CLI-526 Add a confirmation for the server selection#334

Merged
Krosovok merged 1 commit into master from task/vt/CLI-526-server-confirmation on Jun 2, 2026

Conversation

@Krosovok
Contributor

@Krosovok Krosovok commented May 28, 2026


Summary by Gitar

  • Security enhancement:
    • Added confirmServerTrust to prompt users to confirm server connection before authenticating.
    • Added security warning when connecting to non-SonarQube Cloud servers.
  • Logic updates:
    • Integrated trust confirmation into both --server flag and interactive server selection flows.
    • Updated integration tests to simulate user input for the new trust confirmation prompt.

@hashicorp-vault-sonar-prod
hashicorp-vault-sonar-prod Bot commented May 28, 2026

CLI-526

@Krosovok Krosovok force-pushed the task/vt/CLI-526-server-confirmation branch from 50dc477 to a6ad4a3 Compare May 28, 2026 14:35
@Krosovok Krosovok force-pushed the task/vt/CLI-526-server-confirmation branch from a6ad4a3 to 46a2b74 Compare May 29, 2026 13:22
@Krosovok Krosovok force-pushed the task/vt/CLI-526-server-confirmation branch from 46a2b74 to 101b032 Compare June 1, 2026 14:46
Contributor

We might need to test how this will look inside agent plugins that use integrate skill and are trying to set up connections themselves.

@Krosovok
Contributor Author

Krosovok commented Jun 2, 2026

We might need to test how this will look inside agent plugins that use integrate skill and are trying to set up connections themselves.

Checked. The agent pre-filled the parameters and let the human run the command anyway.

@sonarqubecloud

sonarqubecloud Bot commented Jun 2, 2026

@Krosovok Krosovok merged commit ad36683 into master Jun 2, 2026
26 of 27 checks passed
@Krosovok Krosovok deleted the task/vt/CLI-526-server-confirmation branch June 2, 2026 08:48
@gitar-bot

gitar-bot Bot commented Jun 2, 2026

Code Review ✅ Approved 1 resolved / 1 findings

Integrates trust confirmation for server connections into both CLI flags and interactive flows, successfully addressing the missing trust confirmation for config-discovered servers. No issues found.

✅ 1 resolved
Security: Missing trust confirmation for config-discovered servers

📄 src/cli/commands/auth/login.ts:289-291
In resolveServer, the discoverServer() path (lines 289-291) returns a server URL read from local config files (sonar-project.properties or .sonarlint) without calling confirmServerTrust(). This means a self-hosted SonarQube server discovered from configuration bypasses the trust prompt, while the same URL provided via the --server flag or interactive input would trigger it.

This creates an inconsistency in the security model: a malicious or unexpected config file could silently connect the user to an untrusted server without confirmation.

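The finding above is a classic "one path skipped the gate" bug: the trust prompt was wired into the --server flag and the interactive picker, but not into the config-discovery path. The robust fix is a single chokepoint after all resolution paths have produced a candidate, so no new source can bypass it. The following is an added illustration, not the SonarQube CLI's own code: the names ServerSource, Prompter, resolveServer, confirmServerTrust, isSonarQubeCloud and makeRecordingPrompter are hypothetical, the prompter is injected so the gate can be exercised without a TTY, and the SonarQube Cloud host check is a simplified assumption (only sonarcloud.io and its subdomains) that a real implementation would replace with the product's actual host list.

```typescript
// Added example (not the project's code): route every server source through one trust gate.
// All identifiers here are hypothetical; the cloud-host allowlist is a constructed assumption.

type ServerSource = "flag" | "interactive" | "config";

interface ResolvedServer {
  url: string;
  source: ServerSource;
}

// Prompter abstraction: the real CLI talks to a terminal, tests pass a recorder.
interface Prompter {
  confirm(question: string): boolean;
  warn(message: string): void;
}

// Assumed host check: treat sonarcloud.io (and subdomains) as SonarQube Cloud.
function isSonarQubeCloud(url: string): boolean {
  try {
    const host = new URL(url).hostname.toLowerCase();
    return host === "sonarcloud.io" || host.endsWith(".sonarcloud.io");
  } catch {
    return false; // unparsable URL is never trusted implicitly
  }
}

// The gate: warn on non-Cloud hosts, then require an explicit yes.
// The source is shown so a user notices a URL they did not type themselves.
function confirmServerTrust(url: string, source: ServerSource, prompter: Prompter): boolean {
  if (!isSonarQubeCloud(url)) {
    prompter.warn(`${url} is not SonarQube Cloud; credentials you enter will be sent to this host.`);
  }
  return prompter.confirm(`Connect to ${url} (selected via ${source})?`);
}

interface ResolveInput {
  serverFlag?: string;          // --server value, if given
  discovered?: string;          // URL read from sonar-project.properties / .sonarlint
  interactive?: () => string;   // picker invoked when nothing else is available
}

// Resolution picks ONE candidate from whichever source applies, then every candidate,
// including the config-discovered one, must pass the same confirmServerTrust gate.
function resolveServer(input: ResolveInput, prompter: Prompter): ResolvedServer | null {
  let candidate: ResolvedServer | null = null;
  if (input.serverFlag) {
    candidate = { url: input.serverFlag, source: "flag" };
  } else if (input.discovered) {
    candidate = { url: input.discovered, source: "config" };
  } else if (input.interactive) {
    candidate = { url: input.interactive(), source: "interactive" };
  }
  if (candidate === null) return null;
  // Single chokepoint: no source reaches authentication without confirmation.
  if (!confirmServerTrust(candidate.url, candidate.source, prompter)) return null;
  return candidate;
}

// Recording prompter for offline checks: answers with a fixed value and logs what was asked.
function makeRecordingPrompter(answer: boolean): { prompter: Prompter; log: string[] } {
  const log: string[] = [];
  const prompter: Prompter = {
    confirm(question: string): boolean {
      log.push(`confirm:${question}`);
      return answer;
    },
    warn(message: string): void {
      log.push(`warn:${message}`);
    },
  };
  return { prompter, log };
}

// Walkthrough on constructed inputs: a config-discovered self-hosted server
// must produce a warning and a prompt, and a declined prompt must yield null.
const demo = makeRecordingPrompter(false);
const declined = resolveServer({ discovered: "https://sonar.internal.example" }, demo.prompter);
console.log(declined, demo.log);
```

The point of the structure is that the security check lives after the branching, not inside each branch. Adding a fourth discovery source later (an environment variable, say) cannot reintroduce the finding, because the only way to return a ResolvedServer is through the gate.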
