What is Worst Case Scenario for sonar.login token leak?

I’m trying to determine all security concerns around handling of project-level sonar.login tokens.

  • Is it possible to log in to a self-hosted enterprise sonar instance with a project-level sonar.login token?
  • Is it possible to pull or get any information using a project-level sonar.login token?
  • Does a project-level sonar.login token allow for any action other than telling the sonarqube instance that it’s okay to analyze a report?
  • If a user got ahold of a project-level sonar.login token, would it be possible for them to access any information with it?
  • Is the worst case scenario that such a user could upload fake reports to be analyzed with SonarQube, but they wouldn’t be able to see any information about those reports?
  • Are there any other scenarios in which access to a project-level sonar.login token could pose a potential security issue?


The best way to be certain about this is to test it. :smiley:

I don’t believe it’s possible to log into the UI with any type of token.

Analysis needs a certain amount of information about the project to run. So… yes. Can you use it to invoke measure APIs? I doubt it, but I haven’t tested.

Again, analysis needs information about a project in order to run the analysis. (Just take a peek at your analysis logs.) Analysis also needs to upload its report to the server; the token is used for that too.
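One way to take the "test it" advice literally and measure what a project token can read on your own instance, as an added example that is not part of the original thread: probe a handful of documented SonarQube Web API endpoints with the token and record which ones answer 200 versus 401/403. The endpoint list, the label names and the `summarize`/`exposure` helpers are this example's own choices; exact responses vary by SonarQube version, so compare against a known user token as well.

```python
import base64
import urllib.error
import urllib.request

# Endpoints chosen for this example (all documented SonarQube Web API paths).
# A project analysis token only needs to submit analysis, so any probe that
# returns 200 here shows data the token could also read if it leaked.
PROBES = {
    "token accepted at all": "api/authentication/validate",
    "list projects visible to caller": "api/components/search?qualifiers=TRK&ps=1",
    "read measures of the project": "api/measures/component?component={key}&metricKeys=ncloc,bugs",
    "read issues of the project": "api/issues/search?componentKeys={key}&ps=1",
    "list all projects (admin)": "api/projects/search?ps=1",
    "list users (admin)": "api/users/search?ps=1",
}

def probe(base_url, token, project_key):
    """Call each probe with the token (Basic auth, token as user, empty password) -> {label: HTTP status}."""
    creds = base64.b64encode(f"{token}:".encode()).decode()
    results = {}
    for label, path in PROBES.items():
        req = urllib.request.Request(f"{base_url.rstrip('/')}/{path.format(key=project_key)}")
        req.add_header("Authorization", f"Basic {creds}")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                code = resp.status
                # validate answers 200 even for a bad token; treat {"valid":false} as a denial
                if path.startswith("api/authentication/validate") and b'"valid":false' in resp.read().replace(b" ", b""):
                    code = 401
        except urllib.error.HTTPError as e:
            code = e.code
        results[label] = code
    return results

def summarize(results):
    """Map status codes to verdicts: 200 = readable, 401/403 = denied, anything else = look closer."""
    return {label: "ALLOWED" if code == 200 else "denied" if code in (401, 403) else f"unexpected HTTP {code}"
            for label, code in results.items()}

def exposure(results):
    """Probes the token could read beyond merely being accepted, i.e. its blast radius if leaked."""
    return sorted(label for label, code in results.items() if code == 200 and label != "token accepted at all")

if __name__ == "__main__":
    import sys  # usage: python probe_token.py https://sonar.example.invalid TOKEN my:project
    found = probe(sys.argv[1], sys.argv[2], sys.argv[3])
    for label, verdict in summarize(found).items():
        print(f"{verdict:18} {label}")
    print("exposure if leaked:", exposure(found) or "none beyond analysis upload")
```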