Hi everyone, I currently have SonarQube version 7.9.2 LTS deployed as part of my infrastructure.
The security area raised an observation regarding the error pages that Tomcat returns when a non-existent address is entered in the client browser, for example https://sonarweb.domain/invalida_path
This error page shows "Apache Tomcat / version".
This type of information should not be displayed; alternatively, error pages of this type should be customized.
Colin, May 9, 2020, 9:24am
Hey there.
SonarQube is open source – anybody who wants to know the version of Tomcat can just check the source code:

```groovy
dependency 'org.apache.commons:commons-dbcp2:2.7.0'
dependency('org.apache.httpcomponents:httpclient:4.5.12') {
    exclude 'commons-logging:commons-logging'
}
// Be aware that Log4j is used by Elasticsearch client
dependencySet(group: 'org.apache.logging.log4j', version: '2.8.2') {
    entry 'log4j-api'
    entry 'log4j-to-slf4j'
    entry 'log4j-core'
}
dependencySet(group: 'org.apache.tomcat.embed', version: '8.5.53') {
    entry 'tomcat-embed-core'
    entry('tomcat-embed-jasper') {
        exclude 'org.eclipse.jdt.core.compiler:ecj'
    }
}
dependency 'org.assertj:assertj-core:3.15.0'
dependency 'org.assertj:assertj-guava:3.3.0'
dependency('org.codehaus.sonar:sonar-channel:4.1') {
    exclude 'org.slf4j:slf4j-api'
}
```
With that in mind, does that still represent an issue?
If it really does, I think your reverse proxy setup can direct to a custom 404 page.
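One way to do what Colin suggests, as an added example that is not part of the thread: an nginx reverse proxy in front of SonarQube that intercepts the embedded Tomcat's error responses and serves its own static pages. It assumes SonarQube listens on 127.0.0.1:9000 (its default port), that the certificate paths and /var/www/errors pages are yours, and reuses the hostname from the question.

```nginx
# Added example, not SonarQube's own configuration.
server {
    listen 443 ssl;
    server_name sonarweb.domain;                      # hostname from the question

    ssl_certificate     /etc/ssl/sonar/fullchain.pem; # placeholder paths
    ssl_certificate_key /etc/ssl/sonar/privkey.pem;

    # Do not advertise the nginx version in its own headers/error pages either.
    server_tokens off;

    # Map error statuses to static pages served by nginx itself.
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;

    location = /404.html {
        root /var/www/errors;
        internal;   # reachable only through error_page, not by direct request
    }
    location = /50x.html {
        root /var/www/errors;
        internal;
    }

    location / {
        proxy_pass http://127.0.0.1:9000;             # assumed SonarQube address
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Key setting: upstream responses whose status has an error_page above
        # are intercepted and replaced, so Tomcat's "Apache Tomcat/x.y.z" body
        # never reaches the browser. Statuses without an error_page (e.g. the
        # 302 redirects SonarQube uses for login) pass through unchanged.
        proxy_intercept_errors on;

        # Also drop any Server header the upstream adds.
        proxy_hide_header Server;
    }
}
```

Note that intercepting 404 also replaces JSON 404 responses from SonarQube's web API with the HTML page, which can confuse scanners or scripts that inspect the body; if that matters, proxy the API path in a separate location block without proxy_intercept_errors. After `nginx -t` and a reload, requesting a non-existent path should return only your static page.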