From 6bee2d5ea8bb8b6796cf8ece4f6937e7870459d2 Mon Sep 17 00:00:00 2001
From: Fabrice Bellingard
Date: Tue, 26 Jun 2018 10:19:59 +0200
Subject: [PATCH] SONARCLOUD-90 Add Security Page for SonarCloud
---
 server/sonar-docs/src/pages/security.md | 49 +++++++++++++++++++
 .../app/components/GlobalFooterSonarCloud.tsx | 3 ++
 .../GlobalFooterSonarCloud-test.tsx.snap | 11 +++++
 .../main/js/apps/about/sonarcloud/Footer.tsx | 5 ++
 .../resources/org/sonar/l10n/core.properties | 1 +
 5 files changed, 69 insertions(+)
 create mode 100644 server/sonar-docs/src/pages/security.md
diff --git a/server/sonar-docs/src/pages/security.md b/server/sonar-docs/src/pages/security.md
new file mode 100644
index 00000000000..395d1a85644
--- /dev/null
+++ b/server/sonar-docs/src/pages/security.md
@@ -0,0 +1,49 @@
+---
+title: SonarCloud Security
+scope: sonarcloud
+---
+
+We know that your code is very important to you and your business. We also know that no one wants proven bugs or vulnerabilities found on their source code to be unveiled to third-parties. This is why we take security extremely seriously.
+
+## Hosting
+
+SonarCloud is hosted on Amazon AWS in Frankfurt.
+
+## System security
+
+We keep system up to date, OS packages are updated at least weekly. SonarCloud is on its own AWS VPC. We have firewall at VPC and VM level.
+
+Except the Operations team, no SonarSource employee has access to the system, especially the database which stores source code and analysis results.
+
+The Operations team has access to the system through secured channels (SSH) only.
+
+## Data security
+
+All the data is stored on a Postgres RDS instance which only the Operation has access to.
+
+Isolation of data per organization is ensured at software level, which secures access to source code to organization members only.
+
+The source code is not encrypted in the database, but the access to the database is restricted to SonarSource operations team and can be done only through a SSH tunnel.
+
+The DB is backed up everyday by Amazon RDS mechanism, with 7 days retention.
+
+## Software security
+
+The Web Application and Web APIs regularly pass penetration testing conducted by a an external company, specialized in cyber and application security, certified in accordance to ISO-27001 and which is also member of the OWASP.
+
+## Communications
+
+All communications are done over TLS 1.2:
+* Navigating in the Web application
+* Using WS APIs
+* Running analysis (by the scanners) from CI services and pushing analysis reports to SonarCloud
+
+## Authentication
+
+Primary authentication on the system is available only through OAuth authentication with GitHub, Bitbucket Cloud and Microsoft VSTS.
As a consequence, users don’t have a password on SonarCloud, and are as protected as what they expect (especially with 2FA activated on those systems).
+
+For WS API calls or source code analysis triggered from CI services, only revocable user tokens are accepted.
+
+## Payment
+
+When you subscribe to the paid plan on SonarCloud, your credit card information never transit through our system nor it gets stored on the server. It's handed off to [Braintree Payment Solutions](https://www.braintreepayments.com), a company dedicated to storing your sensitive data on [PCI-Compliant](http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard) servers.
diff --git a/server/sonar-web/src/main/js/app/components/GlobalFooterSonarCloud.tsx b/server/sonar-web/src/main/js/app/components/GlobalFooterSonarCloud.tsx
index 87d9cb5d715..3c45ab1a6e1 100644
--- a/server/sonar-web/src/main/js/app/components/GlobalFooterSonarCloud.tsx
+++ b/server/sonar-web/src/main/js/app/components/GlobalFooterSonarCloud.tsx
@@ -59,6 +59,9 @@ export default function GlobalFooterSonarCloud() {
  • {translate('footer.privacy')}
  • +
  • + {translate('footer.security')} +
  • +
  • + + footer.security + +
• diff --git a/server/sonar-web/src/main/js/apps/about/sonarcloud/Footer.tsx b/server/sonar-web/src/main/js/apps/about/sonarcloud/Footer.tsx
index 327e3d7875f..202ae9f353c 100644
--- a/server/sonar-web/src/main/js/apps/about/sonarcloud/Footer.tsx
+++ b/server/sonar-web/src/main/js/apps/about/sonarcloud/Footer.tsx
@@ -103,6 +103,11 @@ export default function Footer() { Privacy
  • +
  • + + Security + +
• diff --git a/sonar-core/src/main/resources/org/sonar/l10n/core.properties b/sonar-core/src/main/resources/org/sonar/l10n/core.properties
index 0027ae95882..65e77118171 100644
--- a/sonar-core/src/main/resources/org/sonar/l10n/core.properties
+++ b/sonar-core/src/main/resources/org/sonar/l10n/core.properties
@@ -2577,6 +2577,7 @@ footer.plugins=Plugins
 footer.privacy=Privacy
 footer.production_database_explanation=The embedded database will not scale, it will not support upgrading to newer versions of {instance}, and there is no support for migrating your data out of it into a different database engine.
 footer.production_database_warning=Embedded database should be used for evaluation purpose only
+footer.security=Security
 footer.support=Get Support
 footer.status=Status
 footer.terms=Terms
-- 
2.39.5