SonarCloud exposes Azure DevOps PAT

To set up SonarCloud to add comments on pull requests for Azure DevOps you need to give it a PAT
(sonar.pullrequest.vsts.token.secured).

After it has been saved, other admins can get access to it.


(I have replaced the token in the image.)

Normally a webpage doesn’t send a password or token back to the browser.
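The pattern the post is asking for is a write-only secret: the server accepts the PAT, stores it, uses it when decorating pull requests, but never echoes it back on a configuration read. The following is an added illustration written for this thread, not SonarCloud's own code. It models a tiny settings store with a vulnerable read path (returns the stored secret) next to a hardened one (returns only a mask for keys ending in `.secured`), and handles the usual edge case where the settings form posts the mask back and must not overwrite the real value. The `SettingsStore` class, the `MASK` placeholder and the sample PAT value are all constructed for the example.

```python
"""Write-only handling of secured settings (added example, not SonarCloud code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# SonarQube/SonarCloud mark secret settings with a ".secured" key suffix.
SECURED_SUFFIX = ".secured"
# Hypothetical placeholder the UI receives instead of the stored secret.
MASK = "********"


@dataclass
class SettingsStore:
    """Minimal project-settings store with separate internal and UI read paths."""

    _values: Dict[str, str] = field(default_factory=dict)

    def set(self, key: str, value: str) -> None:
        self._values[key] = value

    def read_vulnerable(self, key: str) -> Optional[str]:
        # The problem described in the thread: the stored value, PAT included,
        # is returned to whoever can open the project settings page.
        return self._values.get(key)

    def read_hardened(self, key: str) -> Optional[str]:
        # Hardened read path: secured keys only reveal whether a value is set.
        value = self._values.get(key)
        if value is None:
            return None
        if key.endswith(SECURED_SUFFIX):
            return MASK
        return value

    def internal_value(self, key: str) -> Optional[str]:
        # Only server-side code that actually calls Azure DevOps uses this path;
        # it is never wired to an HTTP response.
        return self._values.get(key)

    def update_from_form(self, key: str, submitted: str) -> None:
        # Edge case: the settings form re-posts the mask it was shown. Treat that
        # as "unchanged" rather than storing the literal mask as the new token.
        if key.endswith(SECURED_SUFFIX) and submitted == MASK:
            return
        self.set(key, submitted)

    def settings_for_ui(self) -> Dict[str, Optional[str]]:
        # What a project admin's browser should receive.
        return {k: self.read_hardened(k) for k in self._values}


def demo() -> Dict[str, Optional[str]]:
    """Compare both read paths on a constructed configuration."""
    store = SettingsStore()
    store.set("sonar.pullrequest.provider", "vsts")
    # Constructed sample value standing in for a real Azure DevOps PAT.
    store.set("sonar.pullrequest.vsts.token.secured", "constructed-sample-pat")
    key = "sonar.pullrequest.vsts.token.secured"
    return {
        "vulnerable": store.read_vulnerable(key),
        "hardened": store.read_hardened(key),
        "plain": store.read_hardened("sonar.pullrequest.provider"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of separating `internal_value` from `read_hardened` is that the PR-decoration job still gets the real token while the settings API can only say "set" or "unset"; a project admin who is not the PAT's owner therefore cannot lift it from the page.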

Hi @HenrikSommer-eng and welcome to the community.

Thanks for pointing this out, we will have a look.

For tracking : https://jira.sonarsource.com/browse/SCCOMM-25

Mickaël


@mickaelcaro it doesn’t look like the JIRA bug has any activity on it since you opened it. Can you please provide an update to what appears to be a security issue?

Hi @ChrisB

The severity of that has been decreased as the impact was assessed: only the project admin can see that token in the clear, which might be the person who set it up. It will still be addressed soon.

Thanks.
Mickaël

It “might” be the person who set it up, but it well might not be. I think this is a bigger problem than you realize because you’re conflating the SC admin privileges with those in Azure DevOps. That PAT belongs to a particular user, and by allowing various project admins to see the PAT means that they can impersonate the DevOps user it’s associated with.


And that’s the reason why it still needs to be addressed on our side :wink:

@ChrisB in Azure DevOps you can create a user with limited access so the PAT you use only has access to comment on PRs.
That limits the problem until the problem is fixed here.

I thought the PAT required code read and write to work properly.

Users and scopes are 2 different notions: you can create a limited user (i.e. not an admin), but with enough permissions to do PR decoration, and those permissions are effectively Code (Read & Write).

Well yes and that’s what I did way back when, but that still leaves an avenue for a SonarCloud project admin to make code changes in DevOps that they’re not allowed to make - and that will have an incorrect audit trail.