0

I have a single Sonar instance analyzing codebases of different projects owned by different customers. I need to ensure non of the project teams can manipulate the sonar/machine security to access codebases of other projects (For example through a malicious unit test, or through a script to create a backdoor).

I can use Windows security to create restricted user accounts that just have access to project specific folders. Then I can use that Windows account to schedule a task to perform code download from SCM and trigger Sonar Runner in triggering the analysis.

Now my question is this. When I run Sonar Runner under a particular Windows user account, will the real sonar analysis/unit test execution run within a sandbox of that particular user account?

If not, is there a mean of sandboxing different projects to achieve my goal?

Hasith
  • 1,729
  • 20
  • 25

1 Answers1

1

I don't know how Windows security works, but generally speaking, creating a user (or several users if you want to) with restricted permissions should indeed protect your Sonar server from most issues.

Fabrice - SonarSource Team
  • 25,304
  • 3
  • 57
  • 55
  • Thanks Fabrice for being very active on this space.. really appreciate that. I will be more specific here.I have Sonar server running under UserAccountA (be it Windows or Linux). If I use AntTask to run an analysis under UserAccountB, will the real analysis (UnitTests, etc) be executed under UserAccountA or UserAccountB? – Hasith Jan 07 '13 at 12:05
  • In essence I'm asking when I execute SonarRunner or AntTask, will the real analysis happen in the same OS process? OR does the AntTask, SonarRunner just update the database to schedule a analysis? – Hasith Jan 07 '13 at 12:18
  • 1
    The actual SonarRunner/Ant/Maven analysis will be run under UserAccountB. Only the Sonar server will be run under UserAccountA. – Fabrice - SonarSource Team Jan 07 '13 at 13:01
  • This is wonderful! Absolutely what I need in implementing security! Thanks again! – Hasith Jan 08 '13 at 00:13