Disable Attachment Processor from ElasticSearch

akula.vamshee · June 13, 2024, 12:00pm

Our instance of SonarQube was flagged as having an out-of-date Elasticsearch version (8.11.0) that contains security vulnerabilities. We must upgrade the Elasticsearch version (8.11.0) to (8.11.1). Due to external factors related to internal automation software, we cannot upgrade the SonarQube version now. As per the community’s response, it is impossible to upgrade Elasticsearch alone.

Looking at the community URL, there is a suggestion to disable the attachment processor in ES.

The SonarQube community confirmed that the SonarQube distribution doesn’t even include the Elasticsearch attachment processor module.

exclude '/modules/ingest-attachment/'

The question is, how can we ensure that the attachment processor is not installed in ES within Sonarqube?

I tried to look into the /elasticsearch/bin/ and /elasticsearch/plugins/ folders but could not find anything related to them. I wanted to make sure how we can check and confirm if the attachment processor is disabled/not installed in ES within my SonarQube.

dadoonet · June 13, 2024, 12:14pm

It's part of the distribution and I don't think you can uninstall it. You should try to upgrade to 8.14.1. It's compatible.

akula.vamshee · June 13, 2024, 12:34pm

Do you mean the Elasticsearch Distribution?

This page says that if we cannot upgrade the ES, then disable attachment processor.

Can you provide more details how we can achieve this using the original details in my post?

Let me know if you need more information.

leandrojmp · June 13, 2024, 12:36pm

If you cannot updgrade Elasticsearch at the moment and want to mitigate this, you should remove the attachment processor from any ingest pipelines have it.

But the main question is, are you using the attachment processor? This is not used per default, to use it you would need to create an ingest pipeline and use this processor in that pipeline, if you do not have anything like this, then you are not using it.

akula.vamshee · June 13, 2024, 1:02pm

Thanks for the details.

To give you some context, we did not explicitly install Elasticsearch for our requirement nor did we manage the config for ES. We have installed SonarQube 10.3, which includes embedded version ES 8.11.0.

Our instance of SonarQube was flagged as having an out-of-date Elasticsearch version (8.11.0) that contains security vulnerabilities. We must upgrade the Elasticsearch version (8.11.0) to (8.11.1). Due to external factors related to internal automation software, we cannot upgrade the SonarQube version at this time.

Sonarqube has confirmed that we cannot upgrade embedded ES alone. ES configuration is managed by Sonarqube and SQ has confirmed that the SonarQube distribution doesn’t even include the Elasticsearch attachment processor module.

exclude '/modules/ingest-attachment/'

So as per your previous post, in this case, the attachment processor in ES is disabled and not installed? If yes, how can I confirm that in my ES installation?

Thanks for the help!

dadoonet · June 13, 2024, 1:21pm

So as per your previous post, in this case, the attachment processor in ES is disabled and not installed?

No. It's installed by default.

If yes, how can I confirm that in my ES installation?

It's no and you can confirm that by reading the logs when the node starts. It shows all the built-in modules.

leandrojmp · June 14, 2024, 12:43pm

Not sure why they would say that, as mentioned this is installed per default, I'm not sure you can even remove it.

But as already mentioned as well, if you do not have any ingest pipeline using the attachment processor, then it is not being used.

It is not used per default for anything, the user needs to create an ingest pipeline with this processor.