Hi,
We have been running SonarCloud as part of our CI/CD for a while now. Our pipeline is realized using github actions, running on Azure VMs added to our github org as self-hosted github runners. SonarCloud is invoked as part of the maven build step using the sonar-maven-plugin.
The VMs acting as build servers have a strict firewall for outgoing traffic and recently two new domains have popped up in the firewall blocked traffic log:
ea6ne4j2sb.execute-api.eu-central-1.amazonaws.comsc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com
I’m suspecting that these are related to sonarcloud since I’m seeing terminated connections in the build log:
07:48:18 GMT [INFO] ------------- Run sensors on module eksplosiv-org-api
07:48:18 GMT [INFO] Load metrics repository
07:48:18 GMT [INFO] Load metrics repository (done) | time=133ms
07:48:18 GMT [INFO] Sensor cache enabled
07:48:18 GMT [INFO] Load sensor cache
07:48:20 GMT [javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake, javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake, javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake]
07:48:20 GMT Warning: Failed to prepare download of the sensor cache
Now, it’s not a problem for us to add a firewall rule to allow this traffic, but only if we know these domains can be trusted. Thus I’m writing here hoping that someone affiliated with Sonar can confirm that these domains are in fact used by SonarCloud.
And also, if anyone could point me in a direction for a complete list of domains/URLs/internet resources that SonarCloud requires access to when invoked by the sonar-maven-plugin.
