Information:
- SonarQube 8.8 EE
Hi,
I have the following problem: via the “All Remaining Projects” selection mode, I can create a portfolio that contains all the projects of the SonarQube server, even the private ones on which I have no permission.
Is this normal behavior?
I was expecting that the remaining projects were at least only the projects which are public or the private ones on which I have at least the “Browse Permission”.
It sounds to me like a breach of security to give anyone the ability to have access, even just to the global indicators, to projects via portfolios that they cannot normally access.
On our SonarQube instance, we have turned down the “Create Portfolio” global permission that we gave to all the users.
Thanks in advance for your answers.