Type: New Feature
Affects Version/s: None
Fix Version/s: 2.10
A feature of the SonarQube Scanner for Jenkins is that a Jenkins build can be set to fail if the quality gate fails. This is implemented by configuring a webhook on the SonarQube/SonarCloud side; the SonarQube Scanner for Jenkins provides a function waitForQualityGate() that waits for the webhook to be triggered after the Compute Engine (CE) analysis finishes, and then breaks the build depending on the payload.
Since the end of support for public IPs, users of the SonarQube Scanner for Jenkins have to open up their Jenkins instance to all IP addresses to receive webhooks from SonarQube instances outside their local network or from SonarCloud. Besides that, they have no way of verifying that incoming webhooks in fact come from SonarQube/SonarCloud rather than from malicious parties. Users have been complaining about this here: https://community.sonarsource.com/t/deprecating-the-webhook-ip/10423
SonarQube 7.8 and SonarCloud introduce a mechanism to sign webhooks, which allows consumers to verify the integrity and the origin of received webhooks; the Jenkins scanner should implement this verification. Because setting the secret is optional when configuring a webhook, the Jenkins scanner should only verify the payload when a secret is set on the Jenkins side. Adding the webhook secret to the Jenkins instance should happen in a secure way. Since the waitForQualityGate() function is only available to users configuring their pipelines with the Jenkins pipeline DSL, we will only support that use case.
We let users configure their secret in the Jenkins credentials manager (already used for SONAR_TOKEN), and they have to give their secret an id. The Jenkins scanner checks whether a secret with the provided id is present in the credentials manager; if so, it checks the signature of the incoming payload with that secret. If no secret is configured, all incoming payloads are accepted.
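The verification policy described above, as an added stand-alone illustration (not the plugin's own Java code): the HMAC-SHA256 of the raw body is compared in constant time against the signature header, a payload is accepted unsigned only when no secret is configured, and the quality gate status is read from the payload to decide whether the build should break. The header name X-Sonar-Webhook-HMAC-SHA256 is taken from the SonarQube webhook documentation, and the payload below is constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Header carrying the hex HMAC-SHA256 of the raw body (name from SonarQube docs).
SIGNATURE_HEADER = "X-Sonar-Webhook-HMAC-SHA256"


def sign_payload(secret: str, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded (what the sender computes)."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_webhook(body: bytes, headers: Dict[str, str], secret: Optional[str]) -> bool:
    """Accept the webhook only if it is signed with the configured secret.

    Policy from the ticket: with no secret configured on the Jenkins side every
    payload is accepted; with a secret, an unsigned or mis-signed payload is rejected.
    """
    if secret is None:
        return True
    # HTTP header names are case-insensitive, so normalise before lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not received:
        return False
    expected = sign_payload(secret, body)
    # Constant-time comparison so timing does not leak which bytes matched.
    return hmac.compare_digest(expected, received.strip().lower())


def quality_gate_failed(body: bytes) -> bool:
    """True if the analysis payload reports a quality gate status other than OK."""
    payload = json.loads(body)
    return payload.get("qualityGate", {}).get("status") != "OK"


if __name__ == "__main__":
    # Constructed sample payload, trimmed to the fields used here.
    body = b'{"serverUrl":"https://sonar.example","qualityGate":{"status":"ERROR"}}'
    secret = "jenkins-credential-secret"  # would come from the credentials manager
    headers = {SIGNATURE_HEADER: sign_payload(secret, body)}
    print("signature valid:", verify_webhook(body, headers, secret))
    print("tampered body rejected:", not verify_webhook(body + b" ", headers, secret))
    print("break build:", quality_gate_failed(body))
```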