I'd like to configure SonarQube so that developers can generate an HTML report locally (in 'issues' mode), but not be able to publish reports on the SonarQube server (in 'publish' mode).
Instead, I'd like the CI server to be the only system with access to publish results (using a 'technical' user).
The Release notes for SonarQube 5.4 indicate that the "Execute Preview Analysis" permission has been removed.
There is an "Execute Analysis" permission, but from what I've understood, this is required for both 'issues' mode and 'publish' mode.
Right now, the Execute Analysis permission has been granted to 'Anyone'. This allows the Maven plugin to perform an analysis (issues or publish mode). However, sonar-runner (and sonar-scanner) both seem to need a login token configured before they can run even a preview analysis. This inconsistency seems confusing.
How can SonarQube 5.4 be secured so that only the build server can update the results shown on the dashboard?
This is pretty simple:
Make sure that the "Execute Analysis" global permission is granted only to a "technical" user and configure your CI server to pass credentials of this user to the Maven command
=> This will allow the CI to push analysis reports to the SonarQube server, but prevent any other user to do so.
Make sure that every other user has the "Browse" permission on the projects
=> This will allow any user to run an "issues" analysis and therefore generate an HTML report
Related
Sonar Server 6.7.1.
I have following queries wrt how permission works in SonarQube
1. How to enable window NT authentication on sonar portal. I believe by default it is open to everybody, no authentication.
Using sonar admin account I can create the quality profiles (add/remove rules) & assign it to a project. Can I do it as project admin account as well? My use case is I have couple of projects hosted, I do not want to share admin account with each project.
I created many users and groups on sonar portal, but I could not see them under Global Permission page. How to projet administrators?
Let's say I have set of issues reported by sonar for a project. From the portal I want to mark some of the issues as "Won't fixed". What is the minimal permission required user/project admin/sonar admin to do it?
Appreciate your response on above queries.
Disable anonymous access: Disallow anonymous users to access Sonar
You need Administer Quality Gates global permission
You have to start typing username you are looking for in Search field
You need Administer Issues project permission
Please take a look at SonarQube documentation: https://docs.sonarqube.org/display/SONAR/Authorization
I am developing a plugin for SonarQube 6.3.1 which execute an analysis and then generate a docx report.
The problem is that I have to wait between these both actions that SonarQube finishes its REPORT task. My plugin is destined to lambda users so without Administrator permissions: so I can not use activityStatus service.
Is there an other way to know if the reporting of a project in SonarQube is terminated? (inside a plugin)
Your analysis take place on the server side ? I think you should run it on a client side, not server side.
Write a plugin with #BatchSide and implements org.sonar.api.batch.postjob.PostJob.
Then your method will execute soon analysis is finish (as you requested)
See https://github.com/SonarSource/sonar-custom-plugin-example/blob/master/src/main/java/org/sonarsource/plugins/example/hooks/DisplayIssuesInScanner.java
And by the way with PostJobContext object you have all infos you need to fill a custom report
The analysis parameters page in the documentation states that if Anyone (the pre-existing group of users) does not have permission to perform analyses, you'll need to supply the credentials of a user with Execute Analysis permission for the analysis to run under.
I've allowed the group "Anyone" (and no other group or user) in my SonarQube instance (Version 5.4) to perform analysis in the global permissions page but I'm still getting an error message when analyzing my project with the SonarQube scanner for Maven. I have this issue since the upgrade to 5.4 from 5.3. It fails at
[INFO] Load user information
[DEBUG] GET 401 http://sonar.all.alcatel-lucent.com/batch/users?logins=someUser | time=78ms
with the error:
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.0.1:sonar (default-cli) on project xxxx-parent: Not authorized. Analyzing this project requires to be authenticated. Please provide the values of the properties sonar.login and sonar.password.
I'm running the analysis in issues mode for the needs of a Jenkins plugin. I don't get the same issue in normal mode or on other projects. While looking at the project's permission, Anyone can browse, see source code and execute analysis. I've also tried settings up a user with every right on that project and providing the credentials in parameter. I get a similar behavior but with this message:
Not authorized. Please check the properties sonar.login and sonar.password
I've also tried with a user in a group that has every right on that project. I don't really understand how to configure that execute analysis permission. I believe these 2 issues (from the 5.4 upgrade note) are involved in some way but that's just a guess.
https://jira.sonarsource.com/browse/SONAR-7174
https://jira.sonarsource.com/browse/SONAR-7242
Thank you in advance for your answers.
Alexis.
The WS batch/users can't be accessed in anonymous way. So your first issue is expected (ie error 401 when trying to access it without credentials).
Now regarding your second attempt with credentials please provide the WS that is failing. The account you are using should have "analysis permission" either globally or for the project you want to analyse in preview mode.
The Release notes for SonarQube 5.2 indicate that scanners no longer access the database directly.
With SonarQube 5.1, it's possible to ensures that the dashboard only ever shows reports on code in version control by configuring the database to only accept connections from the build server.
With SonarQube 5.2, I wouldn't expect this approach to work, because scanners aren't connecting directly to the database.
How can SonarQube 5.2 be secured so that only the build server can update the results shown on the dashboard?
This is really straightforward:
Make sure that your build server runs SQ analyses with non-empty sonar.login and sonar.password properties
Usually, the user corresponding to this sonar.login is a technical user
In the SQ Web Administration console, go to "Security > Global Permissions" and make sure that only the user corresponding to sonar.login has the "Execute Analysis" permission
Note that this can (or I'd even say "should") be done even on versions older than 5.2.
In the similar question Sonar-Runner talks to the local database "David RACODON - SonarSource" wrote:
The SonarQube Runner needs to talk to both the database and the web server.
I'm will try to understand why Sonar Runner talks do sonar database, because somebody who use sonar runner will known database user and password and do anything on it, for example change admin password and take control on Sonar instance.
On the other hand, at sonar runner docs (http://docs.sonarqube.org/display/SONAR/Installing+and+Configuring+SonarQube+Runner) I see info:
The SonarQube Runner is recommended as the default launcher to analyze a project with SonarQube.
So, it means that I should give database password to each developer of my team? This is inconsistent. Could somebody explain it?
SonarQube needs to talk to the database in order to save the results (metrics) of the analysis.
I will not talk about all the different possibilities that you can implement in order to avoid SonarQube's users to know the admin login, but here is the one I use:
SonarQube + Runner
Jenkins with Sonar plugin
This post (on my blog) is 1 year old http://qualilogy.com/en/install-sonarqube-the-sonarqub-jenkins-plugin/) but it will give you an idea.
You already have SonarQube + Runner installed.
Install Jenkins
Install SonarQube plugin for Jenkins
Configure the plugin:
Location of Runner
SonarQube dashboard URL
Connection to the DB : password is encrypted.
Then, when configuring and running an analysis from Jenkins, no need to use any DB login as a parameter.
Hope it helps.
As of version 5.2, this is no longer the case. Now, all DB credentials/connections are managed by Sonar itself, not the runner.