
What is Sonar?
SonarSource developed SonarQube, an open-source platform for continuously evaluating the quality of new code. Sonar performs static code analysis and produces a detailed report of bugs, code smells, vulnerabilities, and duplicated lines of code.
It has built-in rulesets for more than 25 of the most popular programming languages and can be extended with various plugins.
Why should we use SonarQube?
SonarQube quickly and substantially reduces the risk associated with software development. It automatically identifies bugs in the code and alerts developers so they can fix them before the program is released to production. SonarQube also highlights the intricate parts of the code that are poorly covered by unit tests.
Authentication in SonarQube
SonarQube features an integrated user database and supports HTTP headers, LDAP, SAML, GitHub, GitLab, and Bitbucket Cloud for authentication delegation. Each strategy offers user identity management, authentication, and group synchronization/mapping.
Types of Token
- User Token:-
These tokens can be used to run analyses and call web services, subject to the permissions of the user who created the token.
A user token grants all of that user’s permissions. If you hold a global admin’s user token, you have total access to the instance: any action the user could take through the UI can be reproduced with the token and the Web API.
- Project Analysis Token:-
These tokens are scoped to a single project: they can be used to run analyses of that project and to call the web services that require the Execute Analysis permission on it.
NOTE:– For security reasons, project analysis tokens are recommended. If such a token were compromised, an attacker could only analyze that single project or call the associated web services that require the Execute Analysis permission.
- Global Analysis Token:-
These tokens can be used to run analyses of any project.
To generate a global analysis token, the user must have the Global Execute Analysis permission.
If the author of the token loses the Global Execute Analysis permission, analyses can no longer be run with that token.
How to Generate a Token
- Log in to the SonarQube server dashboard.
- At the top right of the page, click the name of the logged-in user, then select My Account.

- On the My Account page, select the Security tab.

- In the Tokens section, enter a token name (any text you will recognize later), a token type, and an expiration period, then click Generate.

- The token has been created.
You generate new tokens by choosing the token type in the box at the top of the page. If you don’t want your token to expire, select “no expiration”. If you select an expiration date and your system administrator has configured SonarQube to send email reminders, you will receive a notice 7 days before the token expires so you can rotate it. If the token is not revoked before it expires, you will receive a second email telling you it is no longer valid.
Revoking a token
You can revoke a token from User > My Account > Security by clicking Revoke next to the existing token.
Using a token
User tokens are used in the following situations:-
- When running analyses of your code, use the token as the value of the sonar.token property, or set the SONAR_TOKEN environment variable to the token.
- When calling web services, pass the token via the Bearer or Basic HTTP authentication mechanism (see User token).
- In either case, you do not need to provide a password: using a token is an alternative to using a login and password.
Expiration date in HTTP response
When a token is used to call web services, the response carries an HTTP header named SonarQube-Authentication-Token-Expiration. This header contains the token’s expiration date, which lets third-party software keep track of impending expirations so the token can be rotated in time.
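The two situations above (authenticating a web-service call with a token and reading the expiration header from the response) as a small script. This is an added example, not code from SonarQube or its documentation. It assumes SONAR_HOST_URL and SONAR_TOKEN are set in the environment, that api/authentication/validate is available to answer a cheap authenticated request, and that the header value is an ISO 8601 date-time such as 2024-06-01T00:00:00+0000 (the sample header below is constructed for illustration; a bare date is also accepted in case the format differs).

```python
"""Call a SonarQube web service with a token and report when to rotate it.

Added example (not SonarQube's own code). Assumptions:
  - SONAR_HOST_URL and SONAR_TOKEN are set in the environment;
  - api/authentication/validate accepts the Bearer token;
  - the expiration header is an ISO 8601 date-time like 2024-06-01T00:00:00+0000
    (constructed sample format; a bare YYYY-MM-DD is also parsed).
"""
import os
import sys
import urllib.request
from datetime import datetime, timezone
from typing import Dict, Optional

EXPIRATION_HEADER = "SonarQube-Authentication-Token-Expiration"
WARN_DAYS = 7  # same window as the e-mail reminder: rotate when this few days remain


def auth_headers(token: str) -> Dict[str, str]:
    """Bearer authentication: the token stands in for login and password."""
    return {"Authorization": f"Bearer {token}"}


def scanner_env(token: str) -> Dict[str, str]:
    """Environment for sonar-scanner: SONAR_TOKEN keeps the token out of the
    command line, where -Dsonar.token=... would be visible in process listings."""
    env = dict(os.environ)
    env["SONAR_TOKEN"] = token
    return env


def parse_expiration(value: str) -> datetime:
    """Parse the header value; accepts a date-time with numeric offset or a bare date."""
    for fmt in ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d"):
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed
    raise ValueError(f"unrecognised expiration value: {value!r}")


def days_until_expiry(headers: Dict[str, str], now: Optional[datetime] = None) -> Optional[int]:
    """Whole days left before the token expires, or None when no expiration
    header is present (tokens created with 'no expiration')."""
    value = next((v for k, v in headers.items() if k.lower() == EXPIRATION_HEADER.lower()), None)
    if value is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (parse_expiration(value) - now).days


def rotation_status(headers: Dict[str, str], now: Optional[datetime] = None) -> str:
    """Human-readable verdict suitable for a CI log line or a monitoring check."""
    days = days_until_expiry(headers, now)
    if days is None:
        return "no expiration set"
    if days < 0:
        return "expired"
    if days <= WARN_DAYS:
        return f"rotate now ({days} days left)"
    return f"ok ({days} days left)"


def check_live(host: str, token: str) -> str:
    """Make one authenticated request and read the expiration header from the reply."""
    url = f"{host.rstrip('/')}/api/authentication/validate"
    req = urllib.request.Request(url, headers=auth_headers(token))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return rotation_status(dict(resp.headers))


if __name__ == "__main__":
    host, token = os.environ.get("SONAR_HOST_URL"), os.environ.get("SONAR_TOKEN")
    if not (host and token):
        sys.exit("set SONAR_HOST_URL and SONAR_TOKEN first")
    print(check_live(host, token))
```

Run it from a scheduled job with the CI account's token; a "rotate now" or "expired" result is the cue to generate a replacement under My Account > Security and revoke the old one.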
Conclusion
Using tokens is recommended for security. If a project analysis token leaks, an attacker can only use it to call the linked web services that require the Execute Analysis permission or to analyze that specific project. SonarQube users can generate tokens that run analyses or make web service calls without disclosing their actual login credentials. On this basis, a SonarQube token can be generated securely and then used to analyze the code.
References:-
- https://docs.sonarqube.org/latest/user-guide/user-account/generating-and-using-tokens/
- https://docs.sonarqube.org/9.8/instance-administration/authentication/overview/