PR decoration shows broken images due to CSP

barorion · June 3, 2020, 7:37am

Using SonarQube developer 8.3.1.34397; integrated with GitHub Enterprise 2.16.2; viewed using latest google chrome on windows.
I’ve integrated my SonarQube instance with my Github Enterprise server, so my pull requests are decorated (having both bot comments and a PR check). all good so far
Problem: images on both the bot comment and the check page are broken. I believe it’s due to GitHub’s contents-security-policy, that prevent loading images from external sources as my sonarQube server. (when I’m using extensions like this to disable CSP, the images are shown correctly…)

Any idea how to overcome this? (can I e.g. customize the used images, e.g. to have them pointing to images located on my Enterprise Github server itself, so hopefully they can be served)?

Thanks
Gilad

pierreguillot · June 3, 2020, 7:57am

Hi, if your SonarQube instance is not reachable from GHE, you are in the same situation as this thread. Is it the case?

barorion · June 3, 2020, 7:59am

well, it’s definitely reachable, as when I’m disabling CSP (e.g. using this chrome extension) the images are shown correctly.

barorion · June 3, 2020, 8:26am

BTW, having the images uploaded to the github enterprise server would definitely work…
Putting my developer hat for a second, it might be nice for the PR decoration code to do just that on the 1st decoration of a PR of a GH instance, and always use those stored references to images locations on GH.

pierreguillot · June 3, 2020, 9:01am

Ah ok, that indeed a different issue then. What do you mean upload images to GH? Like in a repo?

barorion · June 3, 2020, 9:37am

well yes… it’s just a suggestion for a solution from SonarQube side
basically as a human user you can drag an image to a PR comment, and it will be loaded to GH (not to your repo, but to some shared/per user storage, e.g. as <GIT_URL>/storage/user/76/files/3029a580-a594-11ea-851d-4c875b7c7e9a).
Your PR comment will include a link to the above file. as this file sits inside your GH server, no problem with CSP!
Maybe the PR decoration code could do something similar (except the drag&drop part ): upload the relevant image to GH, and than the references to images on the sonar server can be replaced with references to those images on GH.

barorion · June 17, 2020, 8:53am

can you suggest a workaround, or is there an issue I can track for this to be solved?