Enable CORS configuration to get badges functionality

Probably since SONAR-21780 (Add Cross-Origin related HTTP security headers · SonarSource/sonarqube@4f2cb04 · GitHub), our badges integration in our GitLab instance fails with a CORS error like:

“Resource at URL « https://sonar.example.com/api/project_badges/measure?project=myproject&metric=alert_status&token=0123456789abcdef » was blocked due to a Cross-Origin-Resource-Policy header”

Is there a way to allow a specific host to get the badges functionality back?

  • SonarQube Enterprise Edition v10.5.1 (90531)
  • SonarQube deployed with Helm


Hey there.

We’ll fix this issue in SonarQube v10.6, currently scheduled for mid/late June.

SONAR-22149

1 Like

I went to issue SONAR-22149 and saw that it solves exactly this problem, but it said it would go into version 10.6 and it didn’t. Now it’s saying it will go into version 10.7 and closed the issue, but I haven’t seen the commit on GitHub yet…

Check the Link: Commit search results · GitHub

I was waiting for the fix in 10.6 too, but it is sad to see it apparently got scoped out of it.

It appears it is not fixed in 10.7 yet:

[![Quality Gate Status](https://next.sonarqube.com/sonarqube/api/project_badges/measure?project=sonarqube&metric=alert_status&token=d95182127dd5583f57578d769b511660601a8547)](https://next.sonarqube.com/sonarqube/dashboard?id=sonarqube)

This currently results in a broken badge:
Quality Gate Status

Curiously, the badge works with the exact same Markdown in the SonarQube GitHub README: sonarqube/README.md at master · SonarSource/sonarqube · GitHub. Maybe GitHub has some additional workarounds built on top of it? There the badge image originates from githubusercontent.com, not from next.sonarqube.com.

Hey all.

Yes, unfortunately the ticket was bumped to our next release (v10.7), but we intend to handle it early on in the development cycle so that we don’t risk another delay. Thanks for your patience.

I am serving SonarQube in Kubernetes. I had this issue and solved it with nginx. Basically, I am routing the network via an nginx deployment to the application. I think this setting should be configurable.
Here is my nginx configuration file:

server {
    listen 443;

    location / {
        proxy_pass https://1.1.1.1:1111; # you can use a domain or IP address here
        # Pass the original host and client details to the upstream
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Cross-Origin-Resource-Policy header set at the proxy
        add_header Cross-Origin-Resource-Policy same-origin;
    }
}

I hope it helps for now.

Hi,

I get the happy task of following up to say that our internal demo today included sharing that the CORS policy has been dropped & the change checked in for 10.7! I’m sorry it’s taken so long.

 
:tada:
Ann

2 Likes

Hello Ann, so when moving from 10.2 to 10.6.1 (within Kubernetes), the issue our users started to get where badge images did not show is related to this? And that fix should be in the next version or so?

Hi,

Related? Yes, probably.

Fixed in 10.7? If that’s^ correct, then yes.

(BTW, we can verify this if the users check their browser consoles to see what the error is.)

 
Ann

1 Like
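
The Cross-Origin-Resource-Policy block reported at the top of this thread can be reproduced from the response headers alone, following the Fetch standard's CORP check for no-cors embeds such as a badge image. This is an added example, not code from the thread or from SonarQube. Assumptions: `gitlab.example.com` is a hypothetical embedding host, `site()` approximates the registrable domain with the last two labels, and the embedding page sets no Cross-Origin-Embedder-Policy.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
KNOWN = ("same-origin", "same-site", "cross-origin")


def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def site(host):
    # Assumption: registrable domain = last two labels. Browsers use the
    # Public Suffix List, so this is wrong for suffixes such as co.uk.
    return ".".join(host.split(".")[-2:])


def corp_verdict(embedding_page, resource_url, response_headers):
    """Decide whether a no-cors embed (e.g. a badge <img>) is 'allowed' or 'blocked'.

    response_headers is a list of (name, value) pairs as sent on the wire.
    Assumes the embedding page sets no Cross-Origin-Embedder-Policy.
    """
    page, resource = origin(embedding_page), origin(resource_url)
    if page == resource:
        return "allowed"  # same-origin loads are not subject to CORP
    values = [v.strip() for k, v in response_headers
              if k.lower() == "cross-origin-resource-policy"]
    # Fetch joins repeated headers with ", "; a joined or unknown value is ignored.
    policy = ", ".join(values) if values else None
    if policy not in KNOWN or policy == "cross-origin":
        return "allowed"
    if policy == "same-site" and site(page[1]) == site(resource[1]):
        # An http page may not embed a same-site https resource.
        if page[0] == "https" or resource[0] != "https":
            return "allowed"
    return "blocked"


# Constructed sample: gitlab.example.com is a hypothetical embedding page.
PAGE = "https://gitlab.example.com/group/myproject"
BADGE = "https://sonar.example.com/api/project_badges/measure?project=myproject&metric=alert_status"

if __name__ == "__main__":
    for value in ("same-origin", "same-site", "cross-origin"):
        print(value, "->", corp_verdict(PAGE, BADGE, [("Cross-Origin-Resource-Policy", value)]))
```

Feeding it the header pairs from a real response (for example the output of `curl -sI` on the badge URL) shows which value the instance or a proxy in front of it actually sends.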

Is the problem solved in 10.7.0? Because I’ve just updated and still have the same problem :thinking:

Hi @thysjohan,

SonarQube 10.7 hasn’t been announced yet. I guess you just pulled the binary directly off the distribution site?

Can you give some details / logs / screenshots of what you’re seeing?

 
Thx,
Ann

Hi Ann,

I retrieved the image from Docker Hub.

The image is still not displayed on our GitLab and the error still seems to be the same:

Failed to load resource: net::ERR_BLOCKED_BY_RESPONSE.NotSameOrigin

Hi,

Is it possible there’s some caching involved?

 
Thx,
Ann

I had already emptied it, but I did it a second time, and now the badge appears.

Version 10.7.0 fixes the problem, thank you :partying_face:

2 Likes