Non-marketplace plugin security

My firm uses an instance on SonarQube deployed on our own server. As an iOS developer I would like to install the sonar-apple plugin, which is not present on the Sonar Marketplace. Our security department is concerned about the safety of this plugin and asked me to investigate and look for potential dangers of using a plugin that is not present on the Marketplace but the plugin is written in Java and quite big so I don’t think I’ll manage to check every line of code by myself.
Do you have any suggestion about what can make a plugin harmful? Is there something specific I should look for?

Hi,

Welcome to the community!

You always use 3rd-party plugins at your own risk. This blog post will give you some details and our take on the matter.

HTH,
Ann

Hello Ann,

Thank you for your answer. I am well aware that I use 3rd party plugins at my own risk, and I had already read that blog post. The plugin in question doesn’t require any unusual installation step, just put the .jar file in the /plugins folder.
Since I intend to inspect the plugin’s source code before using it, I am looking for tips about what I should look for (e.g. HTTP requests).

Thanks again

Alessio

Hi Alessio,

That blog post includes the more egregious bad behavior I’ve seen in the past that has disqualified plugins from Marketplace entry. I would just spin it up in a test instance and

  • watch the server logs - anything unusual?
  • and sure, watch the messages the server sends
  • poke around in the configurations it adds - if any - at both project and server level. Anything out of the ordinary?

HTH,
Ann
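To turn Ann's checklist and Alessio's question about HTTP requests into a concrete first pass, here is an added Python script; it is not code from this thread, from SonarSource or from the sonar-apple project. It scans a plugin jar offline for references to Java APIs that a code-analysis plugin rarely needs (sockets, HTTP clients, process execution, dynamic class loading, native libraries), extracts any URLs embedded in class files, and recurses into jars bundled under META-INF/lib, which is where plugins ship their dependencies. The jar it scans is constructed in memory with fake class entries that only mimic constant-pool strings; the indicator list and the `sampleswift` plugin key are assumptions. A hit is a place to start reading the source, not proof of bad behaviour.

```python
import io
import re
import zipfile

# Constant-pool strings that a SonarQube analysis plugin rarely needs.
# Assumed list: tune it to the plugin's advertised features.
INDICATORS = {
    "network": (b"java/net/HttpURLConnection", b"java/net/Socket",
                b"java/net/URL", b"okhttp3/", b"org/apache/http/"),
    "process": (b"java/lang/ProcessBuilder", b"java/lang/Runtime"),
    "dynamic-loading": (b"java/net/URLClassLoader",
                        b"java/lang/reflect/Method",
                        b"javax/script/ScriptEngine"),
    "native": (b"loadLibrary",),
    "filesystem-write": (b"java/io/FileOutputStream", b"java/nio/file/Files"),
}
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
MAX_DEPTH = 3  # bundled jars are scanned recursively up to this depth


def parse_manifest(text):
    """Parse META-INF/MANIFEST.MF, joining continuation lines (leading space)."""
    attrs, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs


def scan_jar_bytes(data, prefix="", depth=0):
    """Report suspicious API references and embedded URLs in a jar.

    Returns {"plugin_class", "classes", "findings": {category: {entry}},
    "urls": {url}}; nested jar entries are named outer.jar!/inner/path."""
    report = {"plugin_class": None, "classes": 0, "findings": {}, "urls": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            name = prefix + info.filename
            blob = jar.read(info)
            if info.filename == "META-INF/MANIFEST.MF" and depth == 0:
                manifest = parse_manifest(blob.decode("utf-8", "replace"))
                report["plugin_class"] = manifest.get("Plugin-Class")
            elif info.filename.endswith(".jar") and depth < MAX_DEPTH:
                sub = scan_jar_bytes(blob, prefix=name + "!/", depth=depth + 1)
                report["classes"] += sub["classes"]
                report["urls"] |= sub["urls"]
                for cat, entries in sub["findings"].items():
                    report["findings"].setdefault(cat, set()).update(entries)
            elif info.filename.endswith(".class"):
                report["classes"] += 1
                for cat, patterns in INDICATORS.items():
                    if any(p in blob for p in patterns):
                        report["findings"].setdefault(cat, set()).add(name)
                report["urls"].update(m.decode("ascii", "replace")
                                      for m in URL_RE.findall(blob))
    return report


def build_sample_jar():
    """Constructed stand-in for a plugin jar (not a real compiled plugin).

    The .class entries are fake byte blobs that only mimic the UTF-8
    constant-pool strings the scanner keys on; they are not loadable bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\r\nPlugin-Key: sampleswift\r\n"
                     "Plugin-Class: org.example.SamplePlugin\r\n")
        jar.writestr("org/example/SamplePlugin.class",
                     b"\xca\xfe\xba\xbe" + b"org/sonar/api/Plugin"
                     + b"org/example/SamplePlugin")
        jar.writestr("org/example/ReportSender.class",
                     b"\xca\xfe\xba\xbe" + b"java/net/HttpURLConnection"
                     + b"https://collector.example.invalid/upload")
        inner = io.BytesIO()  # a bundled dependency, as real plugins ship them
        with zipfile.ZipFile(inner, "w") as lib:
            lib.writestr("org/example/lib/Shell.class",
                         b"\xca\xfe\xba\xbe" + b"java/lang/ProcessBuilder")
        jar.writestr("META-INF/lib/helper.jar", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_jar_bytes(build_sample_jar())
    print("entry point:", result["plugin_class"], "| classes:", result["classes"])
    for category, entries in sorted(result["findings"].items()):
        print(f"{category}: {', '.join(sorted(entries))}")
    print("urls:", ", ".join(sorted(result["urls"])) or "none")
```

Run it against the real file by replacing `build_sample_jar()` with `open("sonar-apple.jar", "rb").read()`. Anything listed under `network`, together with the URLs, tells you which classes to read first and which hosts to expect in the outbound traffic when you watch the test instance; a `process` or `dynamic-loading` hit in an analysis plugin deserves an explanation in its documentation or source.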

Hi,

BTW, this thread mentions one of the things that can go wrong with plugins:

Ann