I am running a SonarQube 4.2 instance on a Linux box. Since in our system we have a central portal page from where we navigate to all the child pages, I need to have SonarQube inside a frame. When I have an href, SonarQube denies it, which I guess is due to X-Frame-Options set as SAMEORIGIN. Any clue how we can modify this?
Also I need to provide CSRF protection in SonarQube. For Jenkins, it comes with a built-in option to enable CSRF protection. Does SonarQube have anything similar?
Thanks in advance for all the inputs.
For the X-Frame option, this has been fixed in SQ 5.1 and you can actually verify this on our Nemo instance.
For the CSRF protection, we have an open ticket about this: SONAR-5040. Note that when an XSS vulnerability is discovered, we always fix it in the upcoming version as well as in the latest LTS version (currently 4.5.x).