Private source code is exposed when an issue has 2 or more source locations

  • Version: Community Edition Version 8.1 (build 31237)
  • Error observed: Private source code is visible when an issue has more than a single code location.
  • Steps:
    • Make the project private and remove the source code browser permission for the default group.
    • Scan a project that has issues with multiple code locations (very common).
    • Log in as a user that is only in the default sonar-user group.
    • Click on issues that call out multiple code locations.

Expected behavior: Warning that “no source code can be displayed” is shown.
Observed behavior: Source code is fully displayed.

Thanks @Dana for reporting this issue, we’re gonna fix this.

Next time, you can use the Responsible Vulnerability Disclosure process to report such issues, thanks!