Question

In the similar question "Sonar-Runner talks to the local database", "David RACODON - SonarSource" wrote:

The SonarQube Runner needs to talk to both the database and the web server.

I'm trying to understand why Sonar Runner talks to the Sonar database, because anybody who uses Sonar Runner will know the database user and password and can do anything with them, for example change the admin password and take control of the Sonar instance.

On the other hand, in the Sonar Runner docs (http://docs.sonarqube.org/display/SONAR/Installing+and+Configuring+SonarQube+Runner) I see this:

The SonarQube Runner is recommended as the default launcher to analyze a project with SonarQube.

So, does it mean that I should give the database password to each developer on my team? This is inconsistent. Could somebody explain it?


Solution

SonarQube needs to talk to the database in order to save the results (metrics) of the analysis.

I will not talk about all the different possibilities that you can implement in order to keep SonarQube's users from knowing the admin login, but here is the one I use:

  1. SonarQube + Runner
  2. Jenkins with Sonar plugin

This post (on my blog) is 1 year old (http://qualilogy.com/en/install-sonarqube-the-sonarqub-jenkins-plugin/) but it will give you an idea.

You already have SonarQube + Runner installed.

  1. Install Jenkins
  2. Install SonarQube plugin for Jenkins
  3. Configure the plugin:
    • Location of Runner
    • SonarQube dashboard URL
    • Connection to the DB: password is encrypted.

Then, when configuring and running an analysis from Jenkins, there is no need to use any DB login as a parameter.

Hope it helps.

OTHER TIPS

As of version 5.2, this is no longer the case. Now, all DB credentials/connections are managed by Sonar itself, not the runner.
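
A check for the exposure discussed above, added here as an example (it is not code from either answer or from SonarQube): it audits a runner properties file for the `sonar.jdbc.*` keys that give an analysis host direct database access. The sample configs and host names are constructed, and treating a value that starts with `{aes}` as SonarQube's encrypted-setting form is an assumption of this sketch.

```python
import re

# Keys the pre-5.2 runner read for its direct database connection.
JDBC_KEYS = ("sonar.jdbc.url", "sonar.jdbc.username", "sonar.jdbc.password")

def parse_properties(text):
    """Minimal .properties parser: '#'/'!' comments, '=' or ':' separators.
    Line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_runner_config(text):
    """Return (severity, key, message) findings; secret values are never echoed."""
    findings = []
    props = parse_properties(text)
    for key in JDBC_KEYS:
        value = props.get(key)
        if value is None:
            continue
        if key == "sonar.jdbc.password" and value.startswith("{aes}"):
            findings.append(("medium", key, "encrypted DB password present on analysis host"))
        elif key == "sonar.jdbc.password" and value:
            findings.append(("high", key, "plaintext DB password readable by anyone running the analysis"))
        elif key == "sonar.jdbc.url" and re.search(r"password=", value, re.I):
            findings.append(("high", key, "DB password embedded in JDBC URL"))
        else:
            findings.append(("low", key, "runner set up for direct DB access"))
    return findings

# Constructed sample inputs (hosts and values are placeholders).
LEGACY = """\
# runner config as distributed to developers before 5.2
sonar.host.url=http://sonar.example.internal:9000
sonar.jdbc.url=jdbc:mysql://db.example.internal:3306/sonar
sonar.jdbc.username = sonar
sonar.jdbc.password=sample-not-a-real-secret
"""
SERVER_ONLY = "sonar.host.url=http://sonar.example.internal:9000\n"

if __name__ == "__main__":
    for cfg in (LEGACY, SERVER_ONLY):
        print(audit_runner_config(cfg))
```

A config that carries only `sonar.host.url` produces no findings, which is the state to expect on developer machines once the server manages the database connection itself.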

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow