Security Advisory: SonarQube Scanner GitHub Action

Are you affected?

Your workflow may be vulnerable if it passes user-controlled or computed values into the args field of the sonarqube-scan-action using shell variable syntax. For example:

- name: SonarQube Scan
  uses: SonarSource/sonarqube-scan-action@v5.3.0
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
  with:
    args: >
      -Dsonar.branch.name=${{ github.head_ref }}

If the value of github.head_ref were constructed to include a shell command, that command would have been executed when the action calculated the value for sonar.branch.name. v5.3.1 prevents this by treating the entire input as a literal string, which mitigates the vulnerability.

Additional Resources:

Do I need to update my workflow beyond upgrading the action version?

Most users will only need to make sure that they are using a patched version of sonarqube-scan-action. However, some users may have been intentionally using inline shell commands which will no longer work. You must now precompute such values earlier in your workflow.

Example of required workflow change:

Previously (v5.3.0):

- name: SonarQube Scan
  uses: SonarSource/sonarqube-scan-action@v5.3.0
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
  with:
    args: >
      -Dsonar.projectKey=prefix_$(basename "${{ github.repository }}")

After upgrading (v5.3.1):

- name: Compute project key
  run: |
    PROJECT_SUFFIX=$(basename "${{ github.repository }}")
    echo "PROJECT_KEY=prefix_${PROJECT_SUFFIX}" >> "$GITHUB_ENV"
- name: SonarQube Scan
  uses: SonarSource/sonarqube-scan-action@v5.3.1
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
  with:
    args: >
      -Dsonar.projectKey=${{ env.PROJECT_KEY }}
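An added audit script, not part of the advisory or of the SonarSource action, for answering the "are you affected?" question across a repository's workflow files: it finds steps that use the action and reports pre-5.3.1 (or non-version) refs whose args interpolate ${{ }} expressions, plus inline $(...) substitutions that will stop working once args is treated literally. The line-based parsing is a deliberate heuristic that assumes the key layout shown in the advisory, and SAMPLE is constructed input.

```python
import re
ACTION = "SonarSource/sonarqube-scan-action"
FIXED = (5, 3, 1)  # first release that treats args as a literal string (per the advisory)
EXPR = re.compile(r"\$\{\{\s*([^}]+?)\s*\}\}")  # ${{ ... }} workflow expressions

def parse_version(ref):
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)  # None for branches/SHAs: treated as unknown
    return tuple(int(x) for x in m.groups()) if m else None

def block(lines, idx, min_indent):
    """Lines after lines[idx] up to the first non-blank line indented less than min_indent."""
    out = []
    for nxt in lines[idx + 1:]:
        if nxt.strip() and len(nxt) - len(nxt.lstrip(" ")) < min_indent:
            break
        out.append(nxt)
    return out

def audit_workflow(text):
    """Line-based scan of one workflow file (no YAML library). Returns (line_no, kind, detail):
    'injection' = pre-5.3.1/unknown ref with ${{ }} in args; 'inline-shell' = $(...) or backticks in args."""
    lines, findings = text.splitlines(), []
    for i, line in enumerate(lines):
        m = re.search(rf"uses:\s*{re.escape(ACTION)}@(\S+)", line)
        if not m:
            continue
        ref, version = m.group(1), parse_version(m.group(1))
        step = block(lines, i, m.start())  # sibling keys of 'uses:' (env:, with:, ...) in this step
        args = ""
        for j, s in enumerate(step):
            if s.strip().startswith("args:"):
                args = "\n".join([s.split("args:", 1)[1]] + block(step, j, s.find("args:") + 1))
                break
        exprs = EXPR.findall(args)
        if exprs and (version is None or version < FIXED):
            findings.append((i + 1, "injection", f"{ref}: args interpolates {', '.join(exprs)}"))
        if "$(" in args or "`" in args:
            findings.append((i + 1, "inline-shell", f"{ref}: precompute this value in a run step"))
    return findings

SAMPLE = """\
  - uses: SonarSource/sonarqube-scan-action@v5.3.0
    with:
      args: >
        -Dsonar.branch.name=${{ github.head_ref }}
        -Dsonar.projectKey=prefix_$(basename "${{ github.repository }}")
  - uses: SonarSource/sonarqube-scan-action@v5.3.1
    with:
      args: -Dsonar.projectKey=${{ env.PROJECT_KEY }}
"""  # constructed sample steps mirroring the advisory's before/after snippets
```

Run it over every file under .github/workflows; the fixed step in SAMPLE produces no finding because v5.3.1 no longer evaluates args in a shell.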

Coucou folks, I hope you are doing well.

I have received an email with the subject “Urgent SonarQube Notification” regarding this.

I searched in the message content if there was a way to unsubscribe or edit my email preferences, but could not find anything. I don’t want to mark you as spam, how can I do that properly?

Cheers :face_blowing_a_kiss:!

My understanding is that GitHub Actions are a supported language in SonarCloud.

Would the Sonar scanner report this vulnerability as a Security Issue? Where do I find the rules associated with the language?

I don’t think there is a rule to cover this but this does seem to show that it would be good to add one?

Hey @Siegfried

Nice to see you. :slight_smile:

I’m not sure we have a great way to let users unsubscribe from security notices. Let me follow up on this, and at the very least I can see if there’s a way we can remove your email from any future notices.

Hey @dmurrells,

Great point! We do have rules targeting GitHub Actions, which you can find here. I believe this rule would typically flag issues like this, though I haven’t personally tested it yet. I’ll do that and update you soon.

Update: After checking, it looks like this rule specifically analyzes the run block of an action. Since your issue occurred in the args section, it would not have been detected. I’ll share this feedback with the team to explore possible improvements to the rule!

Hey everybody,

Take a look at this follow-up post.