
Comments (6)

gtoison commented on July 17, 2024

Yes, it's a transitive dependency of SpotBugs so the plugin bundles it.
When the plugin is executed (on the server or on the analyzer), sonar unpacks the dependencies
This should be solved once the plugin upgrades to SpotBugs 4.7.3 and is released, I'm planning to do that soon

from sonar-findbugs.

gtoison commented on July 17, 2024

Here's how it works:

  • Someone installed the plugin on your sonarqube server, probably from the marketplace
  • When someone runs the sonarscanner it downloads the plugin from your server
  • Sonarscanner unpacks the plugin (and its bundled dependencies) locally in a temporary folder to execute it during the analysis

It's hard to say whether SpotBugs uses StringSubstitutor but if you're concerned the safest thing is probably to upgrade.

I've just released version 4.2.2 of the plugin, it uses SpotBugs 4.7.3 which is on commons-text 1.10.0
Once it is approved by sonarsource you (or someone with admin rights on your sonarqube server) should be able to upgrade from the "Administration" / "Marketplace" page of the sonarqube server
Then on the next analysis the scanner will pick up that updated version from your server

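The comment above explains that the same plugin jar, with its bundled dependencies, ends up both on the server and in every scanner's temporary folder. The script below is an added example, not code from the sonar-findbugs project, for locating commons-text jars nested inside plugin jars and comparing them against the 1.10.0 release named in the thread. It assumes Maven's standard `META-INF/maven/<groupId>/<artifactId>/pom.properties` layout inside the dependency jar and falls back to the file name; the directories it is meant to be pointed at (`extensions/plugins` under the SonarQube install, `~/.sonar/cache` on scanner hosts) are assumptions and not stated in the thread. With no argument it runs against a constructed sample jar.

```python
"""Find Apache commons-text jars bundled inside plugin jars and report the version.

Added example, not part of the sonar-findbugs project. Assumed (not from the thread):
server plugins live under <sonarqube>/extensions/plugins, scanner copies under
~/.sonar/cache. The fixed version, 1.10.0, is the one named in the thread.
"""
import io
import re
import sys
import zipfile
from pathlib import Path

FIXED = (1, 10, 0)  # commons-text release the thread says the upgraded plugin ships
NAME_RE = re.compile(r"(?:^|/)commons-text-(\d+)\.(\d+)\.(\d+)(?:[-.][\w.]*)?\.jar$")
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"


def version_from_pom_properties(zf):
    """Read the version Maven stamped into the jar; None if the file is absent."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            m = re.match(r"(\d+)\.(\d+)\.(\d+)", value.strip())
            if m:
                return tuple(int(x) for x in m.groups())
    return None


def find_commons_text(data, origin, depth=0):
    """Return [(location, version)] for every commons-text jar at or inside `data`.

    Plugins bundle dependencies as nested jars, so nested *.jar entries are scanned
    too; depth is capped so a pathological archive cannot recurse forever.
    """
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a jar (or an empty placeholder): nothing to inspect
    with zf:
        ver = version_from_pom_properties(zf)
        if ver is not None:
            found.append((origin, ver))
        else:
            m = NAME_RE.search(origin)
            if m:  # renamed or stripped jar: fall back to the version in its name
                found.append((origin, tuple(int(x) for x in m.groups())))
        if depth >= 2:
            return found
        for name in zf.namelist():
            if name.endswith(".jar"):
                found.extend(find_commons_text(zf.read(name), f"{origin}!{name}", depth + 1))
    return found


def assess(findings):
    """Mark each finding as vulnerable when it is older than the fixed release."""
    return [{"location": loc, "version": ".".join(map(str, v)), "vulnerable": v < FIXED}
            for loc, v in findings]


def scan_tree(root):
    """Scan every *.jar below root (plugin directory or scanner cache)."""
    findings = []
    for jar in Path(root).rglob("*.jar"):
        findings.extend(find_commons_text(jar.read_bytes(), str(jar)))
    return assess(findings)


def build_sample_plugin_jar(commons_text_version="1.9.0"):
    """Constructed fixture: a fake plugin jar bundling a fake commons-text jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.commons\nartifactId=commons-text\n"
                    f"version={commons_text_version}\n")
        zf.writestr("org/apache/commons/text/StringSubstitutor.class", b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"META-INF/lib/commons-text-{commons_text_version}.jar", inner.getvalue())
        zf.writestr("META-INF/lib/commons-lang3-3.12.0.jar", b"")  # not a zip: skipped
    return outer.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = assess(find_commons_text(build_sample_plugin_jar(), "sample-plugin.jar"))
    for r in results:
        flag = "VULNERABLE" if r["vulnerable"] else "ok"
        print(f"{flag:10} commons-text {r['version']} at {r['location']}")
    sys.exit(1 if any(r["vulnerable"] for r in results) else 0)
```

Run it once against the server's plugin directory and once against the scanner cache on a build agent: both copies come from the same plugin jar, but a scanner keeps its extracted copy until it downloads the updated plugin on the next analysis, so the server being clean does not by itself prove the agents are.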

gtoison commented on July 17, 2024

Version 4.2.2 is available from the marketplace so you should be able to update


thinksabin commented on July 17, 2024

Hi @gtoison
Thank you for your quick reply.
Sorry, I still don't have clarity :(
So is this related to the sonar-findbug plugin in the sonarqube server, not the sonarscanner?
I'm using sonarqube 8.8 and when I looked in the sonarqube server extensions in path /opt/sonarqube/lib/common, I couldn't find the sonar-findbugs jar file there. Do you know which jar file it is?

Does SpotBugs use the StringSubstitutor module of commons-text?

When the SpotBugs 4.7.3 plugin is released do we have to do anything on the sonarqube server or sonarscanner?

Thanks


thinksabin commented on July 17, 2024

Thank you for the details and updated version. :)


gtoison commented on July 17, 2024

I'll close this now since the new release no longer bundles the vulnerable commons-text version.
