SonarQube onprem with PingAccess (reverse proxy) authentication

My company has a SonarQube, and we need to expose it to the internet. SonarCloud is not an option now.

Now we were able to create a reverse proxy using PingAccess, and then we can reach SonarQube, but the problem is that it is fully open to the internet, and the use of a token to authenticate is very weak according to our security team, so we should use a token + a certificate, for example. The first try was to use the PingFederate token, but then the header clashes with the SonarQube token.

We would like to know if it is possible to use mTLS, where the client would have a valid certificate and the connection is only established when it is valid. Any other option is welcome in order to make it more secure.

Hi @fabbios,

I don’t know PingAccess, but looking at the description on their website, isn’t the whole purpose to provide strong access control “down to the URL”? This would seem easier than using mTLS. Anyway, SonarQube itself does not support mTLS. This kind of authentication has to be deferred to the reverse proxy. I don’t know about PingAccess, but this could be done using NginX, for example.

I’d also be interested in knowing why your security team thinks the token is very weak.

Hope this helps.

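One way to defer mTLS to the reverse proxy, as the reply above suggests, is to have nginx verify the client certificate before anything reaches SonarQube. This is an added example, not configuration from this thread or from SonarSource; the hostname, certificate paths and the upstream address 127.0.0.1:9000 are assumptions.

```nginx
# Added example: nginx terminating mTLS in front of an on-premises SonarQube.
# Assumed values: sonar.example.com, the certificate paths, and SonarQube
# listening on 127.0.0.1:9000.
server {
    listen 443 ssl;
    server_name sonar.example.com;

    # Server-side TLS (assumed paths)
    ssl_certificate     /etc/nginx/tls/sonar.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/sonar.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client-side TLS: require a certificate issued by the internal CA.
    # Only clients holding a cert chained to this CA get past the handshake,
    # so a leaked token alone is no longer enough to reach SonarQube.
    ssl_client_certificate /etc/nginx/tls/internal-client-ca.crt;
    ssl_verify_client      on;   # "optional" would let unauthenticated requests through
    ssl_verify_depth       2;
    # Revocation list for issued client certs (assumed path, enable if you publish one)
    # ssl_crl /etc/nginx/tls/internal-client-ca.crl;

    location / {
        proxy_pass http://127.0.0.1:9000;

        # Headers SonarQube needs to build correct URLs behind a reverse proxy
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Forward the verified client identity for proxy/app-side audit logging;
        # this is informational and does not replace the SonarQube token.
        proxy_set_header X-Client-Verify   $ssl_client_verify;
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
    }
}

# Plain HTTP is redirected, so no request bypasses the TLS handshake.
server {
    listen 80;
    server_name sonar.example.com;
    return 301 https://$host$request_uri;
}
```

Validate with `nginx -t`, then confirm that a request without a client certificate is rejected at the handshake while `curl --cert client.crt --key client.key https://sonar.example.com/api/system/status` succeeds.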

After some months, the infra team here found out how to configure PingAccess. We also did a PoC using nginx and it worked fine.

About the token, the security team said that if a token is exposed, it would be easy for some hacker to steal data from Sonar. Having mTLS would make it more difficult, as the client certs will be issued in a controlled way.

Now I have another question: how can I pass the client certificate during my SonarQube analysis? I tried lots of options, using javax variables, the SonarQube env variable for extra configuration, and nothing worked.

I’m still not really sure why there is an issue with using a token, as this is a very common practice. It’s not unique to SonarQube.

Anyway, we do not provide any other access control. Certificates are managed by the JVM directly, the scanner doesn’t do anything specific about this (and cannot, in fact). You should have a look at how to configure truststores in Java (check $JAVA_HOME/lib/security/cacerts), and you should use keytool to manage them.

The main problem in our scenario is that we use an on-premises SonarQube, not SonarCloud. Due to that, allowing access from the internet using a token is a security breach in case some bug is present somewhere. If someone with a token knows how to exploit some breach in SonarQube, maybe it will allow the person to reach the source code or our internal network. It is really hard to do, but the security team cannot consider the risk.

Anyway, in another post I wrote that I implemented a way to have mTLS using this scanner. I also submitted a PR to the scanner, which is also linked in that post.