Failed reading properties of type Password

I’m the maintainer of the TFVC plugin. Most times I’m working with a DevOps Server in the local network. The build user can use Windows integrated security to get source code details (annotation) from the DevOps server.

Now, a project hosted in DevOps Services becomes active. I’m very sure that the authentication using PAT was working in the past. But currently I see that the configuration provided in SonarQube (Community Edition, on-premises) is not handed over to the plugin.

Is there any change in handling parameters of type PropertyType.PASSWORD in the recent SonarQube versions?

I found that the data is saved as clear text in the database.

sonar=# select * from properties where prop_key like 'sonar.tfvc.pat.secured';
        prop_key        | is_empty |                      text_value                      | clob_value |  created_at   |             entity_uuid              |                 uuid                 | user_uuid
------------------------+----------+------------------------------------------------------+------------+---------------+--------------------------------------+--------------------------------------+-----------
 sonar.tfvc.pat.secured | f        | gvr***REDACTED***                                    |            | 1653597011313 |                                      | AYECD_1x4c3dypwt6nOy                 |
 sonar.tfvc.pat.secured | f        | foo                                                  |            | 1736432648604 | cc8a581a-2701-4092-8f74-5ac5d3c6a5b6 | a3bd12b5-3534-419c-9fe0-6bcde6704879 |
(2 Zeilen)

I have added debugging output. With this I get the following output:

13:08:45.540 DEBUG: SCM-TFVC: started blaming with executable c:\build\_work\1707\.sonarqube\out\.sonar\.sonartmp\SonarTfsAnnotate2127616622602394596.exe
13:08:45.540 DEBUG: SCM-TFVC: collection uri: https://***REDACTED***
13:08:45.540 DEBUG: SCM-TFVC: user name: 
13:08:45.540 DEBUG: SCM-TFVC: password length: 0
13:08:45.540 DEBUG: SCM-TFVC: pat length: 0

But the PAT is set for all projects and for the specific project.

Yes. We made this change in September 2021, and I think this is the first (maybe second?) time we heard any feedback about it! :smiley:

Release 9.1 upgrade notes

Secured settings no longer available in web services and on the scanner side
This change especially affects the analysis of SVN projects but also, possibly, the use of some 3rd-party plugins. Secured settings required to perform the analysis now need to be passed to the scanner as parameters.

Secured parameters now need to be passed directly to the scanner as analysis parameters rather than as server-side config. This change prevents any user with Execute Analysis permissions from accessing potentially sensitive information as plaintext, often unrelated to analysis (SMTP settings, for example).

One evolution you might consider for the plugin would be to read an environment variable that users can set at the agent level so it doesn’t need to be added to every build.
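As an added example, not code from the TFVC plugin or from this thread, the following Java helper shows the resolution order the answer suggests: the scanner-side analysis parameter first, then an agent-level environment variable, and never the server-side secured setting (which SonarQube 9.1+ no longer delivers to the scanner). The property key is the one from the question; the environment variable name `SONAR_TFVC_PAT` and the class name are assumptions.

```java
import java.util.Map;
import java.util.Optional;
import org.sonar.api.config.Configuration;

// Hypothetical helper for a SonarQube scanner-side plugin (e.g. inside a Sensor).
// Call as: PatResolver.resolve(context.config(), System.getenv())
public final class PatResolver {
    // Property key taken from the question; the env var name is an assumption.
    static final String PAT_PROPERTY = "sonar.tfvc.pat.secured";
    static final String PAT_ENV_VAR = "SONAR_TFVC_PAT";

    private PatResolver() {}

    /**
     * Returns the PAT from the analysis parameters passed to the scanner
     * (e.g. -Dsonar.tfvc.pat.secured=...), otherwise from the build agent's
     * environment; empty if neither is set. Server-side secured settings
     * are not consulted because the scanner never receives them anymore.
     */
    public static Optional<String> resolve(Configuration config, Map<String, String> env) {
        Optional<String> fromParams = config.get(PAT_PROPERTY).filter(s -> !s.isBlank());
        if (fromParams.isPresent()) {
            return fromParams;
        }
        return Optional.ofNullable(env.get(PAT_ENV_VAR)).filter(s -> !s.isBlank());
    }

    /**
     * Debug text that reports only the length, mirroring the "pat length: 0"
     * line in the question, so the secret itself never reaches the build log.
     */
    public static String describe(Optional<String> pat) {
        return "SCM-TFVC: pat length: " + pat.map(String::length).orElse(0);
    }
}
```

With this order, an agent-level variable set once on the build machine covers every pipeline on that agent, while a per-build analysis parameter still takes precedence when present.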