimbusds_nimbus-jose-jwt-9.23 0.00033 false
CVE-2025-52999 Twistlock CVE High com.fasterxml.jackson.core_jackson-core-2.14.1 0.00030 false
CVE-2025-52999 Twistlock CVE High com.fasterxml.jackson.core_jackson-core-2.14.2 0.00030 false
CVE-2025-46551 Twistlock CVE Low org.jruby_jruby-core-9.3.8.0 0.00026 false
CVE-2025-49124 Anchore CVE High tomcat-embed-el-9.0.44 0.00025 false
CVE-2025-58056 Twistlock CVE Low io.netty_netty-codec-http-4.1.94.Final 0.00024 false
CVE-2025-46701 Anchore CVE High tomcat-embed-el-9.0.44 0.00024 false
CVE-2025-22233 Twistlock CVE Low spring-context-5.3.28 0.00021 false
CVE-2023-50572 Anchore CVE Medium jline-2.14.6 0.00021 false
CVE-2025-55668 Anchore CVE Medium tomcat-embed-el-9.0.44 0.00015 false
CVE-2025-1220 Anchore CVE Medium php-frontend-3.27.1.9352 0.00015 false
CVE-2025-1220 Anchore CVE Medium php-checks-3.27.1.9352 0.00015 false
CVE-2025-48924 Twistlock CVE Medium org.apache.commons_commons-lang3-3.10 0.00014 false
CVE-2025-48924 Twistlock CVE Medium commons-lang_commons-lang-2.6 0.00014 false
CVE-2025-48924 Twistlock CVE Medium org.apache.commons_commons-lang3-3.12.0 0.00014 false
CVE-2025-1219 Anchore CVE Medium php-checks-3.27.1.9352 0.00013 false
CVE-2025-1219 Anchore CVE Medium php-frontend-3.27.1.9352 0.00013 false
GHSA-xwmg-2g98-w7v9 Anchore CVE Medium nimbus-jose-jwt-9.23 N/A N/A
GHSA-mm3m-5497-xggg Anchore CVE Medium elasticsearch-7.17.15 N/A N/A
GHSA-jmp9-x22r-554x Anchore CVE High spring-core-5.3.28 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang-2.6 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.12.0 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang-2.6 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang-2.6 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang-2.6 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang-2.6 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.10 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.12.0 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang3-3.12.0 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang-2.6 N/A N/A
GHSA-j288-q9x7-2f5v Anchore CVE Medium commons-lang-2.6 N/A N/A
GHSA-h46c-h94j-95f3 Anchore CVE High jackson-core-2.14.1 N/A N/A
GHSA-h46c-h94j-95f3 Anchore CVE High jackson-core-2.14.2 N/A N/A
GHSA-fghv-69vj-qj49 Anchore CVE Low netty-codec-http-4.1.94.Final N/A N/A
GHSA-56r7-h6mw-rcfv Anchore CVE Medium elasticsearch-7.17.15 N/A N/A
GHSA-4wp7-92pw-q264 Anchore CVE Low spring-context-5.3.28 N/A N/A
GHSA-3p8m-j85q-pgmj Anchore CVE Medium netty-codec-4.1.94.Final N/A N/A
GHSA-3p8m-j85q-pgmj Anchore CVE Medium netty-codec-4.1.94.Final N/A N/A
GHSA-25qh-j22f-pwp8 Anchore CVE Medium logback-core-1.2.10 N/A N/A
GHSA-25qh-j22f-pwp8 Anchore CVE Medium logback-core-1.2.10 N/A N/A

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=sonarsource/sonarqube/sonarqube&tag=9.9.9-datacenter-app&branch=master

Tasks

Contributor:

  • Apply the StatusReview label to this issue for a merge request review and wait for feedback

OR

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue for a VAT justifications review and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Review or Verification label will be removed and the issue will be sent back to To-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Review or Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.

Edited by CHORE_TOKEN
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

UNCLASSIFIED - NO CUI