SonarQube Enterprise Edition additional notifications

Hello team,

We use SonarQube Enterprise Edition 9.9.1.69595 to scan our Terraform repositories, but it seems we cannot receive notifications for, for example, certain vulnerabilities. We do know that we can receive notifications for certain actions like “New issues”, “Quality gate changes” and a few more, but not for what I have mentioned. Also, we have noticed that having passwords in plain text is not detected by SonarQube.

Is it possible somehow to set up those features, and if they are not available at the moment, is there any plan to include them in a future update?

Hey there.

What kind of notifications are you expecting? “Certain vulnerabilities” is quite broad!

SonarQube includes some level of secret detection. It would be great if you could point to a specific example that isn’t being detected (some code that reproduces the false negative).

Hello Colin thank you for your reply,

There is a “Vulnerabilities” section, so one option would be to be notified for all of them. Specifically, in our case we have added an AWS Access/Secret Key to the code for testing purposes and it has been detected as a Vulnerability, so we would like, if possible, to be notified as well in case that happens by mistake.

module "database" {
  source = "../modules/aws-rds"

  identifier              = local.fullname
  db_name                 = var.db_name
  username                = "test"
  password                = "test122$!@"
  engine                  = "mysql"
  ...

The above example has not been detected!

Ideally we would also like to be able to add additional email addresses to be notified via the SMTP server which is already configured; for example, in case of a Vulnerability in the code it would be great for a group of people to be notified and not only those who have “Set notifications” on the project level.
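The snippet above assigns a string literal to `password`, which is exactly the pattern a hard-coded-secret check has to catch while staying quiet when the value is a reference such as `var.db_password`. The following is an added example of such a check written for this thread; it is not SonarQube’s analyzer, and the sample Terraform text (including the `AKIAIOSFODNN7EXAMPLE` value, which is the placeholder key ID used in AWS documentation) is constructed here:

```python
"""Hard-coded secret check for Terraform files.

Added example for this thread, not SonarQube's analyzer. It flags an attribute
whose name looks sensitive (password, secret, access_key, ...) when, and only
when, its value is a quoted string literal; references (var.*, local.*,
resource attributes, "${...}" interpolations) are left alone, which is the
distinction the false negative in this thread is about. AWS access key IDs are
flagged wherever they appear.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    attribute: str
    reason: str


ASSIGNMENT = re.compile(r'^\s*(?P<attr>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>.+?)\s*$')
# A bare "..." literal, optionally followed by a trailing comment.
STRING_LITERAL = re.compile(r'^"(?P<body>[^"]*)"\s*(#.*|//.*)?$')
INTERPOLATION = re.compile(r'\$\{')
SENSITIVE_NAMES = ("password", "passwd", "secret", "access_key", "token", "api_key", "private_key")
AWS_ACCESS_KEY_ID = re.compile(r'\b(AKIA|ASIA)[0-9A-Z]{16}\b')


def scan_terraform(text: str) -> List[Finding]:
    """Return one Finding per suspicious line; an empty list means nothing was flagged."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key = AWS_ACCESS_KEY_ID.search(line)
        if key:
            findings.append(Finding(lineno, key.group(0), "looks like an AWS access key ID"))
        assignment = ASSIGNMENT.match(line)
        if not assignment:
            continue  # block header, closing brace, blank line, comment
        attr = assignment.group("attr")
        if not any(name in attr.lower() for name in SENSITIVE_NAMES):
            continue
        literal = STRING_LITERAL.match(assignment.group("value"))
        if literal is None:
            continue  # var.x, local.x, data.x.y, a function call or a heredoc: not a literal here
        body = literal.group("body")
        if not body or INTERPOLATION.search(body):
            continue  # empty string or "${var.x}" is still a reference
        findings.append(Finding(lineno, attr, "sensitive attribute set to a string literal"))
    return findings


# Constructed sample input: the thread's module block plus a provider block.
SAMPLE_BAD = '''\
module "database" {
  source   = "../modules/aws-rds"
  username = "test"
  password = "test122$!@"          # literal, as in the thread's snippet
  engine   = "mysql"
}
provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder value
  secret_key = var.aws_secret_key
}
'''

# Same module, password supplied from a variable instead of a literal.
SAMPLE_GOOD = '''\
module "database" {
  source   = "../modules/aws-rds"
  username = "test"
  password = var.db_password
  engine   = "mysql"
}
'''

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(f"{label}: {len(scan_terraform(sample))} finding(s)")
        for f in scan_terraform(sample):
            print(f"  line {f.line}: {f.attribute}: {f.reason}")
```

The check is line-based on purpose: it is cheap enough to run as a pre-commit hook or CI step on every `.tf` file, and it demonstrates the caveat that matters for the thread, namely that a literal and a reference look the same to a naive grep for `password`.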

Hey there.

Thanks for your patience.

As noted previously, the built-in notifications will only let you subscribe to all new issues or a change in Quality Gate. If you’re looking for more flexibility in notifications, you might consider sending Webhooks to another system that is responsible for pushing out notifications to certain users / e-mail lists.

I’m not sure if this should be detected by a Terraform-specific hotspot or by Secrets static code analysis: MySQL database passwords should not be disclosed.

Can you post a complete code sample (an entire file) that reproduces the issue over in this category, so I can assign a team to take a look?

Hello Colin,

We tried to send notifications to Slack but unfortunately that did not work. Can you please confirm the compatibility of Slack Webhooks with SonarQube? We have only found some 3rd-party plugins that could help us achieve that, but they are not maintained anymore. On top of that, I do not think you can control the type of notifications via Webhooks; we want to receive only certain alerts and not one every time a project analysis has been completed.

I believe detecting passwords in plain text should be part of the vulnerability scanning, and I would expect to see the alert you have shared with me, “MySQL database passwords should not be disclosed”.
As for the code sample, the one I have posted here should be enough; otherwise, if the responsible team needs it, I can share it via email, as it includes a module and variables which are not convenient to post here.

SonarQube does not natively send webhooks in a format that Slack can understand… “something” would have to catch it in the middle and reformat it before forwarding it along. You can vote for a more native integration on our roadmap here.

This is a Community Forum, and we have certain rules and structures. I recommend that you post a full code sample that can reproduce the issue in the appropriate category. Keep in mind that SonarSource also offers Commercial Support.
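The two replies above describe the missing piece: a relay that receives SonarQube’s webhook, decides whether the event is worth a message, and reformats it for a Slack Incoming Webhook. The following is an added example of that relay’s core, written for this thread; it is not SonarQube’s, SonarSource’s or Slack’s code. It assumes a SonarQube webhook configured with a secret (so the `X-Sonar-Webhook-HMAC-SHA256` header is present), a Slack Incoming Webhook URL in the `SLACK_WEBHOOK_URL` environment variable, and the metric keys it watches; the sample event is constructed here, with field names following SonarQube’s webhook JSON:

```python
"""SonarQube -> Slack relay: the "something in the middle" the reply describes.

Added example, not SonarQube's or Slack's code. Assumed setup (not in the
thread): SonarQube posts to this relay's URL with a webhook secret configured;
the relay forwards only selected events to a Slack Incoming Webhook URL read
from SLACK_WEBHOOK_URL. Payload field names (status, project, branch,
qualityGate.conditions) follow SonarQube's webhook JSON.
"""
import copy
import hashlib
import hmac
import json
import os
import urllib.request
from typing import List, Optional

# Forward only when one of these metrics breaks the gate. Everything else is
# dropped, which avoids one message per completed analysis. Assumed metric keys.
WATCHED_METRICS = {"new_vulnerabilities", "new_security_rating", "new_security_hotspots_reviewed"}


def sign(body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 over the raw body, as sent in X-Sonar-Webhook-HMAC-SHA256."""
    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, header_value: Optional[str], secret: str) -> bool:
    """Constant-time check of the signature header; unsigned posts are rejected."""
    if not header_value:
        return False
    return hmac.compare_digest(sign(body, secret).encode(), header_value.strip().lower().encode())


def failing_watched_conditions(payload: dict) -> List[dict]:
    """Quality Gate conditions that are in ERROR and belong to a watched metric."""
    gate = payload.get("qualityGate") or {}
    return [c for c in gate.get("conditions", [])
            if c.get("status") == "ERROR" and c.get("metric") in WATCHED_METRICS]


def to_slack_message(payload: dict, conditions: List[dict]) -> dict:
    """Build the {"text": ...} body a Slack Incoming Webhook accepts."""
    project = payload.get("project", {})
    branch = (payload.get("branch") or {}).get("name", "")
    lines = [f":rotating_light: *{project.get('name', project.get('key'))}* ({branch}) "
             f"failed its Quality Gate on security metrics:"]
    for c in conditions:
        lines.append(f"- {c['metric']} = {c.get('value')} "
                     f"(threshold: {c.get('operator')} {c.get('errorThreshold')})")
    lines.append(project.get("url") or payload.get("serverUrl", ""))
    return {"text": "\n".join(lines)}


def handle_webhook(body: bytes, signature_header: Optional[str], secret: str) -> Optional[dict]:
    """Return the Slack message to post, or None when the event should be dropped."""
    if not verify_signature(body, signature_header, secret):
        raise PermissionError("missing or invalid X-Sonar-Webhook-HMAC-SHA256")
    payload = json.loads(body)
    if payload.get("status") != "SUCCESS":  # the analysis task itself failed; nothing to report
        return None
    conditions = failing_watched_conditions(payload)
    return to_slack_message(payload, conditions) if conditions else None


def post_to_slack(url: str, message: dict) -> int:
    """POST the message to a Slack Incoming Webhook and return the HTTP status."""
    req = urllib.request.Request(url, data=json.dumps(message).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample event for this example; all values are made up.
SAMPLE_EVENT = {
    "serverUrl": "https://sonarqube.example.internal",
    "taskId": "constructed-task-id",
    "status": "SUCCESS",
    "analysedAt": "2023-06-01T10:00:00+0000",
    "project": {"key": "infra-terraform", "name": "infra-terraform",
                "url": "https://sonarqube.example.internal/dashboard?id=infra-terraform"},
    "branch": {"name": "main", "type": "BRANCH", "isMain": True},
    "qualityGate": {"name": "Security gate", "status": "ERROR", "conditions": [
        {"metric": "new_vulnerabilities", "operator": "GREATER_THAN",
         "value": "2", "status": "ERROR", "errorThreshold": "0"},
        {"metric": "new_coverage", "operator": "LESS_THAN",
         "value": "85.0", "status": "OK", "errorThreshold": "80"},
    ]},
}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT).encode()

# Same event with a passing gate: the relay must stay silent for it.
PASSING_EVENT = copy.deepcopy(SAMPLE_EVENT)
PASSING_EVENT["qualityGate"]["status"] = "OK"
for _condition in PASSING_EVENT["qualityGate"]["conditions"]:
    _condition["status"] = "OK"
PASSING_BODY = json.dumps(PASSING_EVENT).encode()

if __name__ == "__main__":
    secret = "webhook-secret-from-sonarqube-config"  # assumed value
    message = handle_webhook(SAMPLE_BODY, sign(SAMPLE_BODY, secret), secret)
    print(json.dumps(message, indent=2))
    if message and os.environ.get("SLACK_WEBHOOK_URL"):
        print("Slack responded", post_to_slack(os.environ["SLACK_WEBHOOK_URL"], message))
```

Two points a practitioner would want here: the relay rejects any post whose HMAC does not verify, since the endpoint is otherwise an open door for forged “quality gate failed” messages, and the filtering happens on the gate conditions in the payload, which is the only per-analysis signal the webhook carries; listing the individual new vulnerabilities would take a follow-up call to SonarQube’s Web API rather than anything in the webhook body. Wiring `handle_webhook` into an HTTP server is left as the deployment step.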