How do I get Sonarcloud to run on pull requests from forks with Travis, Maven & github

Front-end · Unresolved · 3 · 649
情话喂你 2020-12-14 17:08

While looking into my recent question Sonarcloud failure with Travis, Maven & github I realised that I was asking the wrong question. I was trying to address a symptom r

3 answers
  • 2020-12-14 17:43

    As you've perfectly guessed, unless you hard-code your GitHub and SonarCloud tokens (which obviously you don't want, to not publicly unveil them), there is currently no way to analyze external pull requests. This is documented on the official SonarCloud Travis Add-on page.

    We are currently actively working on a way to properly support this use case - and I hope we'll come up with something before the end of the year.

    0 · Discussion (0)
  • 2020-12-14 17:47

    This is probably not the easy solution you are looking for but I do not think there is a much easier way to access secrets when building pull requests unless Travis adds support for it in some form. After all, the secret variables are not available for a good reason as pull requests can contain arbitrary code that gets executed during the build. An attacker might use this to create a pull request that changes the build process to read the decrypted environment variables and send them to him.

    The underlying problem is that the code that runs the build and the code that is built come from the same (sometimes untrusted) source. In order to be able to use secrets in the build process, the code that builds and the code that is built need to be separated, and the build code needs to come from a trusted source. No code from the untrusted source must be executed unless it is sandboxed so that it cannot access any of the secrets.

    To my knowledge Travis does not provide a standard method to achieve this.

    By following the idea of separating build code and code being built, it should be possible nonetheless to execute a Sonarqube analysis against external pull requests.

    First step would be to create a new repository "build code" on Github that contains only the trusted build scripts. These scripts are responsible for checking out the pull request and performing the Sonarqube analysis. As these are not part of the external pull request, they can access secret variables. Be careful, though, not to run the unit tests in the pull request as these are untrusted.

    The second step is to trigger a build of the "build code" repository whenever a pull request is made against the actual source code repository. Travis provides an API to trigger builds. However, this also requires a secret. So we cannot simply trigger a build of the "build code" repository when building the pull request. What we can do, though, is to install a webhook on the source code repository on Github, that calls a small web service when a pull request is made. This service then calls the Travis API to trigger a build of the trusted build code repository.

    I hope this makes sense. Please let me know if something is not clear.

    I have not yet done this myself, so I cannot provide any code. But I think it shouldn't be too difficult to set up a small web service that turns a webhook request from Github into a build request for Travis.

    0 · Discussion (0)
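One way to implement the webhook-to-Travis bridge described in the answer above, as an added example that is not the answer author's code: the service first verifies GitHub's `X-Hub-Signature-256` header so that only GitHub (not anyone who finds the URL) can start builds, then turns the `pull_request` event into a Travis API v3 `requests` call against the trusted "build code" repository, forwarding only references to the PR (number, head SHA, clone URL) as environment variables, never any code from the fork. The webhook secret, Travis token, repository names and the sample payload are constructed assumptions; the Travis v3 request shape (`Travis-API-Version: 3`, `{"request": {"branch": ..., "config": ...}}`) is assumed from the public API.

```python
import hashlib
import hmac
import json
import urllib.parse
from typing import Optional

# Hypothetical values: in a real deployment these live in the service's own
# environment (never in the source repository or the pull request).
WEBHOOK_SECRET = b"constructed-webhook-secret"
TRAVIS_TOKEN = "constructed-travis-token"
BUILD_REPO = "example-org/build-code"  # the trusted "build code" repository

def verify_github_signature(secret: bytes, body: bytes, signature_header: str) -> bool:
    """Check GitHub's X-Hub-Signature-256 header (HMAC-SHA256 over the raw body)."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected MAC.
    return hmac.compare_digest(expected, signature_header[len("sha256="):])

def travis_trigger_request(event: dict) -> Optional[dict]:
    """Build the Travis API v3 'requests' call for the trusted repo, or None if
    the event is not one that should start an analysis."""
    if event.get("action") not in ("opened", "synchronize", "reopened"):
        return None
    pr = event["pull_request"]
    # Only references are forwarded; the trusted build checks out this commit and
    # runs the Sonar analysis itself, without executing the fork's tests or scripts.
    env = {
        "PR_NUMBER": str(pr["number"]),
        "PR_HEAD_SHA": pr["head"]["sha"],
        "PR_HEAD_CLONE_URL": pr["head"]["repo"]["clone_url"],
        "BASE_REPO": event["repository"]["full_name"],
    }
    repo_slug = urllib.parse.quote(BUILD_REPO, safe="")  # "owner%2Frepo" per Travis v3
    return {
        "url": "https://api.travis-ci.com/repo/%s/requests" % repo_slug,
        "headers": {"Travis-API-Version": "3", "Authorization": "token " + TRAVIS_TOKEN,
                    "Content-Type": "application/json"},
        "body": {"request": {"branch": "master", "config": {"env": env}}},
    }

def handle_webhook(body: bytes, signature_header: str) -> Optional[dict]:
    """Entry point for the HTTP handler: reject unsigned/forged deliveries first."""
    if not verify_github_signature(WEBHOOK_SECRET, body, signature_header):
        raise PermissionError("webhook signature mismatch")
    return travis_trigger_request(json.loads(body))

# Constructed sample of a GitHub pull_request delivery, used to exercise the code offline.
SAMPLE_EVENT = {"action": "opened", "repository": {"full_name": "example-org/app"},
                "pull_request": {"number": 42, "head": {"sha": "0123abcd",
                                 "repo": {"clone_url": "https://github.com/fork-user/app.git"}}}}
SAMPLE_BODY = json.dumps(SAMPLE_EVENT).encode()
SAMPLE_SIGNATURE = "sha256=" + hmac.new(WEBHOOK_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()
```

The returned dict is what the handler would POST to Travis; the actual HTTP call and the webhook server framing are left out so the logic runs stand-alone.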
  • 2020-12-14 18:07

    There is a request for supporting external pull requests: https://jira.sonarsource.com/browse/MMF-1371

    I think a good idea is to vote for this issue.

    0 · Discussion (0)