SonarQube server that has FIPS crypto requirements (enabled)

SonarQube will not run on Linux hosts where FIPS (Federal Information Processing Standard) is enforced. (from Prerequisites and overview)

Why won’t it?

Hey there.

SonarQube uses some encryption algorithms that aren’t FIPS compliant. That might sound like a bad idea, but these algorithms have been used in non-security sensitive ways for a long time in SonarQube… but that doesn’t matter, because in a FIPS-environment those usages will simply fail.

I can tell you this is an active topic right now, with progress being made (I just read the output of an investigation sprint). Hopefully more to share soon :pray:

For what it’s worth, we have more than 1,000 live instances being used by the federal government even without this compliance. You can read more here.


Hi @jblaine ,

In SonarQube 10.6 we fixed the most urgent issues with running SQ on FIPS. Feel free to try it out!