Sonarqube Image Affected by log4j CVE-2021-44228 (log4shell)

While performing security scans on images that support big bang, we noticed that the sonarqube image used by this add-on package is still affected by log4shell CVE-2021-44228. Another version of the same sonarqube image in ironbank was patched in January 2022, but this one has not been updated since September 2021.

Is there a plan in place to update the big bang version of the sonarqube image?

Can the general ironbank version be used in its place or are there required big-bang-specific customizations in the big bang version?

Big bang sonarqube image:

• registry1.dso.mil/ironbank/big-bang/sonarqube:8.9-community
• updated 2021-09-16
• Contains CVE-2021-44228 and related CVE-2021-45046

General ironbank sonarqube image:

• registry1.dso.mil/ironbank/sonarsource/sonarqube/sonarqube8-community:8.9-community
• updated 2022-01-22