Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SonarQube (Enterprise EditionVersion 10.3 --build 82913) Content Security Policy blocking the plugin resource #893

Open
platformbeheer-otv opened this issue Dec 13, 2023 · 7 comments
Open

SonarQube (Enterprise EditionVersion 10.3 --build 82913) Content Security Policy blocking the plugin resource #893

platformbeheer-otv opened this issue Dec 13, 2023 · 7 comments
Labels
bug lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@platformbeheer-otv
Copy link

Describe the bug
We are currently using SonarQube Enterprise Edition Version 10.3. We are encountering an issue when integrating Dependency-Check reports using dependency-check Sonarqube plugin v4.0.0.
The report HTML file, which utilizes inline scripting, is blocked by CSP when we attempt to click on links and buttons to view dynamic content generated by scripting. The content of the overview is already present, but it cannot load or activate the appropriate elements dynamically due to CSP (content security policy) in SonarQube 10.3.

To Reproduce
Steps to reproduce the behavior:

  1. Initiate a Java build and verification process from the CI/CD pipeline in Azure DevOps using YAML format.
  2. The pipeline successfully scans the dependencies as configured in the Maven plugin dependency checker.
  3. An overview file named 'dependency-check-report.html' is generated locally on the build server.
  4. The SonarQube Publish Task uploads the overview file to the SonarQube Enterprise on-premises server.
  5. The SonarQube Plugin Dependency checker automatically integrates the overview file.
  6. Access the SonarQube web portal and navigate to the dashboard.
  7. From the Project Menu item, select [More] and then [Dependency Checker].
  8. The overview file should now be visible on the SonarQube Dashboard.
  9. Attempt to click on one of the [+] icon to expand the sections or click on one of the [suppress] buttons to view the related XML value in a popup.
  10. Observe that these click actions do not work due to CSP blocking.

Current behavior
Integrated HTML overview of the dependencies is shown on the Dashboard SonarQube. But it is not possible to click on any links and buttons

Expected behavior
Integrated HTML overview of the dependencies must be shown on the Dashboard SonarQube.
And it must be possible to click on any links and buttons in this overview

Screenshots
image

Versions (please complete the following information):

  • dependency-check-9.0.4
  • sonarqube (Enterprise EditionVersion 10.3 --build 82913)
  • dependency-check-sonar-plugin 4.0.0

Additional context
@github-actions GitHub Actions
Copy link

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 12, 2024
@Reamer
Copy link
Member

Reamer commented Feb 12, 2024

The following change may help you. #765
However, the PR requires a rebase and must of course be transferred in your source code copy. You will then have to build and install the plugin manually yourself.

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 13, 2024
@kascaks
Copy link

kascaks commented Mar 5, 2024

I'm experiencing the same problem also with sonar-dependency-check-plugin-5.0.0 on sonarqube Community Edition 10.3 (build 82913). The report opens in new tab, but buttons still don't work as sonarqube is serving response header with CSP script-src 'self' so inline scripts are blocked. I tried that with Firefox , Chrome and Opera. They all block it (message can be seen in developer console).

@kevinrossnl
Copy link

I'm experiencing the same problem also with sonar-dependency-check-plugin-5.0.0 on sonarqube Community Edition 10.3 (build 82913). The report opens in new tab, but buttons still don't work as sonarqube is serving response header with CSP script-src 'self' so inline scripts are blocked. I tried that with Firefox , Chrome and Opera. They all block it (message can be seen in developer console).

Same for us, issue persists in new tab.

@Reamer
Copy link
Member

Reamer commented Mar 19, 2024

There is not much I can do here, the whole display of the HTML report is very hacky.

@Reamer Reamer added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Mar 19, 2024
@kevinrossnl
Copy link

There is not much I can do here, the whole display of the HTML report is very hacky.

See releasenotes 10.0 about changes to security: https://docs.sonarsource.com/sonarqube/latest/setup-and-upgrade/release-upgrade-notes/#release-10.0-upgrade-notes

And this page with help regarding pages: https://docs.sonarsource.com/sonarqube/latest/extension-guide/developing-a-plugin/adding-pages-to-the-webapp/

It might help you?

@Reamer
Copy link
Member

Reamer commented Mar 19, 2024

Unfortunately not, because the complete HTML file with inline script comes from dependency-check.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Reamer @kascaks @kevinrossnl @platformbeheer-otv