Vidoc logo

Module library

All modulesVisit vidocsecurity.com
Ethical Hacking Automation

Automate Recon and scanning process with Vidoc. All security teams in one place

Start for free

Sonarqube with public projects

By kannthu

Low
Vidoc logoVidoc Module
#sonarqube#misconfig
Description

What is "Sonarqube with public projects?"

The "Sonarqube with public projects" module is designed to detect misconfigurations in Sonarqube instances that have public projects. Sonarqube is a popular open-source platform for continuous code quality inspection. This module focuses on identifying potential security vulnerabilities in the configuration of Sonarqube instances.

This module has a low severity level, indicating that the detected misconfigurations may not pose a significant risk but should still be addressed to ensure the security of the Sonarqube instance.

This module was authored by sickwell.

Impact

If misconfigurations are found in a Sonarqube instance with public projects, it could potentially expose sensitive information or allow unauthorized access to the projects. This could lead to the leakage of proprietary code, sensitive data, or even unauthorized modifications to the projects.

How does the module work?

The "Sonarqube with public projects" module performs HTTP requests to the Sonarqube API to check for specific responses that indicate misconfigurations. One example of an HTTP request made by this module is:

GET /api/components/suggestions?recentlyBrowsed=

The module then applies matching conditions to the responses received from the API. In this case, it checks for a response status code of 200 and specific keywords in the response body, such as "results," "items," and "more." If all the matching conditions are met, the module reports a vulnerability.

By analyzing the responses and applying matching conditions, the module can identify potential misconfigurations in Sonarqube instances with public projects.

It's important to note that this module is just one test case within the Vidoc platform, which utilizes multiple modules to perform comprehensive scanning and detection of misconfigurations, vulnerabilities, and software fingerprints.

For more information, you can refer to the Sonarqube API documentation.

The maximum number of requests made by this module is limited to 1.

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET/api/components/sugg...
Matching conditions
status: 200and
word: "results":, "items":, "more":
Passive global matcher
No matching conditions.
On match action
Report vulnerability