SonarQube scanner action vulnerable on versions below v5.3.1

[ty2k]

FYI @ikethecoder:

Security Advisory: SonarQube Scanner GitHub Action

Usage in this repo:

I think this needs to be updated:

api-services-portal/.github/workflows/aps-cypress-e2e.yaml

Line 102 in f4a61d8

uses: sonarsource/sonarqube-scan-action@v3.1.0

I think this will automatically get the latest version:

api-services-portal/.github/workflows/ci-feat-sonar.yaml

Line 47 in f4a61d8

uses: sonarsource/sonarqube-scan-action@master

[ty2k]

The Cypress action might actually be okay based on this this new post

Hi all,

Thanks for your candid feedback, and sorry for the mystery. We’ve begun the process to file the CVE, and will report back as soon as we have a number. Unfortunately, we won’t be able to share anything more until we have that.

In the meantime - and without prematurely releasing sensitive details so that everyone has an opportunity to do the update - we can say we believe this is “high” severity. Versions since v4.0.0 are impacted.

(And we’ll be taking the learnings from this on board in our retrospective. They’ll definitely impact our operations going forward.)

Ann