SonarQube and Web Application Firewalls

Must include info:

  • We are running SonarQube Version 9.9 (build 65466), Scanner MSBuildAgent 5.13.
  • The Sonar Qube server is deployed in an Azure Tenant, running on a windows VM, with IIS serving as a reverse proxy to enable SSL. The configured datastore is Azure SQL Server. The connection to the server is fronted by Azure Front Door, which is implementing a Web Application Firewall. The web application firewall is utilizing the Azure Default Rule Set 2.1 (this is baselined off of the OWASP Core Rule Set 3.3.2)
  • I am trying to determine if there is an established set of exclusions for the Sonar Qube server for this ruleset that can be implemented.
  • I have searched the web and forums, and found references to issues related to Web Application Firewalls, but have not found any official guidance

Noting the above configuration, we are trying to understand the most secure way to configure our web application firewall to eliminate false positives when it inspects SonarQube traffic utilizing the OWASP Core Rule Set (OWASP) 3.3.2.

The web application firewall is a mandated defense in depth requirement by our Information Security team, and rather than starting from scratch in figuring out what exclusions are required - we would like to understand if there is any documented exclusions for SonarQube in relation to the Core Rule Set.

Is anyone aware of any documented exclusions to support SonarQube on premise behind a WAF (specifically the OWASP Core Rule Set)? Before we attempt to go through the effort of identifying and remediating the false positives, we would like to understand if the Sonar Source or the community has any guidance on this subject.

Hey there.

As far I know, we’ve run into two reports about the Azure WAF:

Fixed by disabling Multipart parser detected a possible unmatched boundary.

And this issue related to GitHub-driven authentication:

Still being diagnosed.

Otherwise, we haven’t heard any other reports of issues. Others might be able to chime in, but unfortunately no specific guidance from SonarSource.

Hi Colin,

Thank you for the response. We are definitely encountering the first issue from sonar scanner, but we are also hitting some within the web administration tool. If there is no specific guidance, we will investigate the false positives we are encountering in our environment, and work through them.

Regards,
Tim

I invite you to share any findings here, to help future users (and inform us, to see if some official documentation is warranted or changes in the product, or if we need to give feedback to Microsoft…).