GitLab Pull Request Decorator not showing images

SonarQube: 8.1 Developer Edition

Hi,

I have a fairly locked down SonarQube server, which is behind a load balancer and only accepts connections from my IP range.

I am using the GitLab Pull Request Decorator, however because of how locked down the server is, I believe it is unable to load the images which it is trying to get from the SonarQube server, for example:

I’ve tried whitelisting the GitLab IP range from https://docs.gitlab.com/ee/user/gitlab_com/#ip-range, to both the load balancer, as well as the server directly, however the images are still not being rendered.

Am I missing something here perhaps?

Thank you in advance!

Hi,

I guess you are using gitlab.com (vs on-prem). They use a proxy for assets: https://docs.gitlab.com/ee/security/asset_proxy.html

So you have to allow access from user-content.gitlab-static.net, not gitlab.com IPs.

Thanks for the response!

Yup, I am using gitlab.com - just to verify, I need to get the IP address range of user-content.gitlab-static.net so I can add that to my security rules?

Just to add, GitLab support provided the IP 35.190.114.86/32 for the asset proxy, which I whitelisted, and this has resolved the issue.

Glad you got this working! Thanks for the IP range of the asset proxy, that may be useful for others.

Hi @pierreguillot, same issue here, so thank you for pointing out the issue.

I’m using AWS with SonarQube with Docker; where should I add this IP range?

We have the same issue, and our security policy does not allow us to open up the network to allow GitLab to reach our SQ.

It would be nice anyway if, instead of requiring network trips to pull the image assets in, they were embedded in the MR decoration as base64 images.

It’s a little thing, and we live without it, but this would be a remediation that would fix it for good for everyone.

https://jira.sonarsource.com/browse/SONAR-13106 fixed that, loading images from the web if you use github.com or gitlab.com.

Images will be loaded from here: https://github.com/SonarSource/sonarqube-static-resources

The fix will be available with SonarQube 8.6, planned for the 2nd week of December.
