Is there some protection against malicious plugins?

Are plugins running in some kind of sandbox? If I download and install any plugin from an unknown source, am I exposed to some attacks? Put another way, can the plugin perform any action with the rights of the user who is running SonarQube (reading or writing files, opening network connections, etc.)?

I could not find any information on this topic, maybe I did not look at the right place.

Hi @vm666, welcome to the SonarSource Community!

I would like to draw your attention to the documentation on this topic.

Well, this is not clear.

“Plugins are not provided by SonarSource, and you therefore install them at your own risk”

What are the risks?

Hi @vm666,

I’m planning to publish a blog post on that topic next week. At the risk of spoiling it, here’s a single excerpt from the conclusion:

SonarQube exposes a powerful API that gives plugins broad access to its internals. Thus there is an inherent risk in installing a plugin.

The full post should come out Tuesday.

HTH,
Ann

SonarQube exposes a powerful API that gives plugins broad access to its internals. Thus there is an inherent risk in installing a plugin.

I’m not that worried about SonarQube internal data; I was wondering whether the plugin code is allowed to access any file on the local machine, or run any command.

Hi,

You may be interested in this ticket:

SONAR-14886 - Plugins should not modify SonarQube’s home directory

Ann