Apply mitigation for CVE-2021-44228

Mitigation documented here; https://logging.apache.org/log4j/2.x/security.html

Signed-off-by: Wade Barnes <[email protected]>

Dockerfile

@@ -3,7 +3,7 @@ FROM sonarqube:8-community
 MAINTAINER Erik Jacobs <[email protected]>
 MAINTAINER Siamak Sadeghianfar <[email protected]>
 MAINTAINER Roland Stens ([email protected])
-MAINTAINER Wade Barnes (wade.barnes@shaw.ca)
+MAINTAINER Wade Barnes (wade@neoterictech.ca)
 MAINTAINER Emiliano Sune ([email protected])
 MAINTAINER Alejandro Sanchez ([email protected])
 
@@ -21,6 +21,14 @@ LABEL summary="$SUMMARY" \
 # Define Plug-in Versions
 ARG SONAR_ZAP_PLUGIN_VERSION=1.2.0
 ENV SONARQUBE_PLUGIN_DIR="$SONARQUBE_HOME/extensions/plugins"
+# ===============================================================================================
+# Mitigation for CVE-2021-44228
+#
+# References:
+#   - https://logging.apache.org/log4j/2.x/security.html
+# -----------------------------------------------------------------------------------------------
+ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
+# ===============================================================================================
 
 # Switch to root for package installs
 USER 0

sonarqube-postgresql-template.yaml

@@ -200,6 +200,8 @@ objects:
                   value: sonar
                 - name: SONAR_FORCEAUTHENTICATION
                   value: "true"
+                - name: LOG4J_FORMAT_MSG_NO_LOOKUPS
+                  value: "true"
               volumeMounts:
                 - mountPath: /opt/sonarqube/data
                   name: sonar-data