SonarQube, an open-source product by SonarSource that claims to be "your teammate for Code Quality and Security", was the focus of adverse publicity recently when a computer consultant chose to publish proprietary source code from well-known companies on the internet – alleging it was largely obtained via badly configured SonarQube installations.
The code was leaked by Swiss computer consultant Tillie Kottmann, who boasts "probably leaking your code right now" on their Twitter profile, which also features a pinned tweet inviting anyone with "access to any confidential info, documents, binaries or source code, which you think should be made available to the public" to contact Kottmann "so we can discuss safely releasing it".
Kottmann published the code on a self-hosted GitLab repository and via a Telegram messaging channel, including source from Adobe, Microsoft, Lenovo, Fintech company iLendx, Gate Gourmet, Motorola, Qualcommm, Mediatek and more – though The Register understands much of it is of little interest.
The Microsoft folder was said to contain not the building blocks of Windows or SQL Server, but something ancient called Playready Trustedapp (for Amlogic platform), and we were told the Adobe folder included code for Behance, an image portfolio management product.
The incident did spark some anxiety, however, partly because Kottmann claimed they found instances of hardcoded credentials, though these were "generally stripped in the releases on a best effort basis". Kottmann apparently did not follow normal security best practice by informing companies of the vulnerability before posting the code, but did take down code on request.
Why the leaks? Was it to encourage companies not to be sloppy about securing their code? "That's definitely part of it," Kottmann told us, "but I'm also just very curious myself and so are many others. I find getting an insight into how (often badly unfortunately) proprietary software is built. And I guess at least some of my releases probably also have a hint of political motivation to them, though so far this has not yet led to abolishing capitalism and has mostly just made companies improve their security."
Kottmann claimed that much of the code was found in poorly secured repositories, many of which were leaked via SonarQube. Kottmann told The Register that while SonarQube does have built-in authentication, not everyone bothers with configuring it and that "it's just easy to misconfigure and I think a lot of companies don't realize that people can just download source code from there if they don't have any auth."
He said the insecure repositories are easy to find via internet searches. SonarQube is used by between 150,000 and 200,000 companies, SonarSource told us.
SonarSource CEO Olivier Gaudin has posted about the leaks, emphasising that access was because of "the way these specific SonarQube instances were configured, not because of a vulnerability in the SonarQube product itself". He made the point that SonarQube "is designed to sit behind the firewall", but the affected instances "are the ones that are accessible on the web and have not done the extra configuration to prevent unauthenticated access". SonarSource therefore implied that there was nothing to fix, though it will review "product improvements to better guide our users".
The argument that applications behind the firewall do not need securing is controversial. Simon Maple from open-source security specialist Snyk told us recently that "hackers love those developers" because "as soon as they do get past that firewall, it's party time".
Gaudin told us that the SonarQube is not as easy to get past as Kottmann implied. "What Tillie has done is not completely straightforward," he said.
He added that giving relatively free access to source code inside the firewall is often in tune with policy. "In most companies, when they use SonarQube, they want to make code completely transparent. People have read-only access to all source code," though this is "not true in all companies". That's why the default settings let users view the code anonymously. "This becomes a problem when you put it outside the firewall," he said.
Will the default be changed? "We have discussed this," Gaudin told us. "It's a trade-off between adoption and security. We may end up with a demo mode and a production mode, where the production default is private, and the demo mode is public because you want zero friction for trying the product."
The value of source code to hackers is variable. In many cases it's not worth much since it is still protected by copyright. An analogy would be that owning a book does not give you the right to profit by republishing it. But access to source code could still help criminals find ways to compromise commercial software, or to bypass protection against unauthorised use. Gaudin said: "There is an industry expectation that you should be able to protect your source code."
There is a long-standing problem with secrets such as database logins and passwords hardcoded in source code. Many developers, it seems, still struggle with this. Running automated tests is part of the DevOps chain, for example, and sticking credentials in the source code is an easy way to get these working.
For every person like Kottmann who is finding and leaking source code, there may be others who are more discreet and less well-intentioned.
Adobe told us: "We are aware of the site and worked with the respective parties to have the content removed. We have no evidence to suggest that any Adobe systems or customers have been compromised due to this issue." ®