AmadeusITGroup / sonar-stash

Stash (Bitbucket) plugin, a pull-request decorator that lets you integrate SonarQube violations directly into your pull request
MIT License

Configure Stash User Password in Sonar configuration #17

Closed christiangalsterer closed 8 years ago

christiangalsterer commented 8 years ago

Currently the password has to be specified as a property. The problem here is that the password is then visible to everyone having access to the log output. This is problematic, e.g. for Jenkins, where you want/need to keep the password private. Furthermore, having all configuration side-by-side with the user name makes the configuration easier and more consistent.

christiangalsterer commented 8 years ago

A fix is available in PR #18.

acopet commented 8 years ago

Hello Christian,

First of all, thank you very much for this contribution! I am going to explain here why we do not expose the Stash password in the configuration page.

The first beta version of the Stash plugin contained the user password in the SQ configuration page. After a discussion with SonarSource, they showed us this is not the proper way to handle a password within SonarQube. Indeed, this solution implies an important security issue: all properties can be retrieved directly from the following SQ REST API. And so we would expose Stash credentials...

The best solution to handle this limitation is thus to provide the password on the command line and hide this password within Jenkins with the help of dedicated "hidden" plugins (for instance, Credential password, Mask Passwords plugin).

For your information, if you really need to store a password, SQ proposes a naming convention to set secured properties (for instance license keys): just suffix them with "secured". And obviously, these properties will not be exposed through Web Services.
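The two points above (any plain property can be read back through the SonarQube Web Services, and only keys carrying the "secured" suffix are withheld) can be turned into a quick audit check. The script below is an added example for this thread, not code from the sonar-stash project. It assumes the shape of the old `GET /api/properties` response (a JSON array of `{"key": ..., "value": ...}` objects) and works on a constructed sample dump so it runs offline; `fetch_properties` is provided for running the same check against a real server.

```python
import json
import re
import urllib.request

# Constructed sample of an `api/properties` response (assumed shape); the values
# are made up for this example and are not from any real server.
SAMPLE_PROPERTIES_JSON = json.dumps([
    {"key": "sonar.stash.url", "value": "https://stash.example.invalid"},
    {"key": "sonar.stash.login", "value": "sonar-bot"},
    {"key": "sonar.stash.password", "value": "hunter2"},
    {"key": "sonar.core.serverBaseURL", "value": "https://sonar.example.invalid"},
    # A "secured" key would normally be withheld by the Web Services; it is
    # included here only to show that the audit skips it.
    {"key": "sonar.license.secured", "value": "XXXX-XXXX"},
])

# Key fragments that usually indicate a credential-bearing property.
SECRET_HINTS = re.compile(r"(password|passwd|secret|token|apikey|api_key|credential)",
                          re.IGNORECASE)
SECURED_SUFFIX = ".secured"


def looks_sensitive(key):
    """Heuristic: does the property key name a credential?"""
    return bool(SECRET_HINTS.search(key))


def is_secured(key):
    """SonarQube withholds properties whose key ends with '.secured'."""
    return key.endswith(SECURED_SUFFIX)


def find_exposed_secrets(properties_json):
    """Return keys that look like credentials but are stored as plain properties,
    i.e. readable by anyone who can call the properties Web Service."""
    props = json.loads(properties_json)
    return sorted(p["key"] for p in props
                  if looks_sensitive(p["key"]) and not is_secured(p["key"]))


def mask(value, keep=2):
    """Mask a secret for reporting: keep the first `keep` characters only."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def fetch_properties(base_url, timeout=10):
    """Fetch the raw properties dump from a live server (assumed endpoint
    `<base_url>/api/properties`); not called in the offline demo below."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/api/properties",
                                timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    props = {p["key"]: p["value"] for p in json.loads(SAMPLE_PROPERTIES_JSON)}
    for key in find_exposed_secrets(SAMPLE_PROPERTIES_JSON):
        print(f"EXPOSED {key} = {mask(props[key])}")
```

Run it against a real instance by replacing the sample with `fetch_properties("https://sonar.example.invalid")`; every key it reports is one an unauthenticated (or merely authenticated) API caller can read, which is exactly the leak the thread describes for `sonar.stash.password`.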

christiangalsterer commented 8 years ago

Thank you for the update. As there seems to be a way to "secure" a property when it has a "secured" suffix, I would suggest following this track. The benefits I see are

What do you think? If you agree, I would do the necessary changes.

acopet commented 8 years ago

Yes, I had forgotten the main point: a secured property is not exposed through Web Services and cannot be accessed in preview and incremental mode. We will face the following issue:

Access to the secured property 'sonar.stash.password.secured' is not possible in preview mode. The SonarQube plugin which requires this property must be deactivated in preview mode.

Unfortunately, with this status, the "secured property" solution cannot be chosen to implement the authentication... :(

christiangalsterer commented 8 years ago

So it seems that indeed the only solution is to rely on tools like the Jenkins Mask plugin. I will update the PR for #20 so that the relevant parts are available.