JRE cache: JRE downloads which download from sonar.scanner.sonarcloudUrl or sonar.scanner.apiBaseUrl should have an authentication header

[martin-strecker-sonarsource]

When downloading resources (JRE, scanner engine, …), special care should be taken not to leak the token to a third-party endpoint. If the downloadUrl starts with the same path as sonar.host.url or sonar.scanner.apiBaseUrl, then the token should be passed. Otherwise, we assume there is no authentication required.

From the spec

We do not pass the token if the download URL starts with either sonar.scanner.sonarcloudUrl or sonar.scanner.apiBaseUrl

See #2024 (comment)

[costin-zaharia-sonarsource]

Hi @martin-strecker-sonarsource, this is not very clear. Could you please add to the description what is the expected new behavior?

[martin-strecker-sonarsource]

According to the spec, a bearer token should be sent when downloading the JRE if the download URL returned by the server starts with either the sonar.scanner.sonarcloudUrl or the sonar.scanner.apiBaseUrl path. So if the returned JSON from the JRE endpoint returns something like, e.g.

{
    "downloadUrl": "https://myserver/SonarQube/api/JRE/download",
}

and either sonar.scanner.sonarcloudUrl or sonar.scanner.apiBaseUrl are either of these values

• https://myserver/
• https://myserver/SonarQube/
• https://myserver/SonarQube/api/

then the Bearer token should be sent.