Hi!
I have a 9.9.0 SonarQube server running, and when I downloaded access logs from the system tabs, I saw that it saved user logins with plaintext passwords. Is there a way to configure this format to hide or remove the passwords?
Thanks in advance!
Kornél
Hey there.
That's weird, and shouldn't be the default behavior. Can you give an example (redacted of course)?
Yes, here is one example:
2024-08-01T00:05:57.335+02:00 | [IP address] | [-] | [-] | [POST /api/authentication/login HTTP/1.1] | [200] | [-] | [Sonar URL] | [browser data] | [login=realusername&realpassword] | [Some kind of token] | [-] | -
The default logging for SonarQube looks like this:
0:0:0:0:0:0:0:1 - - [05/Aug/2024:08:32:31 +0200] "POST /api/authentication/login HTTP/1.1" 200 - "http://localhost:9000/sessions/new?return_to=%2F" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36" "33f147a2-0326-4a4f-b176-1cac72ee8edf" 193
Has somebody adjusted sonar.web.accessLogs.pattern in your conf/sonar.properties file?
Hey there, OP here. The web access log format is the following:
"%i{X-Forwarded-For} %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}""
Is there a way to display the username login, but without a password?
Hey @tkornel2
I dug into this a bit more. I realized that it's only happening when I make a curl request rather than using the UI. Do you confirm it's the same on your side?
Hey, it happens when I log in through the UI; even failed attempts get logged.
I really think your Access Log pattern can't be what you think it is. Can you check the value of sonar.web.accessLogs.pattern in your "System Info" (see below) and/or share your system info here?
You are right, this is the format:
"sonar.web.accessLogs.pattern":"%t{yyyy-MM-dd\u0027T\u0027HH:mm:ss.SSSXXX} | [%i{X-Forwarded-For}] | [%l] | [%u] | [%r] | [%s] | [%b] | [%i{Referer}] | [%i{User-Agent}] | [%requestContent] | [%reqAttribute{ID}] | [%reqAttribute{LOGIN}] | %reqAttribute{TOKEN_NAME}"
When the requestContent is logged, it contains the sensitive data during user/pass auth.
Okay! The presence of this is exposing the details.
So it really comes down to where this config is coming from. I suggest:
- Double checking your conf/sonar.properties file (check for the string [%requestContent] specifically!)
- Check that SONAR_WEB_ACCESSLOGS_PATTERN is not an environment variable set in your environment
- If that fails, please tell us more about your SonarQube deployment. How is it deployed? From the ZIP file? A Docker image? Something else?
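A small audit script for the two sources listed above, added here as an example; it is not SonarQube's own tooling and not part of this thread. It assumes the path to conf/sonar.properties as its argument and uses a constructed sample file to show a positive finding.

```shell
#!/bin/sh
# Added example (not SonarQube's own code): find out whether the effective
# sonar.web.accessLogs.pattern contains %requestContent, which writes the request
# body (including login form fields) into the access log. The two sources checked
# are the ones named in the thread: conf/sonar.properties and the environment
# variable SONAR_WEB_ACCESSLOGS_PATTERN. The sample properties file is constructed.

# Print the value of a key from a Java-style properties file ("" if absent or commented out).
props_value() {
  # $1 = file, $2 = key as a sed regex
  sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

# True (0) when the given pattern would log request bodies.
pattern_logs_bodies() {
  case "$1" in
    *%requestContent*) return 0 ;;
    *) return 1 ;;
  esac
}

# Report both sources; returns 0 when neither logs bodies, 1 when at least one does.
audit_access_log_pattern() {
  file="$1"; rc=0
  file_pat=$(props_value "$file" 'sonar\.web\.accessLogs\.pattern')
  if [ -n "$file_pat" ]; then
    echo "conf file sets pattern: $file_pat"
    pattern_logs_bodies "$file_pat" && { echo "  -> %requestContent present in $file"; rc=1; }
  else
    echo "conf file does not set sonar.web.accessLogs.pattern"
  fi
  if [ -n "${SONAR_WEB_ACCESSLOGS_PATTERN:-}" ]; then
    echo "env SONAR_WEB_ACCESSLOGS_PATTERN=$SONAR_WEB_ACCESSLOGS_PATTERN"
    pattern_logs_bodies "$SONAR_WEB_ACCESSLOGS_PATTERN" && { echo "  -> %requestContent present in environment"; rc=1; }
  else
    echo "env SONAR_WEB_ACCESSLOGS_PATTERN not set"
  fi
  return $rc
}

# Constructed sample: a properties file carrying the pattern quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# conf/sonar.properties (constructed sample)
sonar.web.accessLogs.pattern=%t | [%i{X-Forwarded-For}] | [%u] | [%r] | [%s] | [%requestContent] | [%reqAttribute{LOGIN}]
EOF
audit_access_log_pattern "$sample" || echo "FINDING: request bodies (credentials) are being logged"
rm -f "$sample"
```

Run it against the real file with `audit_access_log_pattern /path/to/conf/sonar.properties`; a non-zero exit means the pattern should be edited to drop `[%requestContent]` (the `%reqAttribute{LOGIN}` field already records the login name without the password).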