SMTP settings displayed as locked in UI

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    We are running Docker Version 9.5 (build 56709), both OSS and Developer

  • what are you trying to achieve
    Configure SMTP configuration

  • Issue

Hello

SMTP Configuration fields are all flagged as “locked” in the UI. We did not notice this in our previous version 8LTS.
It is still possible to update it, but it really degrades the maintenance activity:

Although it makes sense for sensitive data (username / password), we don’t see the point to also apply this obfuscation to SMTP_HOST, _PORT and others.

Is it a known issue/feature? Or something might have gone wrong during 8LTS > 9.5 upgrade?

1 Like

Warm welcome @scm_invn ,

It is a known feature that was introduced in SonarQube 9.1. For details please see: [SONAR-15376] - Jira.

As SMTP host and SMTP port were for a long time identified by us as .secured settings, their current value is not displayed in the GUI, after the implementation of linked JIRA ticket.

For now, the best I can do for you is to discuss it internally and see if we need to keep them .secured. It could also be helpful if you share what specific pain you have when updating these fields these days, after SonarQube 9.1, so I have more arguments in our internal discussions.

Thanks @Lukasz_Jarocki for your answer

Well honestly this is the first time I see such fields handled as “secure” by an application.

From a maintenance perspective, here is a recent use case:

  1. Need to update the SMTP credentials
  2. Open admin page, update credentials
  3. Checked SMTP settings, as those were hidden, type it again “to be sure” (and made an error on the port value)
  4. Lose some time debugging the issue, as settings were again hidden so not possible to identify the typing error directly…

As a side note, it is also a pain not being able to configure those settings (and all others) using configuration variables (we use docker-compose). This would be so much easier to maintain app configuration…

1 Like

I would recommend to remove the .secure attribute for the following SMTP fields:

  • email.smtp_host
  • email.smtp_port
  • email.smtp_secure_connection
  • email.smtp_username (this one is questionable but not absurd)

1 Like

Hi @scm_invn,

Thank you for your input and valuable feedback. While I agree that it is not the best user experience (for some of the currently .secured settings), there are more reasons to have some of the settings .secured (basically to mitigate the risk that any of them might be stolen by a user who is not an admin, I won’t go into details here).

In case we see more reports from users that match what you experience, we might revisit this topic to provide a better user experience in the future. But for now, no immediate action will be taken on our side.

Thank you again for the feedback on the product,
Have a great day

Does it mean that a non-admin user can get access to admin settings values? And this is a workaround to mitigate a security issue in SonarQube?

Anyway, SMTP host / port / ssl_tls_config are not sensitive / confidential data, but as this is just a user-experience issue I can understand your conclusion (no-go).

Hi again,

Some SonarQube settings are returned by the api/settings/values endpoint depending on the user’s permissions. Settings that are .secured are never returned by this endpoint. That’s all that I meant. For details please see this ticket: [SONAR-15338] - Jira.

1 Like
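An added example, not part of the thread or of SonarQube's own code: a check an administrator could run over a saved api/settings/values response to confirm that no .secured key comes back with a value for a given account. The JSON shape (a "settings" list plus a "setSecuredSettings" list), the ".secured" key suffix and all sample keys and values are assumptions constructed for illustration.

```python
import json

SECURED_SUFFIX = ".secured"  # assumption: the suffix is part of the setting key

# Constructed response bodies. The shape ("settings" plus "setSecuredSettings")
# is an assumption about api/settings/values, not something shown in the thread.
EXPECTED = json.dumps({
    "settings": [
        {"key": "sonar.core.serverBaseURL", "value": "https://sonar.example.test"},
        {"key": "email.from", "value": "noreply@example.test"},
    ],
    "setSecuredSettings": ["email.smtp_host.secured", "email.smtp_port.secured"],
})
LEAKY = json.dumps({
    "settings": [
        {"key": "email.smtp_host.secured", "value": "smtp.example.test"},
        {"key": "email.from", "value": "noreply@example.test"},
    ],
    "setSecuredSettings": [],
})


def audit_settings_response(raw):
    """Classify the setting keys found in one response body."""
    doc = json.loads(raw)
    leaked, visible = [], []
    for entry in doc.get("settings", []):
        key = entry.get("key", "")
        # A secured key in the value list means its value was disclosed.
        (leaked if key.endswith(SECURED_SUFFIX) else visible).append(key)
    # Keys reported as configured without their value being revealed.
    hidden = [k for k in doc.get("setSecuredSettings", [])
              if k.endswith(SECURED_SUFFIX)]
    return {
        "leaked": sorted(leaked),
        "visible": sorted(visible),
        "set_but_hidden": sorted(hidden),
    }


if __name__ == "__main__":
    for name, body in (("expected", EXPECTED), ("leaky", LEAKY)):
        print(name, audit_settings_response(body))
```

A non-empty "leaked" list for a non-admin account is the condition the .secured flag is meant to prevent.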

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.