Disable Attachment Processor from ElasticSearch

Elastic Stack Elasticsearch
1

Our instance of SonarQube was flagged as having an out-of-date Elasticsearch version (8.11.0) that contains security vulnerabilities. We must upgrade the Elasticsearch version (8.11.0) to (8.11.1). Due to external factors related to internal automation software, we cannot upgrade the SonarQube version now. As per the community’s response, it is impossible to upgrade Elasticsearch alone.

Looking at the community URL, there is a suggestion to disable the attachment processor in ES.

The SonarQube community confirmed that the SonarQube distribution doesn’t even include the Elasticsearch attachment processor module.

exclude '/modules/ingest-attachment/'

The question is, how can we ensure that the attachment processor is not installed in ES within Sonarqube?

I tried to look into the /elasticsearch/bin/ and /elasticsearch/plugins/ folders but could not find anything related to them. I wanted to make sure how we can check and confirm if the attachment processor is disabled/not installed in ES within my SonarQube.

2

It's part of the distribution and I don't think you can uninstall it. You should try to upgrade to 8.14.1. It's compatible.

3

Do you mean the Elasticsearch Distribution?

This page says that if we cannot upgrade the ES, then disable attachment processor.

Can you provide more details how we can achieve this using the original details in my post?

Let me know if you need more information.

4

If you cannot updgrade Elasticsearch at the moment and want to mitigate this, you should remove the attachment processor from any ingest pipelines have it.

But the main question is, are you using the attachment processor? This is not used per default, to use it you would need to create an ingest pipeline and use this processor in that pipeline, if you do not have anything like this, then you are not using it.

1 Like
5

Thanks for the details.

To give you some context, we did not explicitly install Elasticsearch for our requirement nor did we manage the config for ES. We have installed SonarQube 10.3, which includes embedded version ES 8.11.0.

Our instance of SonarQube was flagged as having an out-of-date Elasticsearch version (8.11.0) that contains security vulnerabilities. We must upgrade the Elasticsearch version (8.11.0) to (8.11.1). Due to external factors related to internal automation software, we cannot upgrade the SonarQube version at this time.

Sonarqube has confirmed that we cannot upgrade embedded ES alone. ES configuration is managed by Sonarqube and SQ has confirmed that the SonarQube distribution doesn’t even include the Elasticsearch attachment processor module.

exclude '/modules/ingest-attachment/'

So as per your previous post, in this case, the attachment processor in ES is disabled and not installed? If yes, how can I confirm that in my ES installation?

Thanks for the help!

6

So as per your previous post, in this case, the attachment processor in ES is disabled and not installed?

No. It's installed by default.

If yes, how can I confirm that in my ES installation?

It's no and you can confirm that by reading the logs when the node starts. It shows all the built-in modules.

8

Not sure why they would say that, as mentioned this is installed per default, I'm not sure you can even remove it.

But as already mentioned as well, if you do not have any ingest pipeline using the attachment processor, then it is not being used.

It is not used per default for anything, the user needs to create an ingest pipeline with this processor.