SonarQube provides a built-in technical account with default credentials to make it simple for users to discover and evaluate it.
Keeping those default credentials when the instance goes into production and becomes reachable from the Internet can leave the instance exposed to intrusions.
Administrators who want to keep this account must change the default password.
We want SonarQube to:
- prevent new instances from using built-in credentials before the instance becomes publicly available, without introducing friction for a first-time exploration of SonarQube;
- encourage existing instances that upgrade to stop using built-in credentials.
- As a user who discovers SonarQube, I want to be able to easily run a project analysis and discover the functionalities of the product. When I am ready to go into production, I want my instance, by default, not to be exposed to trivial intrusions that use default credentials.
- If I'm upgrading from an old instance that was still using default credentials, I want to be warned that my instance may be exposed and be encouraged to change my credentials.
- The first user experience should be easy for a user who doesn’t know SonarQube:
  - unpack the zip file / pull the Docker image
  - log in to the UI
  - discover the product
  - analyze a project
- We want to implement a minimal increment that secures new instances by default and helps secure existing instances, but not go the extra mile of, for example, enforcing a password policy.
- Upgrading SonarQube should remain as simple as starting up the new version. It should not require a change in configuration.
- We don't want to expose more widely the fact that an existing instance is not properly configured. We expect the administrators to be the only ones notified of this problem and prompted to change the credentials. We can then expect the administrators to take the appropriate action.
Both on new and existing instances, we'll force an admin who connects with the default credentials to change the admin password.
For an existing instance which upgrades, if default credentials are detected:
- SonarQube should log a warning (in sonar.log) that admin credentials are set as default and that they need to be changed.
- Nice-to-have: if the instance has SMTP configured, an email is sent at startup to the SonarQube administrators to warn them about the problem.
- Add a `reset_password` boolean flag to the `users` table.
- Prepare a migration that populates this value as `false` for every user, except for the admin user when it still uses `admin` as its password.
- The new password must not be the same as the previous one.
- After a successful login, a local user whose `reset_password` flag is set to `true` should be redirected to an unskippable form at the `/sessions/reset_password` URL with the following fields:
  - Title: Your password has been asked to be reset
  - Old password
  - New password
  - Confirm password
  - A Change button. After the button is clicked, the web app should call the `api/users/change_password` web service to change the user's password.
- If default credentials are detected, log a warning in sonar.log
- Update frontend ITs to not use default credentials (create admin user if needed)
- Nice-to-have: If default credentials are detected, send an email to all administrators
- Nice-to-have: Add an authentication log entry when a user resets their password
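The following is an added, self-contained model of the flow specified above (the `reset_password` flag, the migration that sets it only for an admin still using `admin`, the startup warning, the post-login redirect to `/sessions/reset_password`, and a `change_password` check that rejects reusing the old password). It is illustrative code written for this ticket, not SonarQube's own implementation: the in-memory `users` dictionary, the PBKDF2 hashing, the function names and the log message wording are all assumptions, and the warning is written to a Python logger standing in for `sonar.log`.

```python
import hashlib
import hmac
import logging
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

log = logging.getLogger("sonar")  # stands in for sonar.log (assumption)

BUILT_IN_LOGIN = "admin"
BUILT_IN_PASSWORD = "admin"
RESET_URL = "/sessions/reset_password"


def hash_password(password: str, salt: bytes) -> bytes:
    # Hashing scheme chosen for this illustration; not SonarQube's actual scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    login: str
    salt: bytes
    password_hash: bytes
    reset_password: bool = False  # the new boolean column on the users table

    def check_password(self, candidate: str) -> bool:
        # constant-time comparison of the stored hash against the candidate
        return hmac.compare_digest(self.password_hash, hash_password(candidate, self.salt))


def new_user(login: str, password: str) -> User:
    salt = os.urandom(16)
    return User(login, salt, hash_password(password, salt))


def migrate_reset_password_flag(users: Dict[str, User]) -> List[str]:
    """Migration: reset_password is false for everyone except an admin still using 'admin'.
    Returns the logins that were flagged, for inspection."""
    for u in users.values():
        u.reset_password = (u.login == BUILT_IN_LOGIN and u.check_password(BUILT_IN_PASSWORD))
    return [u.login for u in users.values() if u.reset_password]


def startup_check(users: Dict[str, User]) -> bool:
    """Startup detection: warn administrators (via the log only) when default credentials remain."""
    admin = users.get(BUILT_IN_LOGIN)
    if admin is not None and admin.check_password(BUILT_IN_PASSWORD):
        log.warning("Default administrator credentials are still in use; change the admin password.")
        return True
    return False


def login(users: Dict[str, User], login_name: str, password: str) -> Optional[str]:
    """Return the post-login redirect, or None when authentication fails.
    A flagged local user is sent to the unskippable reset form."""
    u = users.get(login_name)
    if u is None or not u.check_password(password):
        return None
    return RESET_URL if u.reset_password else "/"


def change_password(users: Dict[str, User], login_name: str, old_password: str, new_password: str) -> None:
    """Model of what api/users/change_password must enforce: the old password is verified,
    the new one must differ from it, and the reset flag is cleared on success."""
    u = users.get(login_name)
    if u is None or not u.check_password(old_password):
        raise PermissionError("old password is incorrect")
    if u.check_password(new_password):
        raise ValueError("new password must differ from the previous one")
    u.salt = os.urandom(16)
    u.password_hash = hash_password(new_password, u.salt)
    u.reset_password = False
    log.info("password reset for user %s", login_name)  # the nice-to-have authentication log


if __name__ == "__main__":
    # Constructed sample data: an upgraded instance with an untouched admin account.
    logging.basicConfig(level=logging.INFO)
    store = {"admin": new_user("admin", "admin"), "bob": new_user("bob", "s3cret-pass")}
    print("flagged by migration:", migrate_reset_password_flag(store))
    print("defaults detected at startup:", startup_check(store))
    print("admin redirect:", login(store, "admin", "admin"))
    change_password(store, "admin", "admin", "N3w-pa55word")
    print("admin redirect after reset:", login(store, "admin", "N3w-pa55word"))
```

Running the block as a script walks an upgraded instance through the migration, the startup warning, the forced redirect and a successful reset; only the admin account that still has the built-in password is flagged, and a reset that reuses the old password is refused before anything is written.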