
ci: bump sonarqube-scan-action to v6 (CVE-2025-59844)#1267

Merged: mathuo merged 1 commit into master from ci/pin-sonar-action on May 12, 2026

Conversation

@mathuo (Owner) commented May 12, 2026

Summary

  • Bumps sonarsource/sonarqube-scan-action from @v5 to @v6 in main.yml.
  • Fixes CVE-2025-59844 / GHSA-5xq9-5g24-4g6f — argument injection in the action. Vulnerable range >= 4.0.0, < 6.0.0, fixed in 6.0.0 (Sep 2025).
  • This is the only runtime-scope high-severity Dependabot alert against this repo.

Exploitability against this workflow

Bounded but worth fixing on principle:

  • The CVE specifically calls out Windows runners passing user-controlled input into the args: parameter; we run ubuntu-latest and don't set args:.
  • Still, "clear runtime-scope high-severity alerts" is the right baseline policy.

Breaking change check

v6.0.0 rewrote the action from Bash to JS and changes how args: is parsed. We don't set args:, so no migration is required. All env: (GITHUB_TOKEN, SONAR_TOKEN) and if: behavior is unchanged.

Test plan

  • sonar job runs successfully on this PR.
  • SonarCloud results appear on the PR as before.

🤖 Generated with Claude Code

GHSA-5xq9-5g24-4g6f: argument injection in
SonarSource/sonarqube-scan-action versions >= 4.0.0, < 6.0.0. Fixed in
6.0.0 (Sep 2025). We were pinned to @v5.

Practical exploitability against this workflow is bounded — we run on
ubuntu-latest (the CVE specifically calls out Windows runners) and do
not pass an `args:` input — but bumping to v6 is the cleanest way to
clear the Dependabot alert and is the only high-severity runtime-scope
finding on master.

v6.0.0 rewrote the action from Bash to JS, which changes how `args:` is
parsed. We don't set `args:`, so no migration is required for our usage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
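The PR boils the risk down to two facts about the workflow: which tag of `sonarsource/sonarqube-scan-action` is pinned, and whether the step sets `args:`. The script below is an added audit example (not code from this repository or from SonarSource) that checks both across a workflow file without PyYAML: it splits each `steps:` list by indentation, reports the pin as `vulnerable` when the tag falls in the affected range (>= 4.0.0, < 6.0.0), `fixed` otherwise, and `unknown` for SHA or branch pins that have to be mapped to a release by hand. The three embedded workflows are constructed stand-ins for the before/after state of `main.yml`, not the repository's actual file; the `actions/checkout` step and the `args:` value in the third sample are assumptions. It does not check `runs-on`, so a flagged pin should be treated as vulnerable regardless of runner OS, as the PR itself does.

```python
"""Audit a GitHub Actions workflow for the sonarqube-scan-action pin affected by
GHSA-5xq9-5g24-4g6f / CVE-2025-59844 (affected: >= 4.0.0, < 6.0.0; fixed in 6.0.0).

Added example; the embedded workflows are constructed stand-ins, not the repo's main.yml.
"""
import re

ACTION = "sonarsource/sonarqube-scan-action"   # compared case-insensitively
AFFECTED_MIN = (4, 0, 0)
FIXED_IN = (6, 0, 0)

# Constructed "before" state: floating @v5 major tag, inside the affected range.
WORKFLOW_BEFORE = """\
name: CI
on: [push, pull_request]
jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: sonarsource/sonarqube-scan-action@v5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
"""

# Constructed "after" state: the same job pinned to the fixed major.
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace("sonarqube-scan-action@v5", "sonarqube-scan-action@v6")

# Constructed risky variant (hypothetical): affected pin AND an args: value built from workflow input.
WORKFLOW_WITH_ARGS = WORKFLOW_BEFORE + """\
        with:
          args: -Dsonar.projectVersion=${{ github.event.inputs.version }}
"""


def split_steps(text):
    """Group the lines of each `steps:` list into per-step line lists (indentation-based, no PyYAML)."""
    steps, current, step_indent, in_steps = [], None, None, False
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if not in_steps:
            in_steps = stripped == "steps:"
            step_indent = None
            continue
        if step_indent is None:
            if not stripped.startswith("- "):
                continue
            step_indent = indent          # indentation of the first list item defines a step
        if indent < step_indent:          # dedented past the list: this steps block is over
            in_steps = False
            if current:
                steps.append(current)
            current = None
            continue
        if indent == step_indent and stripped.startswith("- "):
            if current:
                steps.append(current)
            current = [line]
        elif current is not None:
            current.append(line)
    if current:
        steps.append(current)
    return steps


def parse_version(ref):
    """(major, minor, patch) for tags like v5 or v5.2.0; None for SHAs/branches (resolve those manually).

    A floating major tag such as v5 resolves to the newest 5.x.y, which is still < 6.0.0,
    so treating it as 5.0.0 yields the right verdict for this advisory's range.
    """
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", ref)
    if not m:
        return None
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def audit(text):
    """Return one finding per step that uses the action: pin, status, and whether args: is set."""
    findings = []
    for step in split_steps(text):
        uses, sets_args = None, False
        for line in step:
            m = re.match(r"^\s*-?\s*uses:\s*(\S+)", line)
            if m:
                uses = m.group(1).strip("'\"")
            if re.match(r"^\s*args:", line):
                sets_args = True
        if not uses:
            continue
        repo, _, ref = uses.partition("@")
        if repo.lower() != ACTION:
            continue
        version = parse_version(ref)
        if version is None:
            status = "unknown"            # SHA/branch pin: map it to a release before deciding
        elif AFFECTED_MIN <= version < FIXED_IN:
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append({"uses": uses, "status": status, "sets_args": sets_args})
    return findings


def report(text):
    """Human-readable lines for a workflow; an args: value on an affected pin gets an extra review hint."""
    lines = []
    for f in audit(text):
        note = "  <- args: is set; review it for user-controlled input" if f["status"] == "vulnerable" and f["sets_args"] else ""
        lines.append(f"{f['uses']}: {f['status']}{note}")
    return lines or ["no sonarqube-scan-action step found"]


if __name__ == "__main__":
    for label, wf in [("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER), ("with args", WORKFLOW_WITH_ARGS)]:
        print(f"[{label}]")
        for line in report(wf):
            print("  " + line)
```

Pointed at real files (`audit(open(".github/workflows/main.yml").read())`), the `vulnerable` verdict reproduces the Dependabot alert this PR clears, and the `unknown` verdict is the reminder that a commit-SHA pin still has to be mapped to a release at or above 6.0.0 before the alert can be considered closed.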

@mathuo mathuo merged commit 5eb1346 into master May 12, 2026
9 checks passed
