Hello SonarQube Community,
I’ve been using SonarQube 10.6 for a while and successfully importing vulnerabilities from external scanners (e.g., Trivy) via the “generic issue import” format. In doing so, I relied on inline CSS styles within the HTML description tags to improve readability—especially for showing CWE/CVE badges, CVSS score badges, and styled tables.
However, after upgrading to SonarQube 10.8 (Community Build 24.12.0.100206), all my styling has disappeared. I’ve noticed that any style="…" attributes in the HTML markup are being stripped out. This leads me to suspect there may be new or stricter sanitization rules or security measures in place for the “description” field.
What I Used to Do
In SonarQube 10.6, I had a JavaScript converter that took a Trivy report (JSON) and turned it into SonarQube generic issues. Here’s an excerpt from my script:
```javascript
// ...
// Builds one badge link per CWE identifier; the badge look comes entirely
// from the inline style attribute, which is what 10.8 now strips.
function createCweBadges(cweIds) {
  return cweIds.map(cweId => {
    const cweNumber = cweId.replace('CWE-', '');
    return `
      <a href="https://cwe.mitre.org/data/definitions/${cweNumber}.html"
         target="_blank"
         rel="noopener noreferrer"
         style="
           display: inline-block;
           padding: 4px 8px;
           border-radius: 3px;
           color: #0052CC;
           background-color: #DEEBFF;
           border: 1px solid #0052CC;
           font-weight: 500;
           margin: 0 4px 16px 0;
           text-decoration: none;">
        ${cweId}
      </a>
    `;
  }).join('');
}
// ...
```
You can check the whole script here.
…and similarly for CVE and CVSS badges, tables, etc. When these descriptions were imported into SonarQube 10.6, the styling rendered perfectly. Under 10.8, all these styles vanish, apparently stripped out of the final HTML.
Screenshots of how it was and how it is now:
Before (10.6)
After (24.12.**)
Questions
- Were there changes introduced in 24.12.0.100206 that sanitize or remove inline CSS attributes from imported generic issues?
- Is there a configuration setting (for instance, in sonar.properties or in the UI) that can restore or relax the sanitization to keep certain inline styles?
- Are there recommended workarounds for preserving at least some color-coding or stylized badges, such as using Markdown or a subset of allowed HTML tags?
I’d really appreciate any pointers or official documentation references regarding HTML sanitization in SonarQube’s generic issue descriptions. My goal is to keep the same level of readability as before without compromising security. Thank you in advance for your help!
- Community Build
- v24.12.0.100206
- Docker
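As an added example (not the poster's script and not SonarQube's own code), here is a Trivy-to-generic-issue converter that keeps rule descriptions free of inline style attributes and relies on structural tags only, so there is nothing for a sanitizer to strip; the Trivy report is constructed, the severity mapping is my own, the assumption that plain tags such as `<p>`, `<strong>` and `<a>` survive the sanitizer is mine, and the field names follow the rules-plus-issues form of the generic issue format.

```javascript
// Constructed sample of a Trivy JSON report (not a real scan; placeholder IDs).
const trivyReport = {
  Results: [{
    Target: "package-lock.json",
    Vulnerabilities: [{
      VulnerabilityID: "CVE-0000-0001", PkgName: "example-lib",
      InstalledVersion: "1.0.0", FixedVersion: "1.0.1", Severity: "HIGH",
      Title: "Example finding", CweIDs: ["CWE-79"], CVSS: { nvd: { V3Score: 7.5 } },
    }],
  }],
};

// Escape scanner-supplied text so it cannot introduce markup of its own.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// CWE links built from structural tags only: no style attribute to lose.
function createCweLinks(cweIds) {
  return cweIds.map(id => {
    const n = encodeURIComponent(id.replace("CWE-", ""));
    return `<a href="https://cwe.mitre.org/data/definitions/${n}.html" ` +
      `target="_blank" rel="noopener noreferrer"><strong>${escapeHtml(id)}</strong></a>`;
  }).join(" ");
}

// Assumed mapping from Trivy severities to generic-issue impact severities.
const IMPACT = { CRITICAL: "HIGH", HIGH: "HIGH", MEDIUM: "MEDIUM", LOW: "LOW" };

// Build the rules + issues form of the generic issue report.
function toSonarReport(report) {
  const rules = [], issues = [];
  for (const res of report.Results ?? []) {
    for (const v of res.Vulnerabilities ?? []) {
      const score = v.CVSS?.nvd?.V3Score;
      const fixed = v.FixedVersion ? `, fixed in ${escapeHtml(v.FixedVersion)}` : "";
      rules.push({
        id: v.VulnerabilityID, name: v.Title ?? v.VulnerabilityID, engineId: "trivy",
        cleanCodeAttribute: "TRUSTWORTHY",
        impacts: [{ softwareQuality: "SECURITY", severity: IMPACT[v.Severity] ?? "LOW" }],
        description: `<p><strong>${escapeHtml(v.VulnerabilityID)}</strong>` +
          (score !== undefined ? ` (CVSS ${escapeHtml(score)})` : "") +
          ` in ${escapeHtml(v.PkgName)} ${escapeHtml(v.InstalledVersion)}${fixed}</p>` +
          `<p>CWE: ${createCweLinks(v.CweIDs ?? [])}</p>`,
      });
      issues.push({ ruleId: v.VulnerabilityID, primaryLocation: { message: `${v.VulnerabilityID} in ${v.PkgName}`, filePath: res.Target } });
    }
  }
  return { rules, issues };
}
```

Write `JSON.stringify(toSonarReport(trivyReport))` to a file and point `sonar.externalIssuesReportPaths` at it; the description then renders with emphasis and links but no colored badges.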