Exposing SonarQube API for cloud deployment and/or use with hosted agents - securing SonarQube API

Hello,

We need to expose our on-premise-hosted SonarQube instance in order to be able to analyze builds that run on hosted agents (Azure DevOps). We would leverage a reverse proxy. In order to do this in a secure way, we would like to have some authentication on the connection. It seems however that some API methods are not authenticated and these are called before a token gets used (check version, get users, download jar file).

We’re currently analyzing 2 tracks:

  • implement the unauthenticated calls in a static fashion on the reverse proxy in order to limit access/avoid misuse, set up a kind of whitelisting for subsequent calls from the same IP once authenticated
  • use an SSL/SSH tunneling mechanism to create a secure/authenticated channel towards the reverse proxy which will then tunnel all calls (possibly with stunnel)

Questions

  1. Is there a way to deploy SonarQube which is more secure and acceptable to expose on Internet?
  2. Did anyone already implement such setup?
  3. Is there any effort to secure the sonarqube API?

Thanks
Jean.

1 Like

Can I get any feedback on this topic please?

Hi Jean,

What are the potential vulnerabilities you want to avoid? The few unauthenticated calls that you list sound acceptable to expose the service on internet. At least that’s what is done with sonarcloud.io.

Regards

Hello @simon.brandhof
Thanks for getting back.
In fact, we were able to get the list of users with an unauthenticated request at the time we investigated this. Not sure if there were any changes in the meantime (we upgraded to 7.6 this week and haven’t checked again).
Thanks

FYI sonarcloud.io has the same problem it seems. I’d recommend closing this down fast!
https://sonarcloud.io/api/users/search

The web service you mention on SonarCloud is not considered vulnerable because it displays only information publicly published by GitHub, Bitbucket and Azure DevOps.

In your context of SonarQube, the solution to hide the list of users is to forbid anonymous calls to all web services. That can be achieved by enabling the property Force user authentication in the console Administration > General Settings > Security.

2 Likes
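A small audit script, added here as an illustration and not part of the thread or of SonarQube itself, for checking the outcome of the setting described above: it sends requests with no token to the web services the thread names as reachable anonymously and reports which ones still answer. Only /api/users/search is quoted on the page; /api/server/version and /batch/index are my assumptions for "check version" and "download jar file", and the sample response body is constructed.

```python
"""Check which SonarQube web services answer requests sent without a token."""
import json
import sys
import urllib.error
import urllib.request

# Web services the thread names as callable before a token is used. Only
# /api/users/search appears on the page; the other two paths are assumptions.
PROBE_PATHS = ("/api/server/version", "/api/users/search", "/batch/index")

# Constructed sample shaped like an api/users/search body, with made-up users.
SAMPLE_USERS_RESPONSE = json.dumps({
    "paging": {"pageIndex": 1, "pageSize": 50, "total": 2},
    "users": [
        {"login": "alice", "name": "Alice Example",
         "email": "alice@example.invalid", "active": True},
        {"login": "bob", "name": "Bob Example", "active": True},
    ],
})


def classify(status):
    """Verdict for an anonymous request: did the server demand a login?"""
    if status in (401, 403):
        return "blocked"
    if 200 <= status < 300:
        return "anonymous"
    return "other"


def disclosed_fields(body_text):
    """Per-user field names visible in an api/users/search style body."""
    try:
        users = json.loads(body_text).get("users", [])
    except (ValueError, AttributeError):
        return []
    fields = set()
    for user in users:
        fields.update(user.keys())
    return sorted(fields)


def probe(base_url, path):
    """GET base_url + path with no credentials; return (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403 is the expected answer once Force user authentication is on.
        return err.code, err.read().decode("utf-8", "replace")


def findings(results):
    """Turn {path: (status, body)} into one finding line per path."""
    lines = []
    for path, (status, body) in results.items():
        verdict = classify(status)
        if path == "/api/users/search" and verdict == "anonymous":
            fields = ", ".join(disclosed_fields(body)) or "unknown"
            lines.append(f"{path}: user directory readable anonymously "
                         f"(fields: {fields}); enable Force user authentication")
        else:
            lines.append(f"{path}: {verdict} (HTTP {status})")
    return lines


def audit(base_url):
    """Probe every path and return the finding lines."""
    return findings({path: probe(base_url, path) for path in PROBE_PATHS})


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:9000"
    for line in audit(target):
        print(line)
```

Run it once before and once after enabling Force user authentication: the user listing line should change from "readable anonymously" to "blocked (HTTP 401)". Services that are meant to stay reachable without a token will still report "anonymous", which is a prompt to decide per path whether the reverse proxy should pass them through.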

That fixes the issue indeed.
Thanks for getting back