Upgrade from 7.9.1 to 8.9 LTS - webhook ceased to work

Template for a good bug report, formatted with Markdown:

  • versions used (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube CE 8.9.0

  • error observed (wrap logs/code around triple quote ``` for proper formatting)
    After upgrading from 7.9.1 to 8.9 LTS, everything seemed to work fairly smoothly, but my Jenkins webhook was missing. I wasn’t able to recreate it due to:

Invalid URL: loopback and wildcard addresses are not allowed for webhooks.

Our setup is: Jenkins and SonarQube run on the same machine (yes, I know…) with an nginx reverse proxy routing the traffic. Since SonarQube and Jenkins share the same host, this message occurs.
I’ve tried:

  • using the unproxied Jenkins URL (which contains a different port, 8080)
  • using the IP
  • using localhost

It’s always the same message.

I then tried to create a functioning webhook with a non-existing URL and add the correct URL directly in the database. This led to the following in the CE log:

message=Invalid URL: loopback and wildcard addresses are not allowed for webhooks.

I don’t know where this restriction has come from, but it should be overridable (maybe just a warning?). In any case, a URL going to another port than the one SonarQube is reached on shouldn’t be considered a loopback interface in any case.

  • steps to reproduce
    Run Jenkins and SonarQube on the same machine, try to create a webhook to Jenkins from SonarQube

  • potential workaround
    I will have to use another host temporarily to serve as a proxy.

Hey there.

This was noted in the Upgrade Notes:

Webhooks aren’t allowed to target the instance
To improve security, webhooks, by default, aren’t allowed to point to the SonarQube server. You can change this behavior in the configuration. (SONAR-14682).

You can change this behavior in the global configuration: Administration > General Settings > Security, setting “Enable local webhooks validation” to false.

Disabling this setting can expose the instance to security risks.
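
A check of the kind described in the quoted upgrade note looks at the address a webhook host resolves to and ignores the port. The sketch below is an added example, not SonarQube's code and not part of either post; the hostnames, addresses, the `check_webhook_url` function and the rule that the server's own interface addresses count as local are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: names and addresses are made up for this example.
SAMPLE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "ci.example.test": ["192.0.2.10"],       # proxied name on the same host
    "hooks.example.test": ["198.51.100.7"],  # a different machine
}
SAMPLE_LOCAL_ADDRS = {"192.0.2.10"}  # assumed: addresses bound on the server


def resolve(host, dns=SAMPLE_DNS):
    """Return IPs for host: literal IPs as-is, names via the sample table."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in dns.get(host.lower(), [])]


def check_webhook_url(url, local_addrs=SAMPLE_LOCAL_ADDRS, dns=SAMPLE_DNS):
    """Return (allowed, reason). The port is deliberately never consulted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "not an http(s) URL with a host"
    addrs = resolve(parts.hostname, dns)
    if not addrs:
        return False, "host does not resolve"
    local = {ipaddress.ip_address(a) for a in local_addrs}
    for ip in addrs:
        # Treat ::ffff:a.b.c.d as a.b.c.d so the IPv4 checks still apply.
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if ip.is_loopback:
            return False, f"{ip} is a loopback address"
        if ip.is_unspecified:
            return False, f"{ip} is a wildcard address"
        if ip in local:
            return False, f"{ip} is bound on this server"
    return True, "ok"
```

With this model, a different port, the machine's own IP, `localhost` and a proxied name that resolves back to the same host are all rejected, and only a host on another machine passes.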

I read the Notes at LTS to LTS Release Upgrade Notes | SonarQube Docs and somehow managed to miss this. Sorry for that and thanks so much for your answer. Everything works now.
