I’m trying to determine all security concerns around handling of project-level sonar.login tokens.
- Is it possible to log in to a self-hosted enterprise sonar instance with a project-level sonar.login token?
- Is it possible to pull or get any information using a project-level sonar.login token?
- Does a project-level sonar.login token allow for any action other than telling the sonarqube instance that it’s okay to analyze a report?
- If a user got ahold of a project-level sonar.login token, would it be possible for them to use it to access any information?
- Is the worst case scenario that such a user could upload fake reports to be analyzed with SonarQube, but they wouldn’t be able to see any information about those reports?
- Are there any other scenarios in which access to a project-level sonar.login token could pose a potential security issue?