From f57318d8cc7f886887fe864fc79c487e7f7143c6 Mon Sep 17 00:00:00 2001
From: Catherine Redfield
Date: Thu, 13 Nov 2025 14:14:36 -0500
Subject: [PATCH] doc(sonarqube): GHSA-m494-w24q-6f7w

False positive due to mssql-jdbc versioning structure similar to https://github.com/wolfi-dev/advisories/pull/25255
Relates: https://github.com/chainguard-dev/CVE-Dashboard/issues/35920
---
 sonarqube.advisories.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sonarqube.advisories.yaml b/sonarqube.advisories.yaml
index 42ee169702..30adbaabe2 100644
--- a/sonarqube.advisories.yaml
+++ b/sonarqube.advisories.yaml
@@ -441,6 +441,13 @@ advisories:
 componentType: java-archive
 componentLocation: /usr/share/sonarqube/lib/jdbc/mssql/mssql-jdbc-13.2.1.jre11.jar
 scanner: grype
+ - timestamp: 2025-11-13T19:06:29Z
+ type: false-positive-determination
+ data:
+ type: vulnerable-code-not-included-in-package
+ note: |
+ The affected component's suffix is non-standard for Maven parsing. It supports "." as a delimiter, but treats jre11 as an unknown qualifier that sorts after known ones (alpha, beta, rc, ga, etc.), which breaks version matching. This vulnerability was resolved in v25.11.0.114957 of sonarqube[1].
+ [1]https://github.com/SonarSource/sonarqube/commit/ad603468b3af8284156d532eae7d099464189728
 - id: CGA-qm35-phph-2vmr
 aliases: