[TRANSPARENCY] Disable default server info collect by SonarSource

sonarqube
security
(Benoît Garçon) #1

By default, SonarSource collects server information about all SonarQube instances.

This collection can be disabled by setting the property sonar.telemetry.enabled to false.

But by default, this is enabled and SonarQube servers send server information to https://telemetry.sonarsource.com/sonarqube every 6 hours. The collected information is that provided by /api/system/info.

No information is openly provided to users about the telemetry feature and its default configuration.

It would be more transparent and ethical towards users and the community to set this feature to false by default, or at least warn them about telemetry before they launch a SonarQube server.

I suggest these changes: https://github.com/SonarSource/sonarqube/pull/3199
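
As an added example (not part of the original post and not SonarSource code), one way to check whether a given sonar.properties file actually disables telemetry, since a commented-out or later-overridden entry leaves the default in force. The function name, the simplified parsing of the properties format and the sample file contents are assumptions made for illustration.

```python
import re

TELEMETRY_KEY = "sonar.telemetry.enabled"  # property named in the post
DEFAULT_ENABLED = True                     # per the post: on unless set to false

# Simplified .properties line (assumption): key, '=' or ':' separator, value.
_ENTRY = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:]\s*(.*?)\s*$")


def telemetry_status(properties_text):
    """Return (enabled, reason) for the effective telemetry setting."""
    value = active_line = commented_line = None
    for number, raw in enumerate(properties_text.splitlines(), start=1):
        stripped = raw.strip()
        if stripped.startswith(("#", "!")):
            # A commented-out entry looks configured but has no effect.
            if TELEMETRY_KEY in stripped:
                commented_line = number
            continue
        match = _ENTRY.match(raw)
        if match and match.group(1) == TELEMETRY_KEY:
            value, active_line = match.group(2), number  # last entry wins
    if value is None:
        if commented_line is not None:
            return DEFAULT_ENABLED, f"line {commented_line} is commented out; default applies"
        return DEFAULT_ENABLED, "property not set; default applies"
    # Conservative (assumption): only an explicit "false" counts as disabled.
    enabled = value.lower() != "false"
    return enabled, f"line {active_line} sets {TELEMETRY_KEY}={value}"


if __name__ == "__main__":
    # Constructed sample file contents, not taken from a real installation.
    samples = {
        "commented-out entry": "#sonar.telemetry.enabled=false\n",
        "explicitly disabled": "sonar.web.port=9000\nsonar.telemetry.enabled=false\n",
        "re-enabled further down": "sonar.telemetry.enabled=false\nsonar.telemetry.enabled=true\n",
    }
    for name, text in samples.items():
        enabled, reason = telemetry_status(text)
        print(f"{name}: telemetry {'ON' if enabled else 'off'} ({reason})")
```
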

(Benoit) #9

Hi Benoît,

Sorry for the late reply.

The information is shown in the web.log at startup and in the default sonar.properties file. Also, I think it’s important to say that the information collected is anonymous and only used internally to help make product decisions.
We totally understand your point, but disabling the telemetry by default will significantly reduce the amount of data we receive. So because this data has a lot of value, it has (unfortunately) been decided not to change the default behavior.

We could improve the visibility of the default behavior by showing it somewhere in the UI, but because it’s the first time we have received such a request, and it has only two votes, we won’t do it for the moment.

I hope you’ll understand our decision.
Benoit

(Adam Gabryś) #10

Hello Benoit,

Fair enough for me :slight_smile:

(Benoît Garçon) #11

Hello everyone,

We understand your needs.

It is a good first step.

Thanks for the answer and time spent on this request.
Benoît