SonarQube: SONAR-16204

Drop SHA1 legacy hash method


    Details

    • Edition:
      Community
    • Production Notes:
      None

      Description

      SHA1 was used to hash passwords in SonarQube. It was replaced by bcrypt in 2018 and by PBKDF2 in 2021.

      We kept the SHA1 implementation for compatibility: a user could still log in with their password (verified against the stored SHA1 hash), and on a successful login the stored hash was rewritten with the new algorithm, giving a smooth and transparent transition.

      To reduce SonarQube's attack surface, we now want to drop this fallback and remove the SHA1 implementation. Users who have not logged in since 2018 will have to ask an administrator to reset their password.

      • Impacted users won't be able to log in anymore; a SonarQube admin needs to reset their password.
      • Upgrade Notes: mention that local users who have not logged in since SonarQube 7.2 have their password deactivated and that a SonarQube admin needs to reset it.
      • Database Migration: list all users whose password still uses a removed hash algorithm and log them as a warning in the migration logs.
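The two mechanisms the ticket describes, the transparent rehash-on-login that existed until now and the post-removal behaviour (legacy rows rejected, migration warns about them), as an added example that is not SonarQube's code. The record layout, the `hash_method` labels, the salted-SHA1 layout used for the legacy rows and the PBKDF2 parameters are assumptions made for this illustration; the page does not describe SonarQube's actual storage format.

```python
"""Legacy password-hash migration: transparent upgrade on login, then cut-off.

Added illustration of the scheme described in SONAR-16204; not SonarQube code.
The row layout, the method labels and the SHA1(salt || password) legacy format
are assumptions for this example.
"""
import hashlib
import hmac
import logging
import os

log = logging.getLogger("db-migration")

LEGACY_SHA1 = "SHA1"        # assumed label for the algorithm being dropped
CURRENT_PBKDF2 = "PBKDF2"   # assumed label for the current algorithm
PBKDF2_ITERATIONS = 100_000  # assumed parameter


def _sha1_legacy(password: str, salt: bytes) -> bytes:
    # Assumed legacy layout. Kept only to verify rows written by old versions.
    return hashlib.sha1(salt + password.encode()).digest()


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_legacy_record(password: str) -> dict:
    """Constructed sample row, as an old installation would have stored it."""
    salt = os.urandom(16)
    return {"hash_method": LEGACY_SHA1, "salt": salt, "hash": _sha1_legacy(password, salt)}


def make_current_record(password: str) -> dict:
    """Row in the current format; also used when a legacy row is upgraded."""
    salt = os.urandom(16)
    return {"hash_method": CURRENT_PBKDF2, "salt": salt, "hash": _pbkdf2(password, salt)}


class LocalUserStore:
    """In-memory stand-in for the users table: login -> row."""

    def __init__(self, users: dict, allow_legacy_sha1: bool):
        self.users = users
        # True: behaviour before this ticket (fallback + rehash on login).
        # False: behaviour after it (legacy rows are unusable until reset).
        self.allow_legacy_sha1 = allow_legacy_sha1

    def authenticate(self, login: str, password: str) -> bool:
        rec = self.users.get(login)
        if rec is None:
            return False
        if rec["hash_method"] == CURRENT_PBKDF2:
            return hmac.compare_digest(rec["hash"], _pbkdf2(password, rec["salt"]))
        if rec["hash_method"] == LEGACY_SHA1:
            if not self.allow_legacy_sha1:
                # Fallback removed: the row cannot be verified, an admin must reset it.
                return False
            if not hmac.compare_digest(rec["hash"], _sha1_legacy(password, rec["salt"])):
                return False
            # Transparent upgrade: the plaintext is available only now, so rehash here.
            self.users[login] = make_current_record(password)
            return True
        return False  # unknown method: treat as unusable rather than guessing

    def legacy_users(self) -> list:
        """Migration step: list users still on a removed algorithm and warn about each."""
        stale = sorted(l for l, r in self.users.items() if r["hash_method"] == LEGACY_SHA1)
        for login in stale:
            log.warning("user %s still uses removed hash algorithm %s; "
                        "an administrator must reset the password", login, LEGACY_SHA1)
        return stale
```

The point worth keeping in mind when reviewing the real change: the upgrade can only happen on a successful login, because that is the only moment the plaintext is available, so any account that never logged in after the fallback was introduced is still on the old algorithm and can only be repaired by a reset. That is why the migration lists those rows rather than trying to convert them.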


              People

              Assignee: aurelien.poscia (Aurélien Poscia)
              Reporter: pierre.guillot (Pierre Guillot)
              Votes: 0
              Watchers: 2
