UNCLASSIFIED - NO CUI

sonarqube update to 2025.6.1-bb.2

BB_AUTO_MR_TOKENrequested to merge
update-sonarqube-tag-2025.6.1-bb.2 into master

Package Merge Request

Package Changes

https://repo1.dso.mil/big-bang/product/packages/sonarqube/-/blob/2025.6.1-bb.2/CHANGELOG.md

Package MR

big-bang/product/packages/sonarqube!269 (merged)

For Issue

Closes big-bang/product/packages/sonarqube#195 (closed)

Upgrade Notices

Sonarqube is now leveraging our bb-common integration for network policies and all istio-related resources. Please refer to this blog post for additional information on the integration.

Please note that two new definitions have been created as part of this integration to allow these policies to be more tailored to a given environment:

      sonarsource-marketplace:
        to:
          - ipBlock:
              cidr: "0.0.0.0/0"
              except:
                - 169.254.169.254/32
        ports:
          - port: 443
            protocol: TCP

This policy allows communication to the sonarsource marketplace which is required for receiving updates to any installed plugins. Currently, this will be enabled automatically if any plugins are specified in the helm chart for Sonarqube or if networkPolicies.egressHttps.enabled is set to true.

NOTE: Unfortunately, Sonarsource does not have a documented list of IP addresses or ranges they use, but if this changes in the future the cidr value can be updated to further restrict access.

      code-repository:
        to:
          - ipBlock:
              cidr: "0.0.0.0/0"
              except:
                - 169.254.169.254/32
        ports:
          - port: 443
            protocol: TCP

This network policy is enabled by default as it allows Sonarqube to access the code repository in order to perform its desired function. The cidr section can be updated to reflect the proper IP address for your code repository. It is also automatically enalbed if networkPolicies.egressHttps.enabled is set to true.

Both definitions can be disabled/enabled manually as well if needed as shown below:

networkPolicies:
  egress:
    from:
      sonarqube:
        podSelector:
          matchLabels:
            app: sonarqube
        to:
          definition:
            sonarsource-marketplace: false # To disable access to Sonarsource marketplace
            code-repository: false # To disable access to a code-repository

NOTE: Please note that the networkPolicies.egressHttps.enabled value will be deprecated in the next major Big Bang release (4.0) so it is recommended to switch over to using the new definitions provided by bb-common. If you wish to disable either of the above mentioned definitions the value of networkPolicies.egressHttps.enabled must also be set to false.

Edited by Jimmy Bourque

Merge request reports

UNCLASSIFIED - NO CUI