About the recent FBI alert

Hi all,

Back in July a security researcher published about being able to harvest closed-source code from SonarQube instances that were exposed on the internet and not secured behind authentication.

This same issue has surfaced in the news again because the FBI recently published an alert about the theft of code from SonarQube instances exposed on the internet with default settings.

Most of you will already understand that this doesn’t represent a flaw or vulnerability in SonarQube itself; it is a combination of the instance being accessible on the web and keeping the default configuration. Nonetheless, we’ll be stepping up in SonarQube 8.6 and making changes to the default configuration.

If you have any questions, please feel free to reach out.

And by the way, here’s our official response from July:

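The exposure described above is a deployment problem rather than a product bug, so the practical check on the defender's side is an audit of the instance's own configuration. The following is an added example, not SonarSource's code and not part of the original thread: a small Python script that parses a `sonar.properties` file and reports the two settings most relevant to an internet-facing instance. It assumes `sonar.forceAuthentication` (when not `true`, anonymous users can browse whatever the default "Anyone" permissions allow) and `sonar.web.host` (the listen address, defaulting to all interfaces) keep their documented meanings; the two sample files embedded below are constructed for the demonstration and are not from any real deployment.

```python
"""Audit a SonarQube sonar.properties file for the exposure discussed in this thread.

Added example; it is not SonarSource's code. The property names sonar.forceAuthentication
and sonar.web.host are assumed to have their documented meanings; the sample
file contents below are constructed, not taken from a real server.
"""
from __future__ import annotations

import re

# Constructed sample 1: the setting that forces login is left commented out,
# so the server falls back to the pre-8.6 default (anonymous browsing allowed).
SAMPLE_WEAK = """
# constructed sonar.properties, not from a real deployment
sonar.web.port=9000
#sonar.forceAuthentication=true
"""

# Constructed sample 2: login is required and the web server only listens on
# localhost (e.g. behind a reverse proxy that terminates TLS and adds its own access control).
SAMPLE_HARDENED = """
sonar.web.port=9000
sonar.forceAuthentication=true
sonar.web.host=127.0.0.1
"""

# Java-properties line: key, then '=', ':' or whitespace, then the value.
_PROP_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> dict[str, str]:
    """Parse a Java-style properties file into a dict.

    Comment lines start with '#' or '!'; blank lines are skipped. Line
    continuations and escape sequences are not needed for sonar.properties
    in practice and are not handled here.
    """
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _PROP_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit_sonar_properties(text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no issue found."""
    props = parse_properties(text)
    findings: list[str] = []

    # Finding 1: authentication is not forced, so anonymous users see whatever
    # the default 'Anyone' group permissions expose (projects and their source
    # on a default install).
    if props.get("sonar.forceAuthentication", "").strip().lower() != "true":
        findings.append(
            "sonar.forceAuthentication is not 'true': anonymous access to the web "
            "UI and API is permitted, subject to the 'Anyone' group permissions"
        )

    # Finding 2: the web server binds to every interface (the default when the
    # key is absent), which is how an instance ends up reachable from the internet
    # when the host itself has a public address.
    host = props.get("sonar.web.host", "0.0.0.0").strip()
    if host in ("0.0.0.0", "::", ""):
        findings.append(
            f"sonar.web.host is '{host or '0.0.0.0'}': the web server listens on all "
            "interfaces; bind to a loopback/private address or front it with a proxy"
        )
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        result = audit_sonar_properties(sample)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run it against a real `sonar.properties` by replacing the constructed samples with the file's contents; a clean result only means these two keys are set sensibly, it says nothing about whether the built-in `admin` account still has its default password, which has to be checked through the UI or by policy.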

As a follow-up, in 8.6 we’ve tightened up security on new instances and added a prompt to change the admin/admin password. More in the official announcement.