Comments (6)
Yes, it's a transitive dependency of SpotBugs so the plugin bundles it.
When the plugin is executed (on the server or on the analyzer), sonar unpacks the dependencies.
This should be solved once the plugin upgrades to SpotBugs 4.7.3 and is released, I'm planning to do that soon.
from sonar-findbugs.
Here's how it works:
- Someone installed the plugin on your sonarqube server, probably from the marketplace
- When someone runs the sonarscanner it downloads the plugin from your server
- Sonarscanner unpacks the plugin (and its bundled dependencies) locally in a temporary folder to execute it during the analysis
It's hard to say whether SpotBugs uses StringSubstitutor but if you're concerned the safest thing is probably to upgrade.
I've just released version 4.2.2 of the plugin, it uses SpotBugs 4.7.3 which is on commons-text 1.10.0.
Once it is approved by sonarsource you (or someone with admin rights on your sonarqube server) should be able to upgrade from the "Administration" / "Marketplace" page of the sonarqube server.
Then on the next analysis the scanner will pick up that updated version from your server.
from sonar-findbugs.
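An added check, not code from this thread or from the sonar-findbugs project, that inspects a plugin jar for the bundled commons-text version the maintainer describes above. It assumes SonarQube plugins nest their dependencies as jars under META-INF/lib/ and uses 1.10.0 (the version the fixed release ships) as the threshold; the sample jar it builds is constructed in memory.

```python
import io
import re
import zipfile

# Threshold taken from the thread: SpotBugs 4.7.3 brings commons-text 1.10.0.
SAFE_COMMONS_TEXT = (1, 10, 0)

def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def bundled_commons_text_versions(plugin_jar_bytes):
    """Map each nested commons-text jar (assumed under META-INF/lib/) to its version."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(plugin_jar_bytes)) as plugin:
        for name in plugin.namelist():
            base = name.rsplit("/", 1)[-1]
            if not (base.startswith("commons-text") and base.endswith(".jar")):
                continue
            version = None
            # Prefer the nested jar's manifest; fall back to the version in its file name.
            with zipfile.ZipFile(io.BytesIO(plugin.read(name))) as nested:
                if "META-INF/MANIFEST.MF" in nested.namelist():
                    manifest = nested.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                    if m:
                        version = parse_version(m.group(1))
            if version is None:
                m = re.search(r"commons-text-(\d+(?:\.\d+)*)", base)
                version = parse_version(m.group(1)) if m else ()
            found[name] = version
    return found

def needs_upgrade(plugin_jar_bytes):
    """True if any bundled commons-text is older than the one the fixed release ships."""
    return any(v < SAFE_COMMONS_TEXT for v in bundled_commons_text_versions(plugin_jar_bytes).values())

def build_sample_plugin(commons_text_version):
    """Constructed sample: an in-memory plugin jar nesting one commons-text jar (not a real plugin)."""
    nested, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(nested, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {commons_text_version}\n")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(f"META-INF/lib/commons-text-{commons_text_version}.jar", nested.getvalue())
        z.writestr("META-INF/lib/some-other-dep.jar", b"")  # unrelated entry, skipped by the scan
    return outer.getvalue()
```

To check a real plugin, read the jar from your server's plugin directory and pass its bytes to needs_upgrade(); build_sample_plugin() exists only so the block runs offline.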
Version 4.2.2 is available from the marketplace so you should be able to update.
from sonar-findbugs.
Hi @gtoison
Thank you for your quick reply.
Sorry, I still don't have clarity :(
So is this related to the sonar-findbugs plugin in the sonarqube server, not the sonarscanner?
I'm using sonarqube 8.8 and when I looked in the sonarqube server extensions in path /opt/sonarqube/lib/common, I couldn't find the sonar-findbugs jar file there. Do you know which jar file it is?
Does SpotBugs use the StringSubstitutor module of commons-text?
When the SpotBugs 4.7.3 plugin is released do we have to do anything on the sonarqube server or sonarscanner?
Thanks
from sonar-findbugs.
Thank you for the details and updated version. :)
from sonar-findbugs.
I'll close this now since the new release no longer bundles the vulnerable commons-text version.
from sonar-findbugs.