Sonar.gitlab.user_token leaks in "Project Settings/Background Tasks/Scanner Context"

  • Enterprise Edition, Version 8.9.3 (build 48735)

  • GitLab plugin version is 4.1.0

  • When I add a sonar.gitlab.user_token in the Admin UI, it is shown in “Project Settings/Background Tasks/Scanner Context” of a project in plain text

  • In the Admin UI I am unable to see the value, I may only change it there. It is somehow marked as a password.

  • When a plugin does mark something as a password, I would assume that it will be hidden or replaced by asterisks in “Scanner Context” as well.

Hi Mirko,

You are mentioning here a GitLab plugin. Are you using a community plugin?
GitLab integration comes out of the box with SonarQube.

Chris

Hi @Chris,

yes, thanks for coming back on this. sonar.gitlab.user_token is probably from GitHub - gabrie-allaigre/sonar-gitlab-plugin: Add to each commit GitLab in a global commentary on the new anomalies added by this commit and add comment lines of modified files.

For the current default ALM integration there would need to exist a user which has at least reporter access to all projects (we have about 1500 projects and approx. for every 50 projects different permissions may exist; the plugin allows to specify a token during analysis).

So, more in general: if a plugin “hides” a password/field set on the server side, I would expect that the scanner does not show it in its log? Does that make sense?

Regards
Mirko

Thanks for the explanations.

About the general behavior of settings on scanner side, SonarQube used to provide credentials that were needed during the analysis by some integrations like SVN.
We changed that behavior with SonarQube 9.1 (more info in the Upgrade Notes and in SONAR-15338).

Chris
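The check a defender would want after reading this thread: scan a "Scanner Context" dump (or analysis log) for credential-like server settings whose values are not masked, and redact them before the text is shared. This is an added example, not SonarQube's or the plugin's code; the dump below is constructed, the token value is a placeholder, and the name-pattern used to call a key "sensitive" is an assumption rather than SonarQube's own classification.

```python
import re

# Constructed sample of a SonarQube "Scanner Context" dump (key=value lines),
# modelled on the thread above; the token value is a made-up placeholder.
SAMPLE_CONTEXT = """\
SonarQube plugins:
  - GitLab 4.1.0 (gitlab)
Global server settings:
  - sonar.core.id=AAAA-BBBB
  - sonar.gitlab.user_token=glpat-EXAMPLE-NOT-A-REAL-TOKEN
  - sonar.gitlab.url=https://gitlab.example.com
Project server settings:
  - sonar.gitlab.project_id=12345
Project scanner properties:
  - sonar.host.url=http://localhost:9000
  - sonar.login=******
"""
# Key the thread names, plus an assumed pattern for secret-like property names.
SENSITIVE_KEYS = {"sonar.gitlab.user_token"}
SENSITIVE_PATTERN = re.compile(r"(token|password|passwd|secret|login)$", re.I)
MASKED = "******"  # how SonarQube renders masked values in the context dump

def parse_context(text):
    """Return {key: value} for every '  - key=value' line in a context dump."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*-\s*([\w.\-]+)=(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def is_sensitive(key):
    return key in SENSITIVE_KEYS or bool(SENSITIVE_PATTERN.search(key))

def find_unmasked_secrets(text):
    """Keys that look like credentials but whose value is shown in plain text."""
    return sorted(k for k, v in parse_context(text).items()
                  if is_sensitive(k) and v not in (MASKED, ""))

def redact_context(text):
    """Same dump with every sensitive value replaced by the mask."""
    def repl(m):
        key = m.group(2)
        return f"{m.group(1)}{key}={MASKED}" if is_sensitive(key) else m.group(0)
    return re.sub(r"^(\s*-\s*)([\w.\-]+)=(.*)$", repl, text, flags=re.M)

if __name__ == "__main__":
    print(find_unmasked_secrets(SAMPLE_CONTEXT))  # ['sonar.gitlab.user_token']
```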