Exposing SonarQube API for cloud deployment and/or use with hosted agents - securing SonarQube API

sonarqube
vsts
azure

(Jean van Caloen) #1

Hello,

We need to expose our on-premise-hosted SonarQube instance in order to be able to analyze builds that run on hosted agents (Azure DevOps). We would leverage a reverse proxy. In order to do this in a secure way, we would like to have some authentication on the connection. It seems, however, that some API methods are not authenticated, and these are called before a token gets used (check version, get users, download jar file).

We’re currently analyzing 2 tracks:

  • implement the unauthenticated calls in a static fashion on the reverse proxy in order to limit access/avoid misuse, and set up a kind of whitelisting for subsequent calls from the same IP once authenticated
  • use an SSL/SSH tunneling mechanism to create a secure/authenticated channel towards the reverse proxy, which will then tunnel all calls (possibly with stunnel)

Questions

  1. Is there a way to deploy SonarQube which is more secure and acceptable to expose on the Internet?
  2. Did anyone already implement such a setup?
  3. Is there any effort to secure the SonarQube API?

Thanks
Jean.
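
One way to put authentication in front of the whole SonarQube API, including the endpoints that SonarQube itself serves without a token, is to terminate TLS on the reverse proxy and require a client certificate (mutual TLS) from the build agents. The nginx configuration below is an added example and is not part of this thread, of SonarQube's documentation, or of any poster's setup; the hostname, the certificate paths, the SonarQube listen address (127.0.0.1:9000) and the commented-out agent IP range are assumptions.

```nginx
# Added example (not from the thread): mutual-TLS gate in front of SonarQube.
# Assumptions: SonarQube listens on 127.0.0.1:9000; cert paths and hostname are placeholders.

# Redirect any plain-HTTP request so tokens are never sent in clear text.
server {
    listen 80;
    server_name sonar.example.internal;   # assumed hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name sonar.example.internal;   # assumed hostname

    # Server certificate presented to the agents (placeholder paths).
    ssl_certificate     /etc/nginx/tls/sonar.crt;
    ssl_certificate_key /etc/nginx/tls/sonar.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client-certificate authentication: every request, including the
    # version check, user search and scanner jar download that SonarQube
    # answers without a token, must come from a holder of a certificate
    # issued by this private CA. Anything else is rejected at the TLS handshake.
    ssl_client_certificate /etc/nginx/tls/agent-ca.crt;   # placeholder path
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # Optional IP allowlist (the "whitelisting" track from the post).
        # Commented out because hosted agents rarely have stable addresses;
        # the range below is a placeholder, not a real agent pool.
        # allow 203.0.113.0/24;
        # deny  all;

        proxy_pass         http://127.0.0.1:9000;   # assumed SonarQube address
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

With this in place the scanner keeps using its SonarQube token exactly as before; the proxy only adds a transport-level identity check that SonarQube's own authentication does not cover. A quick way to verify the gate is to request /api/users/search on the proxy without a client certificate and confirm the TLS handshake is refused, then repeat with the agent certificate and confirm the request reaches SonarQube.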


(Jean van Caloen) #2

Can I get any feedback on this topic please?


(Simon Brandhof) #3

Hi Jean,

What are the potential vulnerabilities you want to avoid? The few unauthenticated calls that you list sound acceptable to expose the service on the Internet. At least that’s what is done with sonarcloud.io.

Regards


(Jean van Caloen) #4

Hello @simon.brandhof
Thanks for getting back.
In fact, we were able to get the list of users with an unauthenticated request at the time we investigated this. Not sure if there were any changes in the meantime (we upgraded to 7.6 this week and haven’t checked again).
Thanks


(Jean van Caloen) #5

FYI, sonarcloud.io has the same problem, it seems. I’d recommend closing this down fast!
https://sonarcloud.io/api/users/search