We have received notifications from our security solutions that malware has been found in SonarQube’s (v8.9 on Linux) temp directory and is being quarantined. This is coming for various .tmp files under the temp location; one such example is /sonarsource/application-data/sonarqube/temp/tc/work/Tomcat/localhost/ROOT/upload_d12d848f_03_84b9_d0cc43061_020.tmp
Does anyone know what gets uploaded to the temp directory, and has this been observed by anyone else? How can we identify the source scan for these kinds of uploads? Any advice is appreciated.
Can you share the names of the flagged files? It’s quite likely what you’ve encountered is a signature collision between a legitimate SonarQube library and some other malware file.
Hi, this folder is used by Tomcat to store temporary files during file upload. This includes reports sent from the scanner at the end of an analysis. This report can contain various things, such as source code, Protobuf files (that are sometimes flagged as malicious as it’s a binary format), or executable/binary files.
A similar situation has been observed with SonarLint, with an anti-virus quarantining some protobuf files.
Besides the scanner behavior, any users that have “scan” permission could send a handcrafted payload with a malicious payload as a “report”. It would be discarded by SonarQube, but your security solution might flag the files during the file upload. In this case, it makes sense to put them in quarantine and delete them.
One way to verify what’s happening in your case would be to look at your CI jobs running SonarQube scanner: Did you notice any unexpected failure during report uploads recently?
Protobuf binaries generated by the sonar scanner can be closed as a false positive for sure.
For other content, it depends on what’s uploaded from the scanner: if you have some suspicious content on your CI where the project is analyzed, this could be uploaded to SQ in the folder you mentioned.
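A small triage helper, added here as an example and not code from this thread or from SonarSource: it classifies a quarantined upload by magic bytes (ELF/PE executables, zip archives) and otherwise checks whether the bytes parse as protobuf wire format, which supports the false-positive call for scanner-generated protobuf files. The sample inputs are constructed.

```python
# Added triage helper (not SonarSource code). Sample inputs are constructed.

def _varint(data: bytes, pos: int):
    """Decode a base-128 varint at pos; return (value, new_pos) or None if truncated."""
    value, shift = 0, 0
    while pos < len(data) and shift <= 63:
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    return None

def looks_like_protobuf(data: bytes) -> bool:
    """True if the whole buffer parses as protobuf wire-format tag/payload pairs."""
    pos = 0
    while pos < len(data):
        tag = _varint(data, pos)
        if tag is None or tag[0] >> 3 == 0:      # truncated tag or field number 0
            return False
        key, pos = tag
        wire_type = key & 0x7
        if wire_type == 0:                       # varint payload
            val = _varint(data, pos)
            if val is None:
                return False
            pos = val[1]
        elif wire_type in (1, 5):                # fixed 64-bit / 32-bit payload
            pos += 8 if wire_type == 1 else 4
        elif wire_type == 2:                     # length-delimited payload
            ln = _varint(data, pos)
            if ln is None:
                return False
            pos = ln[1] + ln[0]
        else:                                    # deprecated groups or invalid types
            return False
        if pos > len(data):                      # payload runs past end of buffer
            return False
    return len(data) > 0

def classify(data: bytes) -> str:
    """Magic-byte classification first; protobuf structure check as a fallback."""
    if data.startswith(b"\x7fELF"):
        return "elf-executable"
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"PK\x03\x04"):
        return "zip-archive"
    return "protobuf-like" if looks_like_protobuf(data) else "unknown"
```

Short plain-text files can parse as protobuf by chance, so treat "protobuf-like" as a hint to be paired with the CI-job check suggested above, while an executable classification deserves a closer look.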