
I'd like to configure SonarQube so that developers can generate an HTML report locally (in 'issues' mode), but not be able to publish reports on the SonarQube server (in 'publish' mode).

Instead, I'd like the CI server to be the only system with access to publish results (using a 'technical' user).

The Release notes for SonarQube 5.4 indicate that the "Execute Preview Analysis" permission has been removed.

There is an "Execute Analysis" permission, but from what I've understood, this is required for both 'issues' mode and 'publish' mode.

Right now, the Execute Analysis permission has been granted to 'Anyone'. This allows the Maven plugin to perform an analysis (issues or publish mode). However, sonar-runner (and sonar-scanner) both seem to need a login token configured before they can run even a preview analysis. This inconsistency seems confusing.

How can SonarQube 5.4 be secured so that only the build server can update the results shown on the dashboard?

G. Ann - SonarSource Team
Martin Ellis

1 Answer


This is pretty simple:

  • Make sure that the "Execute Analysis" global permission is granted only to a "technical" user and configure your CI server to pass credentials of this user to the Maven command
    • => This will allow the CI to push analysis reports to the SonarQube server, but prevent any other user from doing so.
  • Make sure that every other user has the "Browse" permission on the projects
    • => This will allow any user to run an "issues" analysis and therefore generate an HTML report
  • This doesn't quite work in the sonar-runner/scanner case. There's no Browse permission in the Global Permissions UI, but even where all projects have Browse enabled for everyone, sonar-runner still fails on the request to /batch/users. – Martin Ellis Mar 22 '16 at 16:50
  • You must have missed some configuration. If the developer runs sonar-runner/scanner using his/her credentials, this should just work perfectly (I tested this yesterday). – Fabrice - SonarSource Team Mar 23 '16 at 07:41
  • Yes, I mentioned that I've done that in paragraph 5. The inconsistency I referred to is that developers using Maven don't need to configure credentials, but developers using sonar-runner/scanner do. – Martin Ellis Mar 23 '16 at 10:01
  • I'm sorry @MartinEllis but I can't manage to reproduce this behaviour. :-( If I try an "issues" analysis anonymously, whether I use Maven or the SQ Scanner, I get an "Unauthorized" error in both cases. Maybe you could write a scenario (starting from a fresh install) somewhere (on pastebin.org for instance) so that I can try to reproduce under the exact same conditions? – Fabrice - SonarSource Team Mar 23 '16 at 10:59
  • Since it fails on a request to /batch/users, I suspect this may be related to some combination of LDAP and SCM settings. Will need to look into it further. – Martin Ellis Mar 23 '16 at 12:49