How to cycle token in badge url

klaverty · April 29, 2021, 5:56pm

Environment Details:

ALM used: GitHub
CI system used: Azure DevOps
Languages of the repository: C#

Our IT department has a policy to rotate all API keys on a given frequency and we recently noticed that the badge urls for the private repos (projects) have a token in them. What little documentation there is appears to indicate this is an API key that lets the badge look into the private repo (project) and get the stats back out again. We are using SonarCloud.io for hosting.

I am trying to figure out how to rotate that token to bring it in line with our IT security policy.

I submitted a request via the contact form and was redirected here by the person who answered.

Thanks for your time.

Alexandre_Holzhey · May 11, 2021, 6:24am

Hello @klaverty and welcome to our Community!

SonarCloud tokens are associated to users and allows act like them. You can check created tokens at your account security. It is also possible to manage them using our API.

As i mentioned, they need to be managed by the user that created them. SonarCloud create them automatically for you when required (like when your decide to scan it manually or when you generate a badge URL for a private project). So you need to know which user created these tokens you want to rotate. I think a good approach is to have a dedicated user for these tokens, which will make easier to rotate later (you can also give restricted permissions to this user).

klaverty · May 11, 2021, 1:10pm

Hello, @Alexandre_Holzhey,

I think there was a miscommunication in my posting. In sonarcloud.io, under your repo, there is a “Get project badges” button. In there there are links to badges to show in readmes such as this link:
[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=[project name]&metric=alert_status&token=[token])](https://sonarcloud.io/dashboard?id=[project name])

These tokens are fixed per project and there is no spot in the UI to change them. They are not tied to a specific user.

Mark_Clements · May 18, 2021, 4:15pm

Hello @klaverty,

This is a reasonable request. I have raised a ticket for it.
While I appreciate the importance of complying to your policies, I think it is quite low risk so it may take time to find delivery slot.

testworksau · November 24, 2021, 5:11am

SonarQube 9.2 has the following message, along with a “Renew Token” button:

Project badges can expose your security rating and other measures. Only use project badges in trusted environments. If your project badge security token has leaked to an unsafe environment, you can renew it

The token is the same regardless of the badge, so the risk is that you may expose:

The number of Bugs, Code Smells, Lines of Code, and Vulnerabilities
The percentage of Code coverage and Duplicated lines of code
The Quality Gate status, Reliability rating, and Security rating
The amount of Technical Debt

Are there any other permissions tied to the token @Mark_Clements ?

Mark_Clements · November 24, 2021, 10:21am

Hi Testworksau,

SonarQube 9.2 has the following message, along with a “Renew Token” button:

Yes, the renew token function has now been added to SonarQube! SonarCloud will follow.

This token of solely for the badges and any information made available as badges.

Regards,
Mark