SonarQube GET api/projects/search

We have created a SonarQube tool user to query data using the Web API. As expected, a user token has been generated to grant access. The problem we have is that querying through projects requires ‘Administer System’ permission (see docs).
In my opinion the permission required for the user is too privileged.

I’m wondering if I’m the only person who thinks that it’s not the best idea to have admin rights just to query data…

Can anybody within the community recommend an alternative solution/workaround?

Using SonarQube:

  • Enterprise Edition Version 9.7.1

Hi,

To search for projects, you can also use this internal endpoint: components/search_projects. It’s the one used by the UI when you browse projects. It does not require admin permissions, and you will get as results the projects that the user doing the query is allowed to see.

Keep in mind that our deprecation policy doesn’t apply to internal endpoints, so it might change without notice in the future.
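
Added example, not part of the thread and not SonarQube's own code: paging through the internal `api/components/search_projects` endpoint with a non-admin user token, so the result contains only the projects that user is allowed to see. The host name, the `p`/`ps` paging parameters and the `paging`/`components` response shape are assumptions about this internal endpoint, and the sample pages are constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "https://sonarqube.example.internal"  # placeholder host (assumption)
ENDPOINT = "/api/components/search_projects"     # internal endpoint named in the reply


def http_fetch(token, params, base_url=BASE_URL):
    """GET one page; the user token is sent as the Basic auth username with an empty password."""
    url = f"{base_url}{ENDPOINT}?{urllib.parse.urlencode(params)}"
    auth = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def visible_projects(fetch, page_size=100, max_pages=1000):
    """Collect the project keys visible to the caller, following pagination.

    `fetch` takes a dict of query parameters and returns the decoded JSON page.
    """
    keys, page = [], 1
    while page <= max_pages:
        body = fetch({"p": page, "ps": page_size})
        # Internal endpoint: fail loudly if the assumed shape changed,
        # rather than silently returning a partial project list.
        if "components" not in body or "paging" not in body:
            raise ValueError("unexpected response shape from search_projects")
        keys.extend(c["key"] for c in body["components"])
        if not body["components"] or len(keys) >= body["paging"]["total"]:
            break
        page += 1
    return keys


def constructed_fetch(params):
    """Constructed sample pages standing in for a server, so the block runs offline."""
    sample = ["team-a:api", "team-a:web", "team-b:batch"]
    start = (params["p"] - 1) * params["ps"]
    page = sample[start:start + params["ps"]]
    return {"paging": {"pageIndex": params["p"], "pageSize": params["ps"], "total": len(sample)},
            "components": [{"key": k, "name": k} for k in page]}


if __name__ == "__main__":
    print(visible_projects(constructed_fetch, page_size=2))
    # Real use: visible_projects(lambda params: http_fetch(token, params))
```

Because the tool user needs only Browse permission on the projects it should report on, the token no longer carries ‘Administer System’.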

Hi Pierre,

Thank you for the quick reply. The alternative solution sounds reasonable, even though it is not the ideal solution for us because we are using the python-sonarqube-api lib. Do you know why exactly we need ‘Administer System’ permissions for GET api/projects/search? Does this call return any sensitive values? Asking out of curiosity.

Thank you in advance.

This endpoint is designed to be used by admins to list all projects, regardless of individual project permissions. It’s used in the SQ admin UI, to manage projects.

The sensitive value it returns is the very existence of projects.


Thank you for clarifying it. :+1:
