2

The Release notes for SonarQube 5.2 indicate that scanners no longer access the database directly.

With SonarQube 5.1, it's possible to ensures that the dashboard only ever shows reports on code in version control by configuring the database to only accept connections from the build server.

With SonarQube 5.2, I wouldn't expect this approach to work, because scanners aren't connecting directly to the database.

How can SonarQube 5.2 be secured so that only the build server can update the results shown on the dashboard?

Martin Ellis
  • 9,603
  • 42
  • 53

1 Answers1

2

This is really straightforward:

  1. Make sure that your build server runs SQ analyses with non-empty sonar.login and sonar.password properties

    • Usually, the user corresponding to this sonar.login is a technical user

  2. In the SQ Web Administration console, go to "Security > Global Permissions" and make sure that only the user corresponding to sonar.login has the "Execute Analysis" permission

Note that this can (or I'd even say "should") be done even on versions older than 5.2.

Fabrice - SonarSource Team
  • 26,535
  • 3
  • 62
  • 58