JRE cache: JRE downloads which download from sonar.scanner.sonarcloudUrl or sonar.scanner.apiBaseUrl should have an authentication header
martin-strecker-sonarsource opened this issue · 2 comments
When downloading resources (JRE, scanner engine, …), special care should be taken not to leak the token to a third-party endpoint. If the downloadUrl starts with the same path as sonar.host.url or sonar.scanner.apiBaseUrl, then the token should be passed. Otherwise, we assume there is no authentication required.
We do not pass the token if the download URL starts with either `sonar.scanner.sonarcloudUrl` or `sonar.scanner.apiBaseUrl`.
See #2024 (comment)
Hi @martin-strecker-sonarsource, this is not very clear. Could you please add to the description what is the expected new behavior?
According to the spec, a bearer token should be sent when downloading the JRE if the download URL returned by the server starts with either the `sonar.scanner.sonarcloudUrl` or the `sonar.scanner.apiBaseUrl` path. So if the JSON returned from the JRE endpoint contains something like, e.g.

```json
{
  "downloadUrl": "https://myserver/SonarQube/api/JRE/download"
}
```

and either `sonar.scanner.sonarcloudUrl` or `sonar.scanner.apiBaseUrl` is any of these values:

- `https://myserver/`
- `https://myserver/SonarQube/`
- `https://myserver/SonarQube/api/`

then the Bearer token should be sent.
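The prefix rule from the comment above, as an added example that is not the scanner's own code. It assumes constructed `myserver` URLs and parses both URLs instead of doing a raw string prefix test, so that a configured base without a trailing slash cannot match a lookalike host or path segment and send the token elsewhere.

```python
from urllib.parse import urlsplit

# Constructed sample configuration values, mirroring the URLs quoted in the issue.
SONARCLOUD_URL = "https://myserver/"
API_BASE_URL = "https://myserver/SonarQube/api/"

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _split(url):
    """Return (scheme, host, port, path): host lower-cased, default port filled in,
    path always ending in '/' so prefix checks stop on a segment boundary."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or _DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    if not path.endswith("/"):
        path += "/"
    return scheme, (parts.hostname or "").lower(), port, path


def is_same_origin_prefix(download_url, base_url):
    """True when download_url lives under base_url: identical scheme, host and port,
    and the download path starts with the base path on a '/' boundary."""
    d_scheme, d_host, d_port, d_path = _split(download_url)
    b_scheme, b_host, b_port, b_path = _split(base_url)
    if (d_scheme, d_host, d_port) != (b_scheme, b_host, b_port):
        return False
    return d_path.startswith(b_path)


def download_headers(download_url, token, base_urls=(SONARCLOUD_URL, API_BASE_URL)):
    """Headers for a resource download: the bearer token is attached only when the
    URL sits under one of the configured base URLs, never for a third-party host."""
    if any(is_same_origin_prefix(download_url, b) for b in base_urls if b):
        return {"Authorization": f"Bearer {token}"}
    return {}
```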