We have been running SonarCloud as part of our CI/CD for a while now. Our pipeline is realized using GitHub Actions, running on Azure VMs added to our GitHub org as self-hosted GitHub runners. SonarCloud is invoked as part of the Maven build step using the sonar-maven-plugin.
The VMs acting as build servers have a strict firewall for outgoing traffic and recently two new domains have popped up in the firewall blocked traffic log:
I’m suspecting that these are related to SonarCloud since I’m seeing terminated connections in the build log:
07:48:18 GMT [INFO] ------------- Run sensors on module eksplosiv-org-api
07:48:18 GMT [INFO] Load metrics repository
07:48:18 GMT [INFO] Load metrics repository (done) | time=133ms
07:48:18 GMT [INFO] Sensor cache enabled
07:48:18 GMT [INFO] Load sensor cache
07:48:20 GMT [javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake, javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake, javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake]
07:48:20 GMT Warning: Failed to prepare download of the sensor cache
Now, it’s not a problem for us to add a firewall rule to allow this traffic, but only if we know these domains can be trusted. Thus I’m writing here hoping that someone affiliated with Sonar can confirm that these domains are in fact used by SonarCloud.
And also, if anyone could point me in a direction for a complete list of domains/URLs/internet resources that SonarCloud requires access to when invoked by the sonar-maven-plugin.