Malware is getting Detected in SonarQube's Temp Folder

Hi,

We have received notifications from our security solutions that malware has been found in SonarQube's (V8.9 on Linux) temp directory and is being quarantined. This is happening for various .tmp files under the temp location; one example is /sonarsource/application-data/sonarqube/temp/tc/work/Tomcat/localhost/ROOT/upload_d12d848f_03_84b9_d0cc43061_020.tmp

Does anyone know what gets uploaded to the temp directory, and has this been observed by anyone else? How can we identify the source scan for this kind of upload? Any advice is appreciated.

Thanks.

Hi,

Welcome to the community!

Can you share the names of the flagged files? It’s quite likely what you’ve encountered is a signature collision between a legitimate SonarQube library and some other malware file.

Ann

Hi Ann,

Here are a couple of files, different occurrences from the same location /sonarsource/application-data/sonarqube/temp/tc/work/Tomcat/localhost/ROOT/

upload_d12d848f_0859_4c03_84b9_d0cc48823061_00000200.tmp
upload_d12d848f_0859_4c03_84b9_d0cc48823061_00000163.tmp

Thanks.

Hi,

Thanks for the detail. We’re looking into it.

Ann

Hi, this folder is used by Tomcat to store temporary files during file upload. This includes reports sent from the scanner at the end of an analysis. This report can contain various things, such as source code, Protobuf files (that are sometimes flagged as malicious as it’s a binary format), or executable/binary files.

A similar situation has been observed on SonarLint, with an anti-virus quarantining some protobuf files.

Besides the scanner behavior, any users that have “scan” permission could send a handcrafted payload with a malicious payload as a “report”. It would be discarded by SonarQube, but your security solution might flag the files during the file upload. In this case, it makes sense to put them in quarantine and delete them.

One way to verify what’s happening in your case would be to look at your CI jobs running SonarQube scanner: Did you notice any unexpected failure during report uploads recently?


Hi Pierre,

Thanks for your reply. Yes, there were some failures; below are some of them:

ce.2023-01-24.log:2023.01.24 09:26:23 INFO  ce[AYXjGZFDtf3Fy1_4y5JB][o.s.c.t.s.ComputationStepExecutor] Validate project | status=FAILED | time=1ms
ce.2023-01-24.log:2023.01.24 09:26:23 INFO  ce[AYXjGZFDtf3Fy1_4y5JB][o.s.c.t.CeWorkerImpl] Executed task | project=srv-service | type=REPORT | pullRequest=94 | id=AYXjGZFDtf3Fy1_4y5JB | submitter=api1 | status=FAILED | time=455ms
ce.2023-01-27.log:2023.01.27 19:50:11 INFO  ce[AYX0w4wPtf3Fy1_4y5r6][o.s.c.t.s.ComputationStepExecutor] Validate project | status=FAILED | time=9ms
ce.2023-01-27.log:2023.01.27 19:50:14 INFO  ce[AYX0w4wPtf3Fy1_4y5r6][o.s.c.t.CeWorkerImpl] Executed task | project=platform1 | type=REPORT | branch=release/2.7 | branchType=BRANCH | id=AYX0w4wPtf3Fy1_4y5r6 | submitter=platform1 | status=FAILED | time=107618ms
ce.2023-01-30.log:2023.01.30 15:37:22 INFO  ce[AYYDUy7BXSXK5-a_k0bM][o.s.c.t.s.ComputationStepExecutor] Validate project | status=FAILED | time=3ms
ce.2023-01-30.log:2023.01.30 15:37:22 INFO  ce[AYYDUy7BXSXK5-a_k0bM][o.s.c.t.CeWorkerImpl] Executed task | project=common1 | type=REPORT | branch=feature/PHOEN-1037 | branchType=BRANCH | id=AYYDUy7BXSXK5-a_k0bM | submitter=api1 | status=FAILED | time=4083ms
ce.2023-01-30.log:2023.01.30 16:19:32 INFO  ce[AYYDeZQYXSXK5-a_k0bv][o.s.c.t.s.ComputationStepExecutor] Validate project | status=FAILED | time=2ms
ce.2023-01-30.log:2023.01.30 16:19:32 INFO  ce[AYYDeZQYXSXK5-a_k0bv][o.s.c.t.CeWorkerImpl] Executed task | project=accounts | type=REPORT | branch=v6.131.3.x | branchType=BRANCH | id=AYYDeZQYXSXK5-a_k0bv | submitter=api1 | status=FAILED | time=6315ms

So it might be that your security system is flagging protobuf content as suspicious.

Thanks again for the info. So, is it safe for us to close out these as false positive?

Thanks.
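The ce.log lines quoted in the reply above can be parsed to answer the original question of which scan produced a given upload: each failed REPORT task records the submitter, project and branch or pull request. The following parser is an added example, not code from the thread or from SonarQube; it assumes the ce.log line format shown in those lines (including the grep file-name prefix) and uses two of the quoted lines as its sample input.

```python
import re
from collections import defaultdict
# Two of the failed tasks from the ce.log lines quoted above (grep output,
# so each line carries a file-name prefix); the others parse the same way.
CE_LOG = """\
ce.2023-01-24.log:2023.01.24 09:26:23 INFO  ce[AYXjGZFDtf3Fy1_4y5JB][o.s.c.t.s.ComputationStepExecutor] Validate project | status=FAILED | time=1ms
ce.2023-01-24.log:2023.01.24 09:26:23 INFO  ce[AYXjGZFDtf3Fy1_4y5JB][o.s.c.t.CeWorkerImpl] Executed task | project=srv-service | type=REPORT | pullRequest=94 | id=AYXjGZFDtf3Fy1_4y5JB | submitter=api1 | status=FAILED | time=455ms
ce.2023-01-27.log:2023.01.27 19:50:11 INFO  ce[AYX0w4wPtf3Fy1_4y5r6][o.s.c.t.s.ComputationStepExecutor] Validate project | status=FAILED | time=9ms
ce.2023-01-27.log:2023.01.27 19:50:14 INFO  ce[AYX0w4wPtf3Fy1_4y5r6][o.s.c.t.CeWorkerImpl] Executed task | project=platform1 | type=REPORT | branch=release/2.7 | branchType=BRANCH | id=AYX0w4wPtf3Fy1_4y5r6 | submitter=platform1 | status=FAILED | time=107618ms
"""
# One ce.log line: optional "file:" prefix, timestamp, level, ce[taskId][logger], message.
LINE_RE = re.compile(
    r"^(?:[^:]+:)?(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+)\s+"
    r"ce\[(?P<task>[^\]]*)\]\[[^\]]+\] (?P<msg>.*)$"
)

def parse_line(line):
    """Split a ce.log line into fields; the message's 'k=v' pairs become keys."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    event, *pairs = (p.strip() for p in rec.pop("msg").split("|"))
    rec["event"] = event
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key.strip()] = value.strip()
    return rec

def failed_report_tasks(text):
    """One dict per failed REPORT task id: failed step plus the 'Executed task' summary."""
    tasks = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("status") != "FAILED":
            continue
        task = tasks[rec["task"]]
        if rec["event"] == "Executed task":
            task.update(rec)  # project, type, submitter, branch/pullRequest, time
        else:
            task.setdefault("failed_step", rec["event"])  # e.g. "Validate project"
    return [t for t in tasks.values() if t.get("type") == "REPORT"]

def uploads_by_submitter(text):
    """Map each submitter (CI identity/token) to (timestamp, project, ref) of failed uploads."""
    out = defaultdict(list)
    for t in failed_report_tasks(text):
        ref = t.get("branch") or ("PR " + t["pullRequest"] if "pullRequest" in t else "main")
        out[t["submitter"]].append((t["ts"], t["project"], ref))
    return dict(out)
```

Running it over the full ce.log (without the grep prefix works too) gives the list of submitters and branches whose report uploads failed, which is where to start when correlating a quarantined upload_*.tmp with the job that sent it.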

Protobuf binaries generated by the sonar scanner can be closed as false positive for sure.

For other content, it depends on what’s uploaded from the scanner: if you have some suspicious content on your CI where the project is analyzed, this could be uploaded in SQ to the folder you mentioned.