Back in July a security researcher published a post about being able to harvest closed-source code from SonarQube instances that were exposed on the internet and not secured behind authentication.
This same issue has surfaced in the news again because the FBI recently published an alert about the theft of code from SonarQube instances exposed on the internet with default settings.
Most of you will already understand that this doesn’t represent a flaw or vulnerability in SonarQube itself; it is a combination of the instance being accessible on the web and keeping the default configuration. Nonetheless, we’ll be stepping up in SonarQube 8.6 and making changes to the default configuration.
If you have any questions, please feel free to reach out.