[TRANSPARENCY] Disable default server info collection by SonarSource

sonarqube
security

(Benoît Garçon) #1

By default, SonarSource collects server information about all SonarQube instances.

This collection can be disabled by setting the property sonar.telemetry.enabled to false.

But by default, this is enabled and SonarQube servers send server information to https://telemetry.sonarsource.com/sonarqube every 6 hours. The collected information is that provided by /api/system/info.

No information is openly provided to users about the telemetry feature and its default configuration.

It would be more transparent and ethical towards users and the community to set this feature to false by default, or at least warn them about telemetry before they launch a SonarQube server.

I suggest these changes: https://github.com/SonarSource/sonarqube/pull/3199
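An added example, not part of the original post or of SonarQube's own code: a small audit helper that reads the text of a properties file and reports whether telemetry is effectively on, given the default described above. It assumes Java `.properties` conventions (comments start with `#` or `!`, the last assignment of a key wins) and conservatively treats any value other than `false` as enabled; the function name and sample inputs are constructed for illustration.

```python
import re

KEY = "sonar.telemetry.enabled"
DEFAULT_ENABLED = True  # per the post: telemetry is on unless explicitly disabled

# key, optional separator (= or :, or just whitespace), then the value
_ASSIGNMENT = re.compile(r"^\s*([^\s=:]+)\s*[=:]?\s*(.*?)\s*$")


def telemetry_enabled(properties_text):
    """Return (enabled, reason) for the content of a properties file."""
    value, lineno = None, None
    for n, line in enumerate(properties_text.splitlines(), 1):
        stripped = line.lstrip()
        # A commented-out setting has no effect, so the default still applies.
        if not stripped or stripped[0] in "#!":
            continue
        m = _ASSIGNMENT.match(line)
        if m and m.group(1) == KEY:
            value, lineno = m.group(2), n  # assumption: last assignment wins
    if value is None:
        return DEFAULT_ENABLED, "property not set, default applies"
    # Conservative audit rule (assumption): only an explicit 'false' counts as off.
    if value.lower() == "false":
        return False, f"disabled on line {lineno}"
    return True, f"line {lineno} sets {value!r}, treated as enabled"


if __name__ == "__main__":
    # Constructed sample inputs
    samples = {
        "untouched file": "sonar.web.port=9000\n",
        "commented out": "#sonar.telemetry.enabled=false\n",
        "disabled": "sonar.telemetry.enabled = false\n",
        "overridden later": "sonar.telemetry.enabled=false\n"
                            "sonar.telemetry.enabled=true\n",
    }
    for name, text in samples.items():
        enabled, reason = telemetry_enabled(text)
        print(f"{name}: {'ENABLED' if enabled else 'disabled'} ({reason})")
```
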