SonarQube users can write and use their own plugins. They can also find and install 3rd-party plugins from the community.
This ability to extend SonarQube with plugins is an important feature, but these plugins are by definition not written by SonarSource and they can be a potential vector of vulnerability for SonarQube instances.
We want our users to be aware of the risk they are taking and we want to make sure they accept this risk before they install and use plugins.
Before installing plugins, we want SonarQube administrators to know and accept the corresponding risks. If they decide to install plugins, they should take this responsibility seriously.
- Currently, as a SonarQube administrator who is interested in using plugins, I can install them in two different ways:
  - directly in the SonarQube UI, from the Marketplace
  - by deploying a plugin in the filesystem
- If I now want to start installing plugins, I should be aware of the risks. I should consent to taking those risks before I can install and use any plugins.
- If I'm running a Commercial Edition and I have some specific needs, I should still be able to find and install plugins. But, to be fully conscious of the risks, I should now install plugins manually.
- In the case of the first plugin installation, we expect administrators to consent to taking risks:
  - before being able to install plugins from the Marketplace (Community Edition only)
  - in the case of a manual installation (All Editions):
    - in the Marketplace, before they start installing plugins manually
    - or, once they have manually installed them, before they are able to use SonarQube with their administrator account (a single consent is required)
- We don't want to add friction to the manual installation of plugins (startup failure, extra restart...). The process should require a consent from the administrators but must remain smooth.
- We want SonarQube administrators to know and explicitly accept the corresponding risks, using the following wording:
  - Title: Installation of plugins
  - Description: Plugins are not provided by SonarSource and you therefore install them at your own risk. SonarSource disclaims all liability for installing and using such plugins.
  - Button: I understand the risk
- For the instances which will upgrade to SonarQube 8.9+ with some plugins already installed, administrators should also accept the risks before being able to use SonarQube with their administrator account (a single consent is required).
- We expect the consent to disappear once accepted. An explanation should then remain in the Marketplace to remind users that plugins offered there are not provided by SonarSource:
  - Plugins available in the Marketplace are not provided or supported by SonarSource. Please reach out directly to their maintainers for support.
- In case of a manual installation, if the administrator decides to remove the corresponding plugins after discovering the warning at login, the request for consent should also disappear.
- Users of commercial editions should not be able to install plugins directly through the Marketplace. As a consequence, it should be easy for our users who upgrade to a commercial edition to understand that plugins from the Marketplace must now be installed manually.
- The WebService 'api/plugins/install', which allows installing plugins from the Marketplace, should behave accordingly:
  - In Community Edition: require the risks to be accepted before allowing plugins to be installed
  - In Commercial Editions: fail with a clear message that explains plugins need to be installed manually.
  The WebService documentation should reflect this behavior.
Introduce a new property, sonar.plugins.risk.consent, which holds the state of the risk consent.
Possible values of the risk consent property:
- NOT_ACCEPTED - when there are no external plugins installed
- REQUIRED - when there is at least one external plugin installed and the risk consent has not been accepted
- ACCEPTED - when a user has accepted the risk consent
The property should be hidden in the UI.
For ITs, the property can be set directly, e.g. sonar.plugins.risk.consent=ACCEPTED.
The endpoint "api/plugins/install" will return 400 with an appropriate message if the risk consent has not been accepted or if a client calls this WS from a commercial edition. The description of the WS should be updated to inform users about the new behaviour.
System admins will be redirected to the plugin risk consent page right after login (or password reset) if `sonar.plugins.risk.consent` is set to REQUIRED. This blocks their use of the SonarQube UI until they consent; all other users are unaffected.
The Marketplace page will provide a UI for users to accept the consent. Plugin installation from the Marketplace will only be available in Community Edition and only once the risk consent is ACCEPTED.
The documentation page "setup/install-plugin" will be updated with information about the requirement to accept the risk consent.
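The consent state transitions and the two gates described above (the install WS and the post-login redirect), as an added reference model written for this page; it is not SonarQube's own code. It assumes that an accepted consent stays ACCEPTED even after plugins are removed, and the consent page path `/admin/plugin_risk_consent` is a hypothetical placeholder.

```python
from enum import Enum


class RiskConsent(Enum):
    """Values of the sonar.plugins.risk.consent property from the spec."""
    NOT_ACCEPTED = "NOT_ACCEPTED"  # no external plugins installed, no consent given
    REQUIRED = "REQUIRED"          # external plugins present, consent still pending
    ACCEPTED = "ACCEPTED"          # an administrator clicked "I understand the risk"


def compute_consent(current, external_plugins_installed):
    """Recompute the property at startup from its stored value and whether any
    external (non-SonarSource) plugin is deployed in the filesystem."""
    if current is RiskConsent.ACCEPTED:
        return current  # assumption: a single consent is permanent
    if external_plugins_installed:
        return RiskConsent.REQUIRED  # manual install, or upgrade with plugins already present
    return RiskConsent.NOT_ACCEPTED  # plugins removed again: the consent request disappears


def accept_consent(current):
    """Administrator clicks the "I understand the risk" button."""
    return RiskConsent.ACCEPTED


def install_from_marketplace(edition, consent):
    """Decision taken by api/plugins/install, returned as (http_status, message)."""
    if edition != "community":
        return 400, "Plugins must be installed manually in commercial editions"
    if consent is not RiskConsent.ACCEPTED:
        return 400, "The plugin risk consent must be accepted before installing plugins"
    return 200, "Plugin installation started"


def post_login_redirect(is_system_admin, consent):
    """Page an authenticated user lands on right after login or password reset."""
    if is_system_admin and consent is RiskConsent.REQUIRED:
        return "/admin/plugin_risk_consent"  # hypothetical consent page path
    return "/projects"


def manual_install_scenario():
    """Walk through a manual drop of a plugin on a fresh Community Edition instance."""
    state = compute_consent(RiskConsent.NOT_ACCEPTED, external_plugins_installed=True)
    blocked = install_from_marketplace("community", state)[0]  # 400 until consent
    landing = post_login_redirect(True, state)                 # admin is redirected
    state = accept_consent(state)
    allowed = install_from_marketplace("community", state)[0]  # 200 once ACCEPTED
    return blocked, landing, allowed, post_login_redirect(True, state)
```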