fix: upgrade sonarqube scan action to resolve security issue #154
A command injection vulnerability, identified as CVE-2025-58178, was discovered in the SonarQube Scan GitHub Action versions 4 to 5.3.0. This vulnerability allows for potential execution of arbitrary commands due to untrusted input arguments being processed without proper sanitization. These arguments, when passed to the action, were treated as shell expressions, creating an exploitable pathway.
To mitigate this vulnerability, users are strongly advised to upgrade their SonarQube Scan GitHub Action to version 5.3.1 or higher. This patched version addresses the command injection issue by properly sanitizing input arguments. If a workflow uses dynamically computed arguments, it is additionally necessary to switch to using supported syntax for expressions within GitHub Actions. Workflows referencing sonarqube-scan-action@v5 will automatically utilize the patched version, requiring no further action.
The vulnerability is documented in the EUVD (EUVD-2025-26367) and is categorized under the MITRE ATT&CK technique T1202. While the technical details are not publicly available, the vulnerability is considered easy to exploit, and the attack must be carried out locally. The fix for this vulnerability is also available as patch 016cabf33a6b7edf0733e179a03ad408ad4e88ba.
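A small audit script, added here as an example and not part of this PR or the action's own code, that applies the two checks above to a workflow file: is the step pinned to an affected release (4 through 5.3.0, with a floating `@v5` taken as patched per the text above), and does its `args` value use shell-expansion syntax instead of a GitHub Actions `${{ }}` expression. The sample workflow is constructed, and the line-oriented YAML handling is an assumption that only covers `uses:`/`args:` steps in the form shown; commit-SHA pins are reported as unclassified rather than guessed.

```python
import re
# Constructed sample workflow (not from the project): a step pinned in the affected range passing a
# shell-computed argument, and a step on a patched release passing a GitHub Actions expression instead.
SAMPLE_WORKFLOW = """\
steps:
  - uses: SonarSource/sonarqube-scan-action@v5.2.0
    with:
      args: >
        -Dsonar.projectKey=my-project
        -Dsonar.projectVersion=$(git rev-parse --short HEAD)
  - uses: SonarSource/sonarqube-scan-action@v5.3.1
    with:
      args: -Dsonar.projectVersion=${{ github.sha }}
"""
FIXED = (5, 3, 1)  # first release the advisory names as patched
USES_RE = re.compile(r"uses:\s*SonarSource/sonarqube-scan-action@(\S+)")
ARGS_RE = re.compile(r"^(\s*)args:\s*(.*)$")
SHELL_EXPANSION = re.compile(r"\$\(|`|\$\{?[A-Za-z_]")  # $(cmd), backticks, $VAR, ${VAR}; not "${{ }}"

def is_vulnerable_ref(ref):
    # True/False for a version tag inside/outside 4 .. 5.3.0; None for commit SHAs and branches.
    m = re.fullmatch(r"v?(\d{1,2})(?:\.(\d+)(?:\.(\d+))?)?", ref)
    if not m:
        return None
    if m.group(2) is None:  # floating major tag: @v5 moves to the patched release, @v4 stays on 4.x
        return m.group(1) == "4"
    return (4, 0, 0) <= tuple(int(x or 0) for x in m.groups()) < FIXED

def audit_workflow(text):
    # Returns (finding, detail) pairs for the sonarqube-scan-action steps in a workflow file.
    findings, lines, i, in_sonar = [], text.splitlines(), 0, False
    while i < len(lines):
        line, i = lines[i], i + 1
        if "uses:" in line:  # a new step starts; remember whether it is the scan action
            m = USES_RE.search(line)
            in_sonar, vuln = bool(m), m and is_vulnerable_ref(m.group(1))
            if m and vuln is not False:
                findings.append(("vulnerable-version" if vuln else "unclassified-ref", m.group(1)))
            continue
        a = ARGS_RE.match(line)
        if not (a and in_sonar):
            continue
        value = a.group(2).strip()
        if value.startswith((">", "|")):  # block scalar: join the more-indented continuation lines
            parts = []
            while i < len(lines) and len(lines[i]) - len(lines[i].lstrip()) > len(a.group(1)):
                parts.append(lines[i].strip()); i += 1
            value = " ".join(parts)
        if SHELL_EXPANSION.search(value):
            findings.append(("shell-expansion-in-args", value))
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports the first step twice (affected version and shell expansion in `args`) and the second step not at all.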
GHSA-f79p-9c5r-xg88